Announced at SASCON 2025, Kaspersky spots spyware from a long-dormant hacker group

Ali Wadi Hasan

Earlier today, Kaspersky announced that its global research and analysis team (GReAT) has uncovered evidence linking the HackingTeam successor, Memento Labs, to a new wave of cyber espionage attacks. The announcement took place on the first day of the Security Analyst Summit in Thailand, which MENA TECH is attending as the event’s exclusive Middle East media partner.

The discovery stems from an investigation into Operation ForumTroll, an Advanced Persistent Threat (APT) campaign that exploited a zero-day vulnerability in Google Chrome.

In March 2025, Kaspersky GReAT brought to light Operation ForumTroll, a sophisticated cyberespionage campaign that exploited a Chrome zero-day vulnerability, CVE-2025-2783. The APT group responsible for the attack sent personalized phishing emails disguised as invitations to the Primakov Readings forum, targeting Russian media outlets, government agencies, and educational and financial institutions.

While investigating ForumTroll, researchers identified that the attackers used a spyware called LeetAgent, which stood out because its commands were written in leetspeak—a rare feature in APT malware. Further analysis revealed similarities between its toolset and a more advanced spyware that Kaspersky GReAT has observed in other attacks. After determining that, in some cases, the latter was launched by LeetAgent or that they shared a loader framework, researchers confirmed the connection between the two, as well as between the attacks.

MENA TECH attending #theSAS2025 in Thailand

Although the other spyware used advanced anti-analysis techniques, including VMProtect obfuscation, Kaspersky was able to find the malware’s name in the code and identify it as Dante. The researchers found that Memento Labs, the rebranded successor to HackingTeam, promoted a commercial spyware with the same name. Additionally, the latest samples of HackingTeam’s Remote Control System spyware, obtained by Kaspersky GReAT, are similar to Dante.

“While the existence of spyware vendors is well-known in the industry, their products remain elusive, particularly in targeted attacks where identification is exceptionally challenging. Uncovering Dante’s origins demanded peeling back layers of heavily obfuscated code, tracing a handful of rare fingerprints across years of malware evolution, and correlating them with a corporate lineage. Maybe it is the reason they called it Dante — there’s a hell of a journey for anyone who would try to find its roots,” said Boris Larin, principal security researcher at Kaspersky GReAT.

A snippet from the Kaspersky Security Analyst Summit

To avoid detection, Dante uses a unique approach to analyze its environment before determining whether it can safely perform its functions.

The researchers traced the first use of LeetAgent back to 2022 and found more attacks by ForumTroll APT targeting organizations and individuals in Russia and Belarus. The group is notable for its strong command of Russian and understanding of local nuances, which Kaspersky observed in other campaigns linked to this APT threat. However, occasional mistakes indicate that the attackers were not native speakers.

The attack leveraging LeetAgent was first detected by Kaspersky Next XDR Expert. The full details of this research, as well as future updates on ForumTroll APT and Dante, are available to customers of the APT reporting service through the Kaspersky Threat Intelligence Portal.

MENA TECH – The leading Arabic-language media platform for technology and business
Copyright © 2025 MenaTech. All rights reserved.