Oct 28, 2025
3 min read
Kaspersky discovered that Hacktor's housekeeper, Mise Monto, joined the cyber wave.
Kaspersky SAS 2025: GreAT detects connections to Dante spyware and Memento Labs.
At the Kaspersky Security Analyst 2025 summit in Thailand, researchers from the elite Kaspersky Global Research and Analysis Team (GReAT) revealed that Memento Labs, a successor to the HackingTeam group, is linked to a wave of cyberespionage attacks including Operation ForumTroll that occurred earlier in March 2025.
For the unusual, operating the motumroll is a better Cyberepioge Alpatages idea replaced by the better kasperky.
The campaign avoided the zero-to-zero-2025-2783 vulnerability and saw an advanced threat group.Although the attackers displayed strong language skills and cultural knowledge, subtle errors suggested that they were not native speakers.
GReAT found the trace - LeetAgent, Dante and Memento Labs
When analyzing the attacks, researchers saw one particular detail – the use of LeetAgent spyware that uses commands written in Leetspeak, a very rare feature in APT malware.
Kaspersky GReAT researchers discovered LeetAgent's bootloader framework — the component responsible for launching and deploying the malware payload — shared strong similarities with the framework used in other, more sophisticated spyware tools.
The researchers concluded that this similarity in design and loader architecture suggests that LeetAgent and this sophisticated malware may be linked and may have a common development origin.
The spyware also uses advanced anti-analysis techniques, including VMProtect obfuscation as well as a sophisticated environmental check to determine if it can operate safely.
The breakthrough came when Kaspersky identified a spyware name in its code, identified as Dante, and linked it to a commercial spyware product sold by Memento Labs, the aforementioned HackingTeam successor.Similarities between Dante and HackingTeam's RCS (Remote Control System) spyware further strengthened the connection between LeetAgent, Dante and Memento Labs.
“While the existence of spyware vendors is well-known in the industry, their products remain elusive, particularly in targeted attacks where identification is exceptionally challenging. Uncovering Dante’s origin demanded peeling back layers of heavily obfuscated code, tracing a handful of rare fingerprints across years of malware evolution, and correlating them with a corporate lineage. Maybe it is the reason they called it Dante, there is a hell of a journey for anyone who would try to find its roots,” said Boris Larin, principal security researcher at Kaspersky GReAT. For additional in-depth insight into Dante and ForumTroll APT, users can sign up to the Kaspersky Threat Intelligence Portal here.
