Memento Labs CEO Paolo Lezzi has confirmed that the spyware known as Dante—recently detected by Kaspersky during live operations—is a product of his company. According to Lezzi, the sample observed in the incident was an outdated Windows agent slated for end‑of‑support by late 2025, with customers advised to discontinue that version as of December 2024. The detection came amid Kaspersky’s investigation into the “Forum Troll” operation, where attackers exploited the Chrome zero‑day CVE‑2025‑2783.
From Hacking Team to Memento Labs: how Dante entered the commercial spyware market
Founded in 2003, Hacking Team became one of the most recognizable vendors of commercial surveillance software—infamously so after a 2015 breach that leaked more than 400 GB of internal data, including source code. In 2019, its assets were acquired by InTheCyber Group and consolidated into Memento Labs.
Within Memento Labs’ ecosystem, a new toolset branded Dante emerged and was discussed at ISS World MEA in 2023. Lezzi notes that only two former Hacking Team employees remain on staff and that the company serves “fewer than 100” customers. Today, Memento Labs primarily focuses on mobile spyware and frequently sources exploits from third parties; Lezzi added that the Chrome zero‑day used in the recent campaign did not belong to Memento Labs.
Inside “Forum Troll”: spear‑phishing and a Chrome zero‑day exploit chain
Per Kaspersky’s analysis, March 2025 saw a sophisticated operation targeting staff at Russian media, government, academic, and financial institutions. The threat actors delivered tailored emails inviting recipients to the “Primakov Readings” forum, then pivoted to a multi‑stage exploit chain abusing CVE‑2025‑2783 in Google Chrome.
Kaspersky declined to attribute the campaign to a specific country or group. Researchers observed fluent Russian and contextually relevant lures, alongside linguistic errors typical of non‑native speakers—an attribution pattern commonly seen in state‑aligned or commercially supported espionage operations.
Why vendor confirmation matters: supply‑chain dynamics and operator risk
Public acknowledgment from a commercial spyware vendor is unusual in a market known for secrecy. The admission that an obsolete agent was deployed is noteworthy: legacy agents are more likely to be flagged by modern EDR/XDR, often contain long‑documented indicators of compromise (IOCs), and increase the risk of exposing command‑and‑control (C2) infrastructure.
The case underscores the resilience and opacity of the commercial spyware supply chain. According to Google’s Threat Analysis Group, more than 40 commercial surveillance vendors are currently active worldwide. In this ecosystem, exploit development is frequently outsourced: even if a spyware vendor does not create zero‑days in‑house, it can integrate third‑party exploits and delivery chains, accelerating time‑to‑operation while diffusing accountability.
Why outdated agents heighten exposure
Over time, the tactics, techniques and procedures (TTPs) of specific tools become widely known through published signatures, YARA rules, and behavioral profiles. Persisting with retired components increases the likelihood of rapid detection, reverse engineering, and infrastructure takedown. Operational hygiene—timely deprecation, key rotation, and variant refresh—remains critical for operators and a detection opportunity for defenders.
Defending against Dante and commercial spyware campaigns
Patch fast and consistently: prioritize browser and OS updates, especially the fix for CVE‑2025‑2783. Enforce enterprise Chrome policies, including rapid‑update channels, hardened security mode, and Site Isolation. Review and limit high‑risk extensions.
Harden the email perimeter: implement DMARC/DKIM/SPF, attachment sandboxes, and URL reputation. Conduct spear‑phishing simulations tied to real‑world lures like conference invitations to improve user skepticism and reporting.
Elevate endpoint visibility: deploy behavior‑centric EDR/XDR, constrain scripting engines (PowerShell, WMI), and apply the vulnerable driver blocklist. Enforce Zero Trust principles and network segmentation to reduce lateral movement and limit blast radius.
Invest in threat intelligence: subscribe to current IOCs and TTP reports on commercial spyware, and continuously inspect egress traffic for anomalies to suspected C2 nodes. Historical incidents—such as the 2015 Hacking Team breach and multiple cases documented by civil‑society researchers—show that timely intelligence and layered defenses significantly reduce dwell time and operational impact.
The Dante case illustrates how commercial spyware, combined with a fresh zero‑day, can power targeted operations even when legacy components are involved. Organizations can tilt the balance by shrinking patch windows, strengthening behavior‑based detection, and rehearsing phishing‑resilient workflows. The faster the vulnerability window closes, the lower the chances of compromise—and the harder it becomes for spyware vendors and their customers to operate with impunity.