Memento Labs, the ghost of Hacking Team, has returned — or maybe it was never gone at all.

Pierluigi Paganini October 27, 2025

Kaspersky links the first Chrome zero-day of 2025 to tools used in attacks attributed to Memento Labs, formerly known as the Hacking Team.

The actor behind Operation ForumTroll used the same tools seen in Dante spyware attacks. Kaspersky researchers linked the first Chrome zero-day of 2025 (CVE-2025-2783), a sandbox escape flaw, to the arsenal of Hacking Team. The vulnerability was exploited in a state-sponsored cyber-espionage campaign. A similar flaw, tracked as CVE-2025-2857, also impacted Firefox.

In March 2025, Kaspersky discovered targeted phishing campaigns using short-lived links that infected users simply by visiting them in Chrome. The attack exploited a previously unknown zero-day sandbox escape flaw. Kaspersky reported the issue to Google, which patched it as CVE-2025-2783.

The Operation ForumTroll phishing campaign targeted Russian and Belarusian media, research, and government entities under the guise of the Primakov Readings forum. Kaspersky traced the malware back to 2022, linking it to the Italian company Memento Labs (formerly Hacking Team) and its commercial spyware “Dante,” used for cyber espionage.

The malicious sites verified the victims and executed exploits. Kaspersky reconstructed the attack chain from early artifacts, noting that the emails were well-crafted, in Russian, and tailored to appear authentic, though minor errors suggested the attackers were likely not native Russian speakers.

Kaspersky analyzed a sophisticated attack that leveraged a validator script in the browser to verify victims and securely download the next stage, using WebGPU to confirm that a real user was present. The validator exchanged keys with the C2 server via the Elliptic-curve Diffie-Hellman (ECDH) algorithm and decrypted payloads hidden in JS and font files, though the expected Chrome RCE exploit was not retrieved. The related zero-day, CVE-2025-2783, exploited a sandbox escape in Chrome by misusing Windows pseudo handles (-1, -2), allowing attackers to execute shellcode in the browser process. The flaw stemmed from Chrome’s IPC handling via the Mojo/ipcz libraries, enabling attackers to bypass sandbox protections, execute payloads, and install malware loaders.

Attackers achieved persistence via COM hijacking, overriding a CLSID to load a malicious DLL into system processes and browsers. The loader decrypts a ChaCha20-encrypted main payload and runs shellcode. The spyware, dubbed LeetAgent, supports commands written in leetspeak and connects to HTTPS C2s (often hosted via Fastly) to receive numeric commands for running shells, executing files, injecting code, and managing tasks. The malicious code also runs background keylogging and file stealing (looking for Office/PDF files). LeetAgent stores its C2 settings as XOR-encoded TLV configuration data and offers extensive traffic-obfuscation options; researchers pointed out that it can download additional tools on demand.
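The COM-hijack persistence described above (a per-user CLSID registration that shadows the machine-wide one and points at an attacker-controlled DLL) is something a defender can hunt for in a registry snapshot. The following is an added example, not code from the Kaspersky report or the campaign: it works over a constructed, simplified registry model (key path to value map), the CLSIDs and paths are placeholders, and on a live host the model would be filled from `winreg` or a `.reg` export.

```python
"""Hunt for COM-hijack persistence in a simplified registry snapshot.

The snapshot format is a constructed model (key path -> {value name: data}),
not a real hive; CLSIDs and DLL paths below are placeholders."""
import re

# Directories an unprivileged user can write to; a COM server living here is suspect.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)
CLSID_RE = re.compile(r"CLSID\\(\{[0-9A-F-]{36}\})\\InprocServer32$", re.I)


def _inproc_servers(hive):
    """Map CLSID -> default InprocServer32 value (the DLL path) for one hive."""
    out = {}
    for path, values in hive.items():
        m = CLSID_RE.search(path)
        if m and "" in values:          # "" is the (Default) value holding the DLL path
            out[m.group(1).upper()] = values[""]
    return out


def find_com_hijacks(hkcu, hklm):
    """Return (clsid, user_dll, machine_dll, reasons) for suspicious HKCU entries.

    A per-user InprocServer32 registration is loaded in preference to the
    machine-wide one, so an HKCU entry that shadows an HKLM CLSID, or that
    points into a user-writable directory, is the pattern to hunt for."""
    user, machine = _inproc_servers(hkcu), _inproc_servers(hklm)
    findings = []
    for clsid, dll in user.items():
        reasons = []
        if clsid in machine and machine[clsid].lower() != dll.lower():
            reasons.append("shadows HKLM registration")
        if USER_WRITABLE.search(dll):
            reasons.append("DLL in user-writable path")
        if reasons:
            findings.append((clsid, dll, machine.get(clsid), reasons))
    return findings


# Constructed sample snapshot (placeholder CLSIDs, not the campaign's real ones).
SAMPLE_HKLM = {
    r"SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32":
        {"": r"C:\Windows\System32\legit.dll", "ThreadingModel": "Both"},
}
SAMPLE_HKCU = {
    r"Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32":
        {"": r"C:\Users\alice\AppData\Roaming\update\loader.dll"},
    r"Software\Classes\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\InprocServer32":
        {"": r"C:\Program Files\Vendor\addin.dll"},
}

if __name__ == "__main__":
    for clsid, dll, machine_dll, reasons in find_com_hijacks(SAMPLE_HKCU, SAMPLE_HKLM):
        print(clsid, dll, "->", machine_dll, ";", ", ".join(reasons))
```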

Researchers traced ForumTroll activity back to 2022 and found two related clusters: one used custom LeetAgent spyware, the other ran a far more advanced commercial implant. Both started with spear-phishing that delivered tailored attachments, and both used the same COM-hijack persistence and similar file paths, which pointed analysts to a connection. After unpacking and deobfuscating the advanced implant, analysts identified it as Dante from Memento Labs (formerly Hacking Team). Dante uses heavy obfuscation (VMProtect), anti-debug and anti-sandbox checks, and an orchestrator that decrypts and loads AES-encrypted modules bound to the host. The orchestrator manages HTTPS C2, module handling, self-protection and self-removal. Investigators found code overlaps between Dante, legacy RCS samples and the campaign’s exploit and loader, which strengthened attribution to Memento Labs and showed attackers reused a commercial spyware toolkit across ForumTroll operations.

“The problem with detecting and attributing commercial spyware is that vendors typically don’t include their copyright information or product names in their exploits and malware. In the case of the Dante spyware, however, attribution was simple once we got rid of VMProtect’s obfuscation and found the malware name in the code,” reads the report published by Kaspersky. “We then searched for and identified the most recent samples of Hacking Team’s Remote Control Systems (RCS) spyware. Memento Labs kept improving its codebase until 2022, when it was replaced by Dante. Even with the introduction of the new malware, however, not everything was built from scratch; the later RCS samples share quite a few similarities with Dante. All these findings make us very confident in our attribution.”

Kaspersky’s researchers drew three main conclusions: (1) the Windows API function DuplicateHandle poses risks if privileged processes mishandle pseudo-handles; (2) attribution remains the hardest yet most rewarding aspect of threat intelligence, likened to solving a detective mystery; and (3) despite Memento Labs’ (ex-Hacking Team) 2019 reboot, the Dante spyware discovery suggests it may need to start over again.

Kaspersky published a list of indicators of compromise for this threat.

“Similarities in the code suggest that the Operation ForumTroll campaign was also carried out using tools developed by Memento Labs,” concludes the report.

If you want to learn more about the history of Hacking Team and Memento Labs, I suggest taking a look at the financial statements of both companies. These figures could likely shed light on the real transition between the two entities.


Pierluigi Paganini
