Italian spyware vendor linked to Chrome zero-day attacks

A zero-day vulnerability in Google Chrome, exploited in Operation ForumTroll earlier this year, delivered malware linked to Italian spyware vendor Memento Labs, a company born after InTheCyber Group acquired the infamous Hacking Team.

Operation ForumTroll was discovered by Kaspersky in March. The campaign targeted Russian organizations – media outlets, universities, research centers, government organizations, and financial institutions – with well-crafted invitations to the Primakov Readings forum that contained a malicious link.

Loading the link in any Chromium-based web browser was enough to infect the computer. Kaspersky researchers said that the malware was delivered by exploiting CVE-2025-2783, a sandbox escape zero-day in the Chrome browser.

Sample email from the ForumTroll attacks
Source: Kaspersky

In a report published today, Kaspersky shared more details about the attack chain used in Operation ForumTroll, saying that the malware used in the campaign dates back to at least 2022 and led to the discovery of other attacks on organizations in Russia and Belarus.

Analyzing the older attacks, the researchers found “an unknown piece of malware that we identified as commercial spyware called ‘Dante’ and developed by the Italian company Memento Labs.”


Memento Labs is the name of a new company built on the research and expertise of the former ‘Hacking Team,’ a Milan-based spyware vendor previously known for its Remote Control System (RCS), sold to governments as a surveillance tool.

Hacking Team was breached in 2015, and the incident sealed the company’s fate, as it revealed sales to authoritarian regimes, access to zero-day exploits, and interaction with government intelligence clients.

In 2019, the firm was acquired by InTheCyber Group, which used Hacking Team’s assets to form Memento Labs.

Four years later, at the ISS World Middle East and Africa conference, Memento Labs presented its new Dante spyware, although the details remained private.

LeetAgent and Dante

Operation ForumTroll attacks start with a phishing email containing a personalized, short-lived link to the malicious website, where a validator script filters visitors to make sure that only targets of interest are compromised.

In the next step, the attackers exploited CVE-2025-2783 to achieve shellcode execution in the victim’s browser process and install a persistent loader that injects a malicious DLL.


The DLL decrypted the main payload, called LeetAgent, a modular spyware that supports command execution, file operations, keylogging, and data theft.

Kaspersky researchers note that LeetAgent is unusual for its use of leetspeak in its command implementation, and believe that it may also be a commercial spyware tool.

Operation ForumTroll attack chain
Source: Kaspersky

The researchers traced the use of LeetAgent back to attacks in 2022 against targets in Russia and Belarus. In some cases, LeetAgent was used to deliver Dante.

Due to Dante’s code similarities with Hacking Team’s RCS malware, Kaspersky researchers attribute the tools to Memento Labs with high confidence.

Dante is a modular spyware that retrieves components from a command-and-control (C2) server. If no communication is received from the attacker’s server for a specified number of days, the malware “deletes itself and all traces of its activity.”

The researchers could not retrieve any modules for analysis, so the specific features and capabilities of the Dante spyware remain undocumented.


It is important to note that while Kaspersky attributed the advanced spyware to Memento Labs with high confidence, the author of the Chrome sandbox-escape zero-day could be a different entity.

Chrome fixed CVE-2025-2783 in version 134.0.6998.178, released on March 26. Mozilla also addressed the issue in Firefox, tracked as CVE-2025-2857, in version 136.0.4 of the browser.
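A defender's first question after reading the fix versions above is which hosts still run an older build. The following check is an added example, not code from the article or from Kaspersky; the minimum versions are the ones stated in this article, and the host inventory is constructed sample data.

```python
"""Flag browser builds that predate the fixes for the ForumTroll zero-day
(Chrome CVE-2025-2783, Firefox CVE-2025-2857)."""
import re

# First fixed releases, as stated in the article.
PATCHED = {
    "chrome": "134.0.6998.178",
    "firefox": "136.0.4",
}


def parse_version(text: str) -> tuple[int, ...]:
    """Extract a dotted numeric version from strings such as
    'Google Chrome 134.0.6998.178' or 'Mozilla Firefox 136.0.4'."""
    match = re.search(r"\d+(?:\.\d+)+", text)
    if not match:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(part) for part in match.group(0).split("."))


def is_patched(browser: str, installed: str) -> bool:
    """True when the installed build is at or above the first fixed release.
    Components are compared as integers, so 134.0.6998.9 correctly ranks
    below 134.0.6998.178 (a plain string comparison gets this wrong).
    Missing trailing components are treated as zero."""
    have = parse_version(installed)
    need = parse_version(PATCHED[browser.lower()])
    width = max(len(have), len(need))
    have += (0,) * (width - len(have))
    need += (0,) * (width - len(need))
    return have >= need


def audit(inventory):
    """Return the (host, browser, version) entries that are still exposed."""
    return [(h, b, v) for h, b, v in inventory if not is_patched(b, v)]


# Constructed sample inventory with hypothetical host names.
SAMPLE = [
    ("ws-01", "chrome", "Google Chrome 134.0.6998.178"),
    ("ws-02", "chrome", "Google Chrome 134.0.6998.9"),
    ("ws-03", "firefox", "Mozilla Firefox 136.0.4"),
    ("ws-04", "firefox", "Mozilla Firefox 136.0"),
    ("ws-05", "chrome", "Google Chrome 135.0.1.1"),
]

if __name__ == "__main__":
    for host, browser, version in audit(SAMPLE):
        print(f"{host}: {browser} {version} predates the fix")
```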

BleepingComputer has contacted Memento Labs with a request for comment on Kaspersky’s findings, but did not receive a response by publishing time.
