A brand new international cyber-espionage risk has surfaced with the invention of Dante, a business surveillance device developed by the Italian firm Memento Labs. In your data, Memento Labs is the rebranded entity of the controversial Italian surveillance agency, Hacking Workforce.
The cybersecurity agency Kaspersky unveiled the marketing campaign, named Operation ForumTroll, which first hit targets in March 2025. Kaspersky attributes this assault to a particular risk group it tracks as ForumTroll APT.
Phishing Lure and Zero-Day Assault
The operation started with extremely personalised phishing emails disguised as invites to the ‘Primakov Readings’ worldwide discussion board. These extremely personalised messages focused authorities our bodies, analysis centres, universities, and media organisations, primarily in Russia and Belarus. The aim, in keeping with Kaspersky’s analysis, was clearly espionage.
The an infection began when a recipient clicked a personalised hyperlink. The malicious website ran a fast verify, referred to as a Validator, to verify the sufferer was an actual person earlier than executing the assault. The principle trick concerned exploiting a zero-day vulnerability in Google Chrome. This particular flaw, tracked as CVE-2025-2783, was significantly intelligent: it took benefit of a decades-old error in Home windows to trick Chrome’s safety course of.
By doing this, the attackers managed to bypass all of Chrome’s protecting obstacles (sandbox escape) and achieve full management of the system. Kaspersky reported the problem, main Google to swiftly launch a patch. The intensive listing of earlier zero-day assaults shared by Kaspersky exhibits this can be a steady, troublesome effort to catch such malicious assaults.
Right here’s the listing of in-the-wild Zero-days reported by Kaspersky:
Adobe
- CVE-2014-0497
- CVE-2014-0515
- CVE-2014-0546
- CVE-2016-4171
- CVE-2017-11292
Microsoft
- CVE-2014-4077
- CVE-2015-2360
- CVE-2016-0034
- CVE-2016-0165
- CVE-2016-3393
- CVE-2018-8174
- CVE-2018-8453
- CVE-2018-8589
- CVE-2018-8611
- CVE-2019-0797
- CVE-2019-0859
- CVE-2019-1458
- CVE-2020-0986
- CVE-2020-1380
- CVE-2021-28310
- CVE-2021-31955
- CVE-2021-31956
- CVE-2021-40449
- CVE-2023-28252
- CVE-2024-30051
- CVE-2019-13720
- CVE-2024-4947
- CVE-2025-2783
Apple
- CVE-2023-32434
- CVE-2023-32435
- CVE-2023-38606
- CVE-2023-41990
New Instruments, Outdated Habits: LeetAgent and Dante
As soon as compromised, attackers put in a secret part to make sure persistent entry. They achieved this utilizing a way referred to as Element Object Mannequin (COM) hijacking, which entails manipulating the Home windows registry. By inserting a customized entry within the person’s non-public settings, the attackers compelled respectable Home windows packages to load their malicious code, which then launched the precise spy ware LeetAgent, a device designed to steal information (like paperwork and spreadsheets), run system instructions, and report keystrokes.
Kaspersky’s researchers then discovered a direct operational and code hyperlink between the LeetAgent assaults and a extra highly effective device they recognized as Dante. This connection confirms a key improvement within the business spy ware market. Dante is the brand new surveillance platform from Memento Labs, the corporate created after the notorious Hacking Workforce was acquired and rebranded in 2019.
“We discovered related code shared by the exploit, loader, and Dante. Taken collectively, these findings permit us to conclude that the Operation ForumTroll marketing campaign was additionally carried out utilizing the identical toolset that comes with the Dante spy ware,” researchers famous within the weblog put up.
As per Hackread.com’s earlier protection, Hacking Workforce was based in 2003 and is thought for its highly effective surveillance software program, Da Vinci or Distant Management System (RCS) spy ware. An enormous 2015 knowledge leak compromised their instruments and uncovered inside operations, inflicting their subsequent rebranding.
The invention of Dante (whose title Kaspersky discovered written within the code) and its use by the ForumTroll APT group since not less than 2022 confirms that the business surveillance market is continually adapting. Regardless of the Hacking Workforce’s rebranding, their enterprise of promoting highly effective spying instruments persists.
Researchers counsel that discovering and naming the builders of those superior instruments, a course of referred to as attribution, is essential for addressing the true scope of world cyber-espionage.
