Italian-made spyware spotted in breaches of Russian, Belarusian systems

A Russian cybersecurity firm said it has found evidence that spyware developed by Italy’s Memento Labs — formerly known as the controversial Hacking Team — was likely used in attacks on organizations in Russia and Belarus.

In a report published Monday, researchers at Kaspersky said they identified the company’s commercial spyware, known as Dante, in multiple attacks linked to a hacking group dubbed ForumTroll.

Kaspersky said there is no evidence of active Dante infections among its customers, and researchers could not determine who commissioned ForumTroll’s operations. It is also unclear how much the attackers might have paid to use the spyware or whether the company was aware of its deployment, the report said.

“Proficiency in Russian and familiarity with local peculiarities are distinctive features of the ForumTroll group, traits that we have also observed in its other campaigns,” the researchers said. “However, mistakes in some of those other cases suggest that the attackers were not native Russian speakers.”

Milan-based Memento Labs did not respond to requests for comment.

The report marks the first documented instance of Dante’s use in real-world cyberattacks since it was unveiled by Memento Labs in 2023 during a closed conference for law enforcement and intelligence agencies, according to researchers.

Kaspersky’s discovery was the byproduct of an investigation into ForumTroll espionage attack in March of this year. The hackers targeted Russian media outlets, universities, research centers, government institutions, and financial organizations with phishing emails disguised as invitations to a well-known Russian scientific and expert forum. 

The attackers sent malicious links that exploited a zero-day vulnerability in Google’s Chrome browser, the researchers said. Kaspersky reported the bug, now tracked as CVE-2025-2783, and Google patched it.

Dante was not used in that campaign, the researchers said, but investigating ForumTroll incidents eventually led Kaspersky to discover the spyware elsewhere.

The most recent ForumTroll campaign included the group’s custom tool, LeetAgent, the researchers said. 

At times, it served as a loader for Dante, which is far more advanced, they said. LeetAgent dates back to at least 2022.

Hacking Team sold intrusion and surveillance tools to government clients worldwide before suffering a massive data leak in 2015. 

The firm was criticized for selling its Remote Control Systems (RCS) spyware to countries with “ongoing serious human rights violations,” according to a report by the digital rights watchdog Citizen Lab. In a 2014 report, Citizen Lab found that RCS was used by at least 20 countries, including Saudi Arabia, Sudan, Mexico, Azerbaijan, Egypt, Hungary, Italy and Kazakhstan.

After the leak, the company was acquired and rebranded as Memento Labs, and it has continued marketing its “intelligence solutions” to law enforcement and intelligence agencies.