Kaspersky's Global Research and Analysis Team (GReAT) has discovered evidence that Memento Labs, the successor company to HackingTeam, is involved in a new wave of cyber espionage attacks.
Specifically, in March 2025, Kaspersky GReAT exposed ForumTroll, a sophisticated cyberespionage campaign that exploited the zero-day vulnerability CVE-2025-2783 in Chrome.
The group behind the campaign sent personalized phishing emails disguised as invitations to the Primakov Readings forum, targeting media outlets and government, educational and financial organizations in Russia.
During the investigation of the ForumTroll campaign, researchers discovered the LeetAgent spyware, which has been in use since 2022.
The software is notable for its control commands, which are written in "leetspeak", a rare feature in APT (advanced persistent threat) malware.

Kaspersky GReAT finds new HackingTeam spyware active after years of silence
After observing and analyzing a number of cases, experts determined that LeetAgent either launched the more sophisticated spyware or shared a loader framework with it, that is, the framework attackers use to download, activate or deploy other malicious components on the victim's system.
This allowed experts to confirm the connection between the two types of malware as well as the connection between the attacks.
The other spyware hides its code using advanced anti-analysis techniques, including VMProtect obfuscation. However, Kaspersky experts were able to extract the malware's name, Dante, from the source code.
Researchers identified Dante as the name of a commercial spyware developed and promoted by Memento Labs, the successor and rebranded company of HackingTeam.
Additionally, the latest samples of HackingTeam's spyware Remote Control System (RCS) obtained by Kaspersky also show a clear resemblance to Dante.
The existence of commercial spyware vendors is still widely known in the industry, said Boris Larin, Head of Security Research at Kaspersky GReAT.
However, it is not easy to get a hold of these vendors' products, especially in targeted attacks.
"To find the origin of Dante, we had to peel back each layer of the obfuscated malware, follow a few rare traces throughout the years of development of the malware, and cross-reference it to find the origin," Boris Larin revealed.
The hacker group, called HackingTeam, was founded in 2003 by a number of Italians. According to researchers, the group is known for its proficiency in Russian and deep understanding of the local context.
Source: https://nld.com.vn/phan-mem-gian-diep-cua-nhom-hacker-khet-tieng-bat-ngo-xuat-hien-tro-lai-196251121182602181.htm