Kaspersky Global Research and Analysis Team (GReAT) has uncovered evidence linking the HackingTeam successor, Memento Labs, to a new wave of cyberespionage attacks. The discovery stems from an investigation into Operation ForumTroll, an Advanced Persistent Threat (APT) campaign that exploited a zero-day vulnerability in Google Chrome. The research was presented at the Security Analyst Summit 2025, taking place in Thailand.
In March 2025, Kaspersky GReAT brought to light Operation ForumTroll, a sophisticated cyberespionage campaign exploiting a Chrome zero-day vulnerability, CVE-2025-2783. The APT group behind the attack sent personalized phishing emails disguised as invitations to the Primakov Readings forum, targeting Russian media outlets, government organizations, educational and financial institutions.
While investigating ForumTroll, researchers identified that the attackers used a spyware called LeetAgent, which stood out because its commands were written in leetspeak, a rare feature in APT malware. Further analysis uncovered similarities between its toolset and a more advanced spyware that Kaspersky GReAT has observed in other attacks. After determining that, in some cases, the latter was launched by LeetAgent or that the two shared a loader framework, researchers confirmed the connection between the two spyware families, as well as between the attacks.
Although the other spyware employed advanced anti-analysis techniques, including VMProtect obfuscation, Kaspersky retrieved the malware’s name from the code and identified it as Dante. The researchers discovered that a commercial spyware with the same name was promoted by Memento Labs, the rebranded successor to HackingTeam. Additionally, the most recent samples of HackingTeam’s Remote Control System spyware, obtained by Kaspersky GReAT, share similarities with Dante.
Kaspersky said the malware infections occurred when victims clicked on personalized phishing links sent via email. The link was disguised as an invitation from the organizers of the Primakov Readings, an international scientific and expert forum on global politics and economics.
“No further action was required to initiate the infection; simply visiting the malicious website using Google Chrome or another Chromium-based web browser was enough,” Kaspersky wrote. “The malicious links were personalized and extremely short-lived to avoid detection.”
By - Aaradhay Sharma