Dante Spyware Linked to Memento Labs Spotted in Real-World APT Using Chrome Zero‑Day

CyberSecureFox 🦊

Kaspersky researchers have reported the first confirmed in-the-wild deployment of the commercial surveillance platform Dante, attributed to Memento Labs (formerly Hacking Team). The tooling surfaced during the investigation of an advanced persistent threat (APT) operation dubbed Forum Troll, which targeted personnel at Russian media, government, education, and financial institutions.

From Hacking Team to Memento Labs: a commercial spyware lineage

Hacking Team, one of the most high-profile vendors of so-called “lawful intercept” spyware, supplied Remote Control System (RCS) beginning in 2003, enabling file exfiltration, message interception, and remote microphone/camera control. Following a 2015 breach that leaked over 400 GB of internal data and source code, the company’s operations were severely curtailed. In 2019, Hacking Team became part of the InTheCyber Group and rebranded as Memento Labs. At ISS World MEA 2023, the firm showcased Dante, though public evidence of field use had not surfaced until now.

Forum Troll: Chrome zero‑day chain and the LeetAgent backdoor

According to Kaspersky, the Forum Troll campaign, observed in March 2025, employed a zero‑day exploit chain that included a Chrome vulnerability tracked as CVE‑2025‑2783. Targets received tailored emails inviting them to the Primakov Readings, a well-known research and policy forum. Visiting the embedded link with Chrome was sufficient to trigger infection—no further user interaction required—consistent with modern “drive-by” exploitation.

For post‑exploitation control, the operators used the LeetAgent backdoor, whose command set is stylized in leetspeak—an unusual choice for state‑grade operations. LeetAgent activity has been observed since 2022 against organizations and individuals in Russia and Belarus. The primary objective of the campaign was cyberespionage, including covert collection and persistence.

Attribution signals: why Dante points to Memento Labs

Code artifacts, versioning, and overlap

During triage of the attackers’ toolkit, analysts identified a previously undocumented component that mapped to Dante. Attribution indicators include hardcoded strings such as “Dante” and “version 2.0”, consistent with Memento Labs’ 2023 presentation, as well as code overlaps between Dante and other utilities observed in Forum Troll. While attribution in closed‑source commercial tooling is inherently challenging, these signals provide a coherent technical link.

Inside Dante: layered evasion, anti-analysis, and a C2 “orchestrator”

Anti-analysis stack: VMProtect, debugger checks, and API stealth

The spyware is packaged with VMProtect, complicating static analysis by obfuscating control flow, hiding imports, and adding anti‑debugging gates. To blunt user‑mode hooks, Dante resolves API targets via hashed lookups and, where possible, invokes system calls directly—techniques that reduce the visibility of monitoring tools. It also inspects Windows Event Logs for forensic tooling artifacts, probes for sandboxes by timing operations and scanning for telltale libraries, and validates process parameters for signs of instrumentation.
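Hashed API lookups hide an implant's import table from static tooling, but an analyst can usually undo them by hashing every export of the DLLs the sample loads with a few candidate routines and matching the results against the constants found in the disassembly. The script below is an added illustration of that resolver, not code from Dante or from Kaspersky's analysis: the three hash routines (a ROR13 add‑rotate variant, djb2 and CRC‑32) are assumptions chosen because they are common in packed implants, the article does not say which routine Dante uses, and the export list and "unknown" constants are constructed for the example.

```python
import zlib

# Added example (not Dante's code): resolve hashed API references back to
# export names by hashing candidate names with several routines.


def ror13_hash(name: str) -> int:
    """ROR13 add-rotate hash over the ASCII name plus its NUL terminator (32-bit)."""
    h = 0
    for c in name.encode("ascii") + b"\x00":
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF  # rotate right by 13
        h = (h + c) & 0xFFFFFFFF
    return h


def djb2_hash(name: str) -> int:
    """Classic djb2: h = h * 33 + c, truncated to 32 bits."""
    h = 5381
    for c in name.encode("ascii"):
        h = (h * 33 + c) & 0xFFFFFFFF
    return h


def crc32_hash(name: str) -> int:
    """Plain CRC-32 of the name, another routine seen in import-hiding code."""
    return zlib.crc32(name.encode("ascii")) & 0xFFFFFFFF


# Candidate routines, tried in this order. Which one a given sample uses is an
# assumption here; in practice add every routine your tooling knows about.
HASHERS = {"ror13": ror13_hash, "djb2": djb2_hash, "crc32": crc32_hash}

# Constructed candidate list: a handful of real kernel32/ntdll export names.
# A real run would feed in every export of each DLL the sample loads.
EXPORT_NAMES = [
    "CreateFileW", "VirtualAlloc", "VirtualProtect", "WriteProcessMemory",
    "LoadLibraryA", "GetProcAddress", "GetTickCount64", "IsDebuggerPresent",
    "NtQuerySystemInformation", "NtQueryInformationProcess", "NtAllocateVirtualMemory",
]


def build_tables(export_names):
    """Precompute hash -> name for every routine so lookups are O(1)."""
    return {algo: {fn(n): n for n in export_names} for algo, fn in HASHERS.items()}


def resolve_api_hashes(unknown_hashes, export_names):
    """Map each unknown 32-bit constant to (routine, export name) where one matches."""
    tables = build_tables(export_names)
    resolved = {}
    for h in unknown_hashes:
        for algo, table in tables.items():
            if h in table:
                resolved[h] = (algo, table[h])
                break  # first routine that explains the constant wins
    return resolved


# Constructed "unknown" constants, as if pulled from the sample's disassembly.
# Two are ROR13 hashes of real exports; 0xDEADBEEF should stay unresolved.
SAMPLE_HASHES = [
    ror13_hash("IsDebuggerPresent"),
    ror13_hash("NtQuerySystemInformation"),
    0xDEADBEEF,
]

if __name__ == "__main__":
    for h, (algo, name) in resolve_api_hashes(SAMPLE_HASHES, EXPORT_NAMES).items():
        print(f"0x{h:08x} -> {name} ({algo})")
```

Unresolved constants after a run against full export lists usually mean either a routine not in `HASHERS`, a case‑folded or wide‑character variant of one of them, or a hash that also mixes in the module name; those are the next hypotheses to test rather than evidence that the constant is not an API hash.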

Orchestrator and C2: HTTPS communications, modularity, and self‑destruct

After environment validation, Dante decrypts its configuration (a simple XOR scheme) and launches an orchestrator camouflaged as a font resource. The orchestrator handles HTTPS command‑and‑control, module management, configuration updates, and self‑protection. Modules can be loaded from memory or disk, with file paths derived from a Base64‑encoded GUID‑based infection identifier. Supplemental parameters are stored in the registry using the same scheme. If the implant fails to receive C2 tasking within a defined window, Dante removes itself and its artifacts, frustrating post‑incident forensics. At the time of reporting, analysts had not recovered additional modules from active infections.

Why this matters: commercial spyware in modern APT tradecraft

The case underscores the diffusion of commercial surveillance capabilities into high‑end threat operations. Google Project Zero tracked 61 in‑the‑wild zero‑day exploits in 2023, a reminder that well‑resourced actors routinely pair browser 0‑days with stealthy implants to achieve rapid, click‑less compromise. Dante’s combination of strong anti‑analysis, API evasion, and a modular C2 layer aligns with current best‑of‑breed tradecraft seen across commercial and bespoke toolsets.

Defensive guidance: reduce exposure and raise detection fidelity

Organizations should prioritize rapid patching of browsers and operating systems, enforce hardened update policies, and deploy anti‑phishing controls (targeted awareness campaigns, link isolation, and attachment sandboxing). Strengthen telemetry by enabling and monitoring Windows Event Logs and by deploying EDR/NGAV with behavioral detection and process isolation. High‑risk entities should subscribe to threat intelligence (TI) feeds and run proactive threat hunting focused on anomalous HTTPS egress, suspicious registry usage tied to GUID‑like keys, and VMProtect‑packed binaries that exhibit direct system call patterns.
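The orchestrator section above notes that Dante derives file paths and registry locations from a Base64‑encoded, GUID‑based infection identifier, and the hunting guidance here recommends looking for registry usage tied to GUID‑like keys. The script below is an added example of one such hunt, written for this article rather than taken from Kaspersky's report or any vendor tooling: it scans lines of registry and file‑path telemetry for Base64 tokens (standard or URL‑safe alphabet) that decode either to a GUID string or to 16 bytes that parse as a version‑4 GUID in Windows byte order. The sample lines and the two GUIDs embedded in them are constructed; the exact encoding Dante uses is not described in the article, so handling both text and raw‑byte forms is an assumption.

```python
import base64
import binascii
import re
import uuid

# Added example (not from the article or any vendor tool): hunt telemetry for
# Base64-encoded GUID tokens of the kind an implant might use as an infection ID.

# 8-4-4-4-12 hex GUID, optionally wrapped in braces.
GUID_TEXT_RE = re.compile(r"\{?[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}?")
# A Base64-looking run (standard or URL-safe alphabet) long enough to hold a GUID.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/_-]{20,}={0,2}")


def decode_guid_token(token: str):
    """Return (uuid, kind) if token is Base64 of a GUID, else None.

    kind is "guid-text" when the payload is a GUID string (strong signal) or
    "guid-bytes" when it is 16 bytes that parse as a version-4 GUID (weaker,
    since any 22-character Base64 run decodes to 16 bytes).
    """
    padded = token + "=" * (-len(token) % 4)  # tolerate stripped padding
    for altchars in (None, b"-_"):  # standard alphabet, then URL-safe
        try:
            raw = base64.b64decode(padded, altchars=altchars, validate=True)
        except (binascii.Error, ValueError):
            continue
        if len(raw) == 16:
            # Windows stores the first three GUID fields little-endian (bytes_le);
            # try that layout first, then RFC 4122 network order.
            for layout in ("bytes_le", "bytes"):
                candidate = uuid.UUID(**{layout: raw})
                if candidate.version == 4:  # CoCreateGuid-style random GUIDs
                    return candidate, "guid-bytes"
            continue
        try:
            text = raw.decode("ascii")
        except UnicodeDecodeError:
            continue
        if GUID_TEXT_RE.fullmatch(text):
            return uuid.UUID(text.strip("{}")), "guid-text"
    return None


def hunt_guid_tokens(lines):
    """Scan telemetry lines and report every token that decodes to a GUID."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        for m in TOKEN_RE.finditer(line):
            result = decode_guid_token(m.group(0))
            if result is not None:
                guid, kind = result
                hits.append({"line": lineno, "token": m.group(0), "guid": str(guid), "kind": kind})
    return hits


# Constructed sample GUIDs (version 4) and telemetry lines; none are real indicators.
GUID_A = uuid.UUID("9b2d0a8c-5f1e-4a7b-8c3d-2e4f6a8b0c1d")
GUID_B = uuid.UUID("e7f3c2a1-0b5d-4f6e-9a8b-7c6d5e4f3a2b")
TOKEN_A = base64.b64encode(str(GUID_A).encode()).decode()        # GUID as text, 48 chars
TOKEN_B = base64.urlsafe_b64encode(GUID_B.bytes_le).decode()     # raw Windows bytes, 24 chars

SAMPLE_LINES = [
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater = C:\Users\alice\AppData\Roaming\Updater.exe",
    r"HKCU\Software\Contoso\Settings" + "\\" + TOKEN_A + " = 0x1",
    r"C:\ProgramData\Fonts" + "\\" + TOKEN_B + r"\cache.bin",
    r"HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type = NTP",
]

if __name__ == "__main__":
    for hit in hunt_guid_tokens(SAMPLE_LINES):
        print(f"line {hit['line']}: {hit['kind']} {hit['guid']} <- {hit['token']}")
```

Treat `guid-text` hits as worth immediate triage and `guid-bytes` hits as a lead to correlate with the process that created the key or directory; feed the script the output of a registry or file‑system sweep rather than the constructed lines, and tune `TOKEN_RE` if your environment legitimately stores Base64 identifiers in the paths you collect.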

The Forum Troll operation signals that Dante has moved from the showroom to real operations. Continuous patching, layered detection, and proactive hunting remain the most effective countermeasures against 0‑day‑driven espionage campaigns. Security teams should revisit browser exploitation playbooks, validate containment procedures for modular implants, and ensure executive awareness of the evolving commercial spyware landscape.
