Hacking Team successor linked to malware campaign, new ‘Dante’ commercial spyware

Kaspersky researchers said Monday that they’ve unearthed a malware campaign they’re linking to the successor company of the infamous Italy-based surveillance tech firm Hacking Team, and at the same time discovered new commercial malware tied to the same firm.

The malware campaign that Kaspersky dubbed Operation ForumTroll targeted government organizations, media outlets, financial institutions, universities, research centers and other organizations in Russia, with an apparent goal of conducting espionage. Kaspersky classified it as an advanced persistent threat campaign, a term normally applied to nation-state attackers.

Hacking Team was active from the early 2000s until 2019, when it was acquired and rebranded as Memento Labs. Kaspersky said in a blog post Monday that it detected a wave of malware infections in March that it traced back to 2022 and tied to Memento Labs.

While analyzing that malware, researchers found a previously undiscovered commercial spyware product Memento Labs developed known as “Dante,” according to Kaspersky.

Kaspersky said the malware infections occurred when victims clicked on personalized phishing links via email. It was disguised as an invitation from organizers of the scientific and expert forum for Primakov Readings, an international summit on global politics and economics.

“No further action was required to initiate the infection; simply visiting the malicious website using Google Chrome or another Chromium-based web browser was enough,” Kaspersky wrote. “The malicious links were personalized and extremely short-lived to avoid detection.”

The campaign exploited a zero-day (or previously unknown and unpatched) vulnerability in Google Chrome. Google patched the vulnerability after it was alerted, Kaspersky said.

Memento Labs did not immediately respond to emails or calls seeking comment Monday.

Despite the detection, the development might actually be a promising one for Memento Labs, which was said to be struggling shortly after transforming from Hacking Team, the most prominent spyware maker in a nation that has become a hotbed for the tech.

Russia-headquartered Kaspersky’s discoveries also mark the second time this month there was an intermingling of spyware and Russian targets, following Zimperium’s revelations about ClayRat.

There was some overlap between the Operation ForumTroll malware campaign and the Dante spyware, but it wasn’t exact, Kaspersky wrote.

“Although we didn’t see the ForumTroll APT group using Dante in the Operation ForumTroll campaign, we have observed its use in other attacks linked to this group,” the blog post states. “Notably, we saw several minor similarities between this attack and others involving Dante, such as similar file system paths, the same persistence mechanism, data hidden in font files, and other minor details. Most importantly, we found similar code shared by the exploit, loader, and Dante.”

Written by Tim Starks

Tim Starks is senior reporter at CyberScoop. His previous stops include working at The Washington Post, POLITICO and Congressional Quarterly. An Evansville, Ind. native, he’s covered cybersecurity since 2003. Email Tim here: [email protected].
