
Chrome 0‑day exploitation tied to Hacking Team malware and Operation “Forum Troll”

Kaspersky researchers have for the first time discovered the use of Dante spyware in real‑world attacks, developed by the Italian company Memento Labs (formerly Hacking Team). They were able to track the malware’s activity through an analysis of Operation “Forum Troll,” which targeted employees of Russian organizations.

Hacking Team is one of the oldest spyware vendors. The company was founded in 2003 and specialized in developing and selling “lawful” spyware. Hacking Team’s flagship product was the Remote Control Systems (RCS) spyware, used by government agencies around the world. The spyware allowed downloading files from an infected computer, intercepting emails and messages, and remotely controlling the webcam and microphone.

However, Hacking Team became widely known in 2015, when it fell victim to a hack, resulting in more than 400 GB of data leaking online, including the source code of its spyware and the company’s internal documents. As a result, Hacking Team was forced to ask its clients to suspend use of RCS.

In 2019, Hacking Team was acquired by InTheCyber Group, after which it was renamed Memento Labs. Four years later, at the ISS World MEA 2023 conference for law enforcement and intelligence agencies, the company announced a new piece of spyware: Dante. Until now, this malware had not been observed in real-world attacks, and little was known about its capabilities.

Hacking Team and “Forum Troll”

Researchers note that in March 2025 they uncovered a sophisticated targeted campaign, dubbed Operation “Forum Troll”. The APT attack leveraged an exploit chain built around a zero-day vulnerability in the Chrome browser (CVE-2025-2783).

At the time, the attackers sent personalized phishing emails to employees of media outlets, as well as government, educational, and financial institutions in Russia, inviting them to take part in the Primakov Readings scientific and expert forum.

If the victim opened the link in the Chrome browser, the device became infected; no further action was required from the user. The primary goal of this campaign was cyberespionage.

Experts now say that the LeetAgent spyware was used in Operation “Forum Troll.” All commands were written in Leet (leetspeak), which is rare in sophisticated targeted attacks. Continuing the investigation, the researchers traced LeetAgent activity back to 2022 and identified other attacks by the same group targeting organizations and individuals in Russia and Belarus.

While examining the arsenal of these attackers, researchers discovered a previously unknown piece of malware. It soon became clear that this was none other than Dante, a commercial spyware developed by the Italian company Memento Labs.

Dante

The “Dante” string found in the malware code was not the only basis for the researchers’ attribution. For example, a reference to the name Dante and version 2.0 was found, which matches the title of Memento Labs’ presentation at the aforementioned conference.

Analysis also showed that Dante and some of the tools used in Operation “Forum Troll” contained similar code, which means these tools were also developed by Memento Labs.

Experts report that the spyware is packed using the VMProtect tool, which obfuscates control flow, hides imported functions, and adds checks for execution in a debugging environment.

To thwart dynamic analysis, Dante uses the following anti-hook technique: when it needs to execute an API function, the malware resolves the function's address by hash, parses the function's code to extract the system call number, then builds its own stub that issues that system call directly and calls the stub instead of the (possibly hooked) API function.

In addition to VMProtect’s anti-debugging techniques, Dante uses common methods for detecting debuggers. In particular, it checks the debug registers (Dr0–Dr7) using the NtGetContextThread function, inspects the KdDebuggerEnabled field in the KUSER_SHARED_DATA structure, and detects debugging environments via the NtQueryInformationProcess function by querying the ProcessDebugFlags, ProcessDebugPort, ProcessDebugObjectHandle, and ProcessTlsInformation classes.

To evade detection, Dante uses an interesting method of environment checking to determine whether it is safe to continue running: it searches the Windows Event Logs for events that may indicate the use of analysis tools or virtual machines (at the host or guest level).

In addition, the malware performs several checks to detect sandbox execution: it looks for “bad” libraries, measures the execution time of the sleep() function and the cpuid instruction, and also inspects the file system.

After all checks, Dante decrypts the configuration and the orchestrator, finds the string “DANTEMARKER” in the latter, writes the configuration in its place, and launches the orchestrator.

The configuration is stored in the data section and is decrypted using a simple XOR cipher. The orchestrator resides in the resources section and masquerades as a font file. Dante can also load the orchestrator from the file system if an updated version is available.
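To illustrate the loader steps just described (XOR-decrypting the embedded configuration, then writing it over the “DANTEMARKER” placeholder in the orchestrator), here is an added Python sketch; it is not code from the report or from the malware, and the blob layout, the slot size, the XOR key and the sample configuration are all constructed for the example.

```python
import json

# Constructed values for this example (not from the Kaspersky report): the
# report only states that the config is XOR-encrypted and that the orchestrator
# carries a "DANTEMARKER" placeholder that the config is written over.
MARKER = b"DANTEMARKER"
SLOT_SIZE = 96             # assumed size of the placeholder slot in the orchestrator
XOR_KEY = b"\x5a\xc3\x17"  # constructed key for a repeating-key XOR


def xor_crypt(buf: bytes, key: bytes = XOR_KEY) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(buf))


def marker_offset(orchestrator: bytes) -> int:
    """Offset of the placeholder, or -1 if the blob has already been patched (useful for triage)."""
    return orchestrator.find(MARKER)


def embed_config(orchestrator: bytes, config: bytes) -> bytes:
    """Write config over the marker slot, keeping the orchestrator size unchanged."""
    pos = marker_offset(orchestrator)
    if pos < 0:
        raise ValueError("placeholder not found; blob may already carry a config")
    if len(config) > SLOT_SIZE:
        raise ValueError("config does not fit in the placeholder slot")
    padded = config + b"\x00" * (SLOT_SIZE - len(config))
    return orchestrator[:pos] + padded + orchestrator[pos + SLOT_SIZE:]


def build_sample() -> tuple:
    """Constructed stand-in for the data-section config and the resource-section orchestrator."""
    config = json.dumps({"c2": "https://c2.example.invalid", "idle_days": 7}).encode()
    orchestrator = (
        b"MZ" + b"\x90" * 30                              # fake header (32 bytes)
        + MARKER + b"\x00" * (SLOT_SIZE - len(MARKER))    # placeholder slot
        + b"\xcc" * 32                                    # fake code
    )
    return xor_crypt(config), orchestrator


def stage_orchestrator(encrypted_config: bytes, orchestrator: bytes) -> tuple:
    """Reproduce the described step: decrypt the config, splice it in, return both."""
    config = xor_crypt(encrypted_config)
    return embed_config(orchestrator, config), json.loads(config)
```

An analyst triaging a captured orchestrator can use the same marker search: a blob that still contains the placeholder was never staged, while a blob without it carries a configuration where the marker used to be.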

Analysts note that the orchestrator’s code quality is on par with a commercial product, but on its own it is not of much interest. It handles communication with command-and-control (C2) servers over HTTPS, module and configuration management, self-protection, and self-removal.

Modules can be saved to the file system and loaded from there, or loaded from memory. To compute the path to the modules folder, parts of a string obtained by Base64-encoding the infection identifier (GUID) are used. The path to additional settings stored in the registry is derived in the same way.

For self-protection, the orchestrator uses many of the techniques described above, as well as checks for the presence of certain process names and drivers.

If Dante does not receive commands within the number of days specified in the configuration, the malware deletes itself and all traces of its activity.

At the time of writing the report, researchers were unable to examine additional modules, since there were no active Dante infections among users.

“The creators of spyware are well known to cybersecurity professionals. However, malicious programs can be difficult to identify and attribute to a specific group, especially in targeted attacks. To establish Dante’s origin, we had to work through several layers of obfuscated code, track clear signs of its use over the course of several years, and correlate them with possible creators. It seems the malware’s developers didn’t choose the name Dante by accident, since anyone trying to unravel its origins is in for a hard journey,” comments Boris Larin, lead expert at Kaspersky GReAT.
