Kaspersky's Global Research and Analysis Team (GReAT) Unveils Link Between Dante Spyware and Memento Labs
At the Kaspersky Security Analyst 2025 summit in Thailand, Kaspersky's elite researchers revealed a significant connection between Memento Labs, a successor to the notorious HackingTeam group, and a series of cyberespionage attacks, including the March 2025 Operation ForumTroll. This discovery sheds light on the evolving landscape of cyber threats and the intricate relationships between threat actors.
Operation ForumTroll, a sophisticated cyberespionage campaign uncovered by Kaspersky GReAT, exploited a Chrome zero-day vulnerability (CVE-2025-2783) to target Russian media outlets, government organizations, educational institutions, and financial institutions. The attackers demonstrated advanced Russian language skills and cultural knowledge, albeit with subtle mistakes suggesting they might not be native speakers.
A Unique Signature: LeetAgent and Its Connection to Dante
During their analysis, researchers identified a distinctive feature: the use of LeetAgent spyware, which employs commands written in leetspeak, an extremely rare characteristic in APT malware. This discovery led to a more profound revelation.
Kaspersky GReAT researchers found that LeetAgent's loader framework, responsible for initializing and deploying the malware payload, shared striking similarities with the framework used in another, more sophisticated spyware tool. This similarity in design and loader framework led researchers to conclude that LeetAgent and this more sophisticated malware were linked and likely shared a common developmental origin.
Advanced Anti-Analysis Techniques and the Dante Connection
That second spyware tool also employs advanced anti-analysis techniques, including VMProtect obfuscation and a sophisticated environment check to determine whether it can safely operate. The breakthrough came when Kaspersky found the spyware's name, Dante, in its code, linking it to a commercial spyware product sold by Memento Labs, the successor to HackingTeam. Similarities between Dante and HackingTeam's Remote Control System (RCS) spyware further reinforced the connection between LeetAgent, Dante, and Memento Labs.
Boris Larin, a principal security researcher at Kaspersky GReAT, emphasized the challenge of uncovering the origins of such spyware, stating, 'While the existence of spyware vendors is well-known, their products remain elusive, particularly in targeted attacks where identification is exceptionally challenging. Uncovering Dante’s origin demanded peeling back layers of heavily obfuscated code, tracing a handful of rare fingerprints across years of malware evolution, and correlating them with a corporate lineage.'
For those interested in delving deeper into the intricacies of Dante and the ForumTroll APT, Kaspersky offers access to its Threat Intelligence Portal, providing valuable insights into the evolving world of cyber threats.