Kaspersky researchers have exposed Operation ForumTroll, a cyber-espionage campaign using “Dante,” a new spyware tool developed by Memento Labs, the rebranded successor of the infamous Hacking Team.

The attacks, active since early 2025, exploited a Google Chrome zero-day vulnerability (CVE-2025-2783) and used Windows COM hijacking for persistence. Targeting government bodies, research institutes, and media outlets in Russia and Belarus, the campaign relied on phishing emails disguised as invitations to a high-profile international forum to deliver its payload.

Once victims clicked the malicious links, attackers used the Chrome flaw to bypass sandbox protections and gain full control of affected systems. From there, they installed hidden components via COM hijacking, which triggered LeetAgent — a spyware module capable of stealing files, recording keystrokes, and executing commands. Further investigation revealed that LeetAgent was part of a larger toolkit tied to Dante, confirming a direct operational link between both tools and Memento Labs’ ongoing commercial surveillance operations.

The discovery underscores how Memento Labs (formerly Hacking Team) continues to evolve despite its controversial past and the 2015 data leak that exposed its tools. Kaspersky’s findings highlight the persistence of the commercial spyware industry, where rebranded entities continue to refine and redeploy sophisticated surveillance platforms for state-sponsored espionage. The case also illustrates the ongoing challenge of identifying — and holding accountable — developers of advanced spying tools used in global cyber-operations.