Mem3nt0 mori – The Hacking Team is back!
NetmanageIT OpenCTI - opencti.netmanageit.com
SUMMARY:
Kaspersky researchers uncovered a sophisticated attack campaign dubbed Operation ForumTroll, targeting organizations in Russia and Belarus. The campaign utilized a zero-day exploit (CVE-2025-2783) in Google Chrome to deliver spyware. Further investigation revealed connections to previously unknown commercial spyware called Dante, developed by Memento Labs (formerly Hacking Team). The researchers traced the malware back to 2022 and found similarities in code and tactics between the ForumTroll campaign and Dante spyware attacks. The discovery sheds light on the continued operations of the rebranded Hacking Team and their new surveillance tool.
OPENCTI LABELS:
zero-day, sandbox escape, dante, leetagent
AI COMMENTARY:
1. In a reminder that no adversary ever truly disappears, Kaspersky researchers have lifted the veil on Operation ForumTroll, a clandestine attack campaign aimed squarely at organizations in Russia and Belarus. The operation leveraged a zero-day vulnerability in Google Chrome (CVE-2025-2783) to infiltrate targeted environments and deploy advanced spyware disguised as benign content. As the dust settles on this revelation, it becomes evident that the players behind this campaign have reemerged from the shadows, rebranded and more determined than ever to extend their surveillance reach.
2. Operation ForumTroll’s modus operandi involved carefully crafted spear-phishing lures that directed targets to malicious landing pages. Once a user engaged, the exploit chain initiated a sandbox escape, granting the attackers unfettered control over the compromised machine. This escape technique was both subtle and sophisticated, bypassing security mechanisms designed to contain untrusted code. The use of a zero-day exploit in such a manner underscores the attackers’ technical prowess and their willingness to invest in novel vulnerabilities to achieve stealthy persistence.
3. Detailed forensic analysis revealed that the delivery mechanism served as a vehicle for an unfamiliar strain of spyware known as Dante. Initially uncovered in attacks dating back to 2022, Dante exhibits striking parallels in code architecture and operational tactics to those previously attributed to Hacking Team’s notorious LeetAgent toolkit. Hacking Team, a commercial spyware vendor that once courted law enforcement agencies and autocratic regimes, had disbanded under pressure a few years prior. Yet, the emergence of Dante under the banner of Memento Labs signals a strategic phoenix-like revival of the same mercenary surveillance ethos.
4. Researchers traced Dante’s evolution through successive versions that refined its command-and-control communication, data exfiltration routines, and evasion strategies. The RESTful C2 channels incorporate encrypted payloads that blend seamlessly with legitimate traffic, making detection exceptionally challenging. The malware’s modules facilitate microphone and camera capture, keystroke logging, and remote desktop control. These capabilities mirror those of LeetAgent but are enhanced with additional layers of encryption and modular deployment to thwart sandbox analysis and signature-based defenses.
5. The broader implications of Operation ForumTroll extend beyond the immediate targets in Russia and Belarus. The rebranding of Hacking Team into Memento Labs, along with the development of Dante, suggests a persistent commercial appetite for high-end intrusion tools. Organizations worldwide must take heed of the enduring threat posed by well-resourced spyware vendors. Threat intelligence teams should prioritize monitoring for indicators associated with CVE-2025-2783 exploitation and sandbox escape attempts, while strengthening network segmentation and adopting behavioral-analysis platforms capable of spotting anomalous C2 communications.
6. As the cybersecurity community digests the details of this operation, collaboration and information sharing become paramount. The unveiling of Operation ForumTroll serves as a call to action for defenders to sharpen their defenses against zero-day exploits and sophisticated spyware frameworks. By learning from the tactics of Memento Labs and its Dante payload, security teams can better anticipate the next evolution in commercial surveillance malware and mount a more resilient defense against the threats that lie ahead.