The Global Research and Analysis Team (GReAT) at Kaspersky has uncovered a sophisticated cyber-espionage campaign, codenamed Operation ForumTroll, that exploited a zero-day vulnerability in Google Chrome (CVE-2025-2783). The campaign, active since March 2025, used spear-phishing emails disguised as invitations to the Primakov Readings forum to target Russian media outlets, government entities, educational institutions, and financial organisations.
Researchers linked the operation to Memento Labs, the successor to the infamous Italian spyware vendor HackingTeam, known for its commercial surveillance tools used in state-sponsored espionage. The new campaign appears to mark the re-emergence of HackingTeam’s malware lineage after years of inactivity.
A Complex Chain: From Browser Exploit to Spyware Deployment
According to Kaspersky, attackers used the Chrome zero-day to bypass the browser’s sandbox restrictions, with no user action required beyond clicking a malicious link. The payload installed spyware named LeetAgent, which acted as a loader for a more advanced module called Dante — a successor to HackingTeam’s Remote Control System malware.
The Dante spyware employs advanced anti-analysis and obfuscation techniques, including VMProtect-based code wrapping and environmental checks designed to avoid detection in sandboxes and analysis environments. Once deployed, it enables long-term surveillance by exfiltrating files, capturing communications, and executing commands remotely.
Kaspersky’s analysis revealed significant code similarities between Dante and earlier HackingTeam frameworks, confirming continuity in design philosophy and tool evolution under Memento Labs.
“Uncovering Dante’s origin demanded peeling back layers of heavily obfuscated code and tracing rare fingerprints across years of malware evolution,” said Boris Larin, Principal Security Researcher, Kaspersky GReAT. “It truly lives up to its name — a descent into the depths of hidden cyber operations.”
Commercial Spyware and APT Collaboration
The campaign’s structure and precision suggest coordination between commercial spyware vendors and advanced persistent threat (APT) groups. ForumTroll’s operators demonstrated a deep understanding of Russian-language environments but made linguistic errors that hint at non-native proficiency.
The attack relied on a multi-stage infection chain, where a phishing lure delivered LeetAgent, which in turn deployed Dante for persistent access and data collection. This layered design reflects a professional espionage framework that blends commercial malware capabilities with APT-style targeting.
Kaspersky said the findings highlight how private surveillance vendors continue to influence the global threat landscape, offering modular spyware tools to state-linked customers. The company has published indicators of compromise (IOCs) and detailed technical documentation on the Kaspersky Threat Intelligence Portal and presented its findings at the 2025 Security Analyst Summit.
Rising Risk of Commercial Espionage Tools
Security experts warn that operations like ForumTroll demonstrate how the lines between nation-state and private-sector cyber capabilities are blurring. Browser-based zero-days paired with commercial spyware represent one of the most difficult attack classes to detect and attribute.
Kaspersky’s research reinforces calls for international regulation of spyware exports, as surveillance tools increasingly reappear under new corporate entities despite prior shutdowns or sanctions.