A new global cyber-espionage threat has surfaced with the discovery of Dante, a commercial surveillance tool developed by the Italian company Memento Labs. Memento Labs is the rebranded successor to the controversial Italian surveillance firm Hacking Team.
The cybersecurity firm Kaspersky unveiled the campaign, named Operation ForumTroll, which first hit targets in March 2025. Kaspersky attributes this attack to a specific threat group it tracks as ForumTroll APT.
Phishing Trap and Zero-Day Attack
The operation began with highly personalised phishing emails disguised as invitations to the ‘Primakov Readings’ international forum. The messages targeted government bodies, research centres, universities, and media organisations, primarily in Russia and Belarus. The goal, according to Kaspersky’s research, was clearly espionage.
The infection started when a recipient clicked a personalised link. The malicious site ran a quick check, called a Validator, to confirm the victim was a real user before executing the attack. The main trick involved exploiting a zero-day vulnerability in Google Chrome. This specific flaw, tracked as CVE-2025-2783, was particularly clever: it took advantage of a decades-old error in Windows to trick Chrome’s security process.
By doing this, the attackers managed to bypass all of Chrome’s protective barriers (sandbox escape) and gain full control of the system. Kaspersky reported the issue, leading Google to swiftly release a patch. The extensive list of previous zero-days shared by Kaspersky shows that catching such attacks is a continuous, difficult effort.
Here’s the list of in-the-wild zero-days reported by Kaspersky:

Adobe
- CVE-2014-0497
- CVE-2014-0515
- CVE-2014-0546
- CVE-2016-4171
- CVE-2017-11292

Microsoft
- CVE-2014-4077
- CVE-2015-2360
- CVE-2016-0034
- CVE-2016-0165
- CVE-2016-3393
- CVE-2018-8174
- CVE-2018-8453
- CVE-2018-8589
- CVE-2018-8611
- CVE-2019-0797
- CVE-2019-0859
- CVE-2019-1458
- CVE-2020-0986
- CVE-2020-1380
- CVE-2021-28310
- CVE-2021-31955
- CVE-2021-31956
- CVE-2021-40449
- CVE-2023-28252
- CVE-2024-30051

Google
- CVE-2019-13720
- CVE-2024-4947
- CVE-2025-2783

Apple
- CVE-2023-32434
- CVE-2023-32435
- CVE-2023-38606
- CVE-2023-41990

New Tools, Old Habits: LeetAgent and Dante
Once a system was compromised, the attackers installed a secret component to ensure persistent access. They achieved this using a technique called Component Object Model (COM) hijacking, which involves manipulating the Windows registry. By placing a custom entry in the user’s private settings, the attackers forced legitimate Windows programs to load their malicious code, which then launched the actual spyware, LeetAgent, a tool designed to steal files (like documents and spreadsheets), run system commands, and record keystrokes.
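For defenders, the registry pattern described above can be hunted for by comparing per-user COM class registrations with the machine-wide ones. The following is an added example, not code from Kaspersky or from the campaign: it parses `reg export` text for `HKCU\Software\Classes\CLSID` and `HKLM\SOFTWARE\Classes\CLSID` and reports classes whose per-user server path shadows a different machine-wide one. The CLSIDs, paths and function names are constructed placeholders.

```python
import re

# Constructed sample data in `reg export` (.reg) text form; the CLSIDs and
# paths are placeholders, not indicators from the campaign.
HKLM_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-111111111111}\InprocServer32]
@="C:\\Windows\\System32\\example.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{22222222-2222-2222-2222-222222222222}\InprocServer32]
@="C:\\Windows\\System32\\other.dll"
'''
HKCU_EXPORT = r'''
[HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-1111-1111-1111-111111111111}\InprocServer32]
@="C:\\Users\\alice\\AppData\\Local\\cache\\example.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{33333333-3333-3333-3333-333333333333}\InprocServer32]
@="C:\\Users\\alice\\AppData\\Local\\Vendor\\shellext.dll"
'''

KEY_RE = re.compile(r'^\[.*\\CLSID\\(\{[0-9a-f-]{36}\})\\(InprocServer32|LocalServer32)\]$', re.I)
DEFAULT_RE = re.compile(r'^@="(.*)"$')  # the key's default value: the server binary

def parse_servers(reg_text):
    """Map (CLSID, server key) -> path of the binary COM will load."""
    servers, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith('['):
            m = KEY_RE.match(line)
            current = (m.group(1).upper(), m.group(2).lower()) if m else None
        elif current:
            m = DEFAULT_RE.match(line)
            if m:  # undo .reg escaping (\\ -> \, \" -> ")
                servers[current] = re.sub(r'\\(.)', r'\1', m.group(1))
    return servers

def find_shadowed(hkcu_text, hklm_text):
    """Per-user registrations that override a machine-wide class with another path."""
    user, machine = parse_servers(hkcu_text), parse_servers(hklm_text)
    hits = []
    for key, path in sorted(user.items()):
        if key in machine and path.lower() != machine[key].lower():
            hits.append({'clsid': key[0], 'key': key[1],
                         'hkcu': path, 'hklm': machine[key]})
    return hits

if __name__ == '__main__':
    for hit in find_shadowed(HKCU_EXPORT, HKLM_EXPORT):
        print(hit)
```

Classes registered only per-user (the third CLSID in the sample) are not flagged, since per-user software installs create them legitimately. `REG_EXPAND_SZ` values, which `reg export` writes as `hex(2):` data, are not decoded here.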
Kaspersky’s researchers then found a direct operational and code link between the LeetAgent attacks and a more powerful tool they identified as Dante. This connection confirms a key development in the commercial spyware market. Dante is the new surveillance platform from Memento Labs, the company created after the infamous Hacking Team was acquired and rebranded in 2019.

“We found similar code shared by the exploit, loader, and Dante. Taken together, these findings allow us to conclude that the Operation ForumTroll campaign was also carried out using the same toolset that comes with the Dante spyware,” researchers noted in the blog post.
As per Hackread.com’s earlier coverage, Hacking Team was founded in 2003 and is known for its powerful surveillance software, Da Vinci or Remote Control System (RCS) spyware. A massive 2015 data leak compromised their tools and exposed internal operations, causing their subsequent rebranding.
The discovery of Dante (whose name Kaspersky found written in the code) and its use by the ForumTroll APT group since at least 2022 confirms that the commercial surveillance market is constantly adapting. Despite Hacking Team’s rebranding, its business of selling powerful spying tools persists.
Researchers suggest that finding and naming the developers of these advanced tools, a process called attribution, is crucial for addressing the true scope of global cyber-espionage.




