Kaspersky SAS 2025: GReAT discovers link with Dante spyware and Memento Labs
At the Kaspersky Security Analyst 2025 summit in Thailand, researchers from the elite Kaspersky Global Research and Analysis Team (GReAT) revealed that Memento Labs, a successor to the HackingTeam group, is linked to a wave of cyberespionage attacks, including Operation ForumTroll, which occurred earlier in March 2025.

For the uninitiated, Operation ForumTroll was a sophisticated cyberespionage campaign that was uncovered by Kaspersky GReAT.

The campaign leveraged a Chrome zero-day vulnerability, CVE-2025-2783, and saw an advanced persistent threat (APT) group target Russian media outlets, government organisations, and educational and financial institutions. While the attackers demonstrated strong Russian language skills and cultural knowledge, subtle mistakes suggest they might not be native speakers.

GReAT discovers the trail – LeetAgent, Dante and Memento Labs
When analysing the attacks, researchers noticed a peculiar detail: the use of LeetAgent spyware, which uses commands written in leetspeak, an exceedingly rare feature in APT malware.

Kaspersky GReAT researchers also discovered that LeetAgent’s loader framework – the component responsible for initialising and deploying the malware payload – shared strong similarities with the framework used in another, more sophisticated spyware tool.
This similarity in design and loader framework led researchers to conclude that LeetAgent and this more sophisticated malware were linked and likely shared a common developmental origin.

This more sophisticated spyware also employs advanced anti-analysis techniques, including VMProtect obfuscation and a sophisticated environment check to determine whether it can safely operate.
The breakthrough came when Kaspersky identified the spyware’s name, Dante, in its code, linking it to a commercial spyware product sold by Memento Labs, the aforementioned successor to HackingTeam. Similarities between Dante and HackingTeam’s Remote Control System (RCS) spyware further reinforced the connection between LeetAgent, Dante, and Memento Labs.

“While the existence of spyware vendors is well-known in the industry, their products remain elusive, particularly in targeted attacks where identification is exceptionally challenging. Uncovering Dante’s origin demanded peeling back layers of heavily obfuscated code, tracing a handful of rare fingerprints across years of malware evolution, and correlating them with a corporate lineage. Maybe it is the reason they called it Dante, there is a hell of a journey for anyone who would try to find its roots,” said Boris Larin, principal security researcher at Kaspersky GReAT.

For additional in-depth insight into Dante and ForumTroll APT, users can sign up to the Kaspersky Threat Intelligence Portal.
