Kaspersky’s Global Research and Analysis Team (GReAT) has identified new cyber activity linked to Memento Labs, the successor to the disbanded HackingTeam. The investigation uncovered ties between Memento Labs and a spyware campaign called Operation ForumTroll, which exploited a previously unknown Chrome zero-day vulnerability. The findings were presented at the 2025 Security Analyst Summit in Thailand.
Operation ForumTroll and the LeetAgent Spyware
In early 2025, Kaspersky experts analysed a series of targeted attacks delivered through phishing messages disguised as invitations to the “Primakov Readings” conference. The campaign specifically targeted Russian government departments, financial institutions, educational organisations and media outlets. Embedded links exploited CVE-2025-2783, a Chrome vulnerability that allowed attackers to deploy a new spyware framework known as LeetAgent.
What made LeetAgent unusual was its use of commands written in Leetspeak — a numeric-symbolic language rarely seen in malware. This distinct pattern enabled analysts to link LeetAgent to other advanced spyware strains observed later in the campaign.
“Tracing the origin of commercial spyware often involves following a long trail of code reuse and rebranding,” explained Boris Larin, Principal Security Researcher at Kaspersky GReAT.
Discovery of the Dante Malware
As the investigation progressed, researchers identified a second spyware family known as Dante. This variant was deployed via the same loader used by LeetAgent and shared distinct code similarities with it. Dante employs advanced obfuscation tools such as VMProtect to hinder analysis and evade detection by security researchers.
Comparative code analysis revealed that Dante shares architectural traits with the legacy Remote Control System (RCS) spyware created by HackingTeam, indicating that Memento Labs had adapted and evolved the original framework. In multiple attacks, LeetAgent acted as a delivery mechanism for Dante payloads.
Technical Characteristics and Target Scope
Dante uses an environmental self-check to detect sandbox analysis or monitoring before executing. If investigation tools are present, the malware delays activity to remain undetected. This tactic has helped the group maintain persistence in long-term operations.
- Initial LeetAgent infections were traced back to 2022 in Russia and Belarus.
- Leetspeak command syntax is rare among advanced persistent threat groups.
- Dante was confirmed as an evolution of spyware originating from HackingTeam’s RCS toolset.
The first detected LeetAgent activity was logged by Kaspersky Next XDR Expert. Full technical analysis and updates on ForumTroll and Dante are available to subscribers of the Kaspersky Threat Intelligence Portal.