From ForumTroll to Dante: Kaspersky Unmasks a Hidden Espionage Operation and the Return of Hacking Team’s Legacy


In March 2025, Kaspersky researchers uncovered an advanced cyber-espionage operation that exploited a zero-day vulnerability in Google Chrome (CVE-2025-2783) to infiltrate high-profile targets. The campaign, dubbed “Operation ForumTroll,” relied on highly personalized phishing emails that required no downloads or clicks beyond visiting a malicious website, a stark reminder of how stealthy modern attacks have become.

According to Kaspersky, this operation wasn’t just another cybercrime wave. It revealed deep ties to Memento Labs, formerly the notorious Hacking Team, and exposed the reemergence of its commercial spyware known as Dante, a successor to the infamous “Da Vinci” surveillance platform once sold to governments around the world.

The ForumTroll Campaign: Phishing for Intelligence

The campaign began with customized phishing emails masquerading as invitations to the Primakov Readings, a prestigious forum targeting Russian media outlets, universities, research institutes, and financial organizations. Simply opening the malicious link through Chrome was enough to trigger infection — no file downloads, no user confirmation.

Once activated, the exploit escaped Chrome’s sandbox, exploiting a rare logic flaw in Windows that allowed attackers to execute code in the browser’s core process. This vulnerability, CVE-2025-2783, was reported by Kaspersky and promptly patched by Google. Soon after, Mozilla fixed a similar issue (CVE-2025-2857) affecting Firefox, confirming the flaw’s systemic nature.

A Modern Espionage Toolkit

The malicious chain used multiple payloads, the most notable being LeetAgent, a spyware whose command functions are written in leetspeak, an unusual quirk for an advanced persistent threat (APT). LeetAgent could log keystrokes, steal documents, and execute remote commands, giving attackers full surveillance capability on infected systems.

Further investigation uncovered another, more sophisticated malware strain operating alongside LeetAgent, a piece of commercial spyware called “Dante,” built by the Italian company Memento Labs. Kaspersky’s analysis confirmed that Dante was directly linked to the now-defunct Hacking Team, infamous for providing offensive cyber tools to governments before its collapse following a massive 2015 data leak.

The Resurrection of Hacking Team: Enter Dante

Once considered a relic of the surveillance-for-hire era, Hacking Team has reemerged under a new name and a new product. Acquired in 2019 and rebranded as Memento Labs, the company claimed to start fresh, but the discovery of Dante shows continuity in both code and intent.

At the ISS World MEA 2023 conference, Memento Labs quietly unveiled Dante as a next-generation lawful interception tool for intelligence agencies. However, Kaspersky’s findings show it in real-world espionage operations, not confined to legal use.

Packed with anti-debugging, anti-sandbox, and VM detection mechanisms, Dante’s architecture is designed for stealth and persistence. It encrypts modules using AES-256 and ties infections to individual devices via BIOS UUID, making forensic recovery complex. Its resilience and modular design reveal the hallmarks of a mature, commercially engineered product.

Why It Matters: The Blurred Line Between Spyware and APTs

Operation ForumTroll exposes more than a sophisticated hack — it shines a light on the growing convergence between government surveillance and private spyware markets. With commercial tools now reaching APT-level sophistication, the line separating nation-state operations from corporate espionage is increasingly faint.

For organizations across the Middle East and Africa (MEA), regions often targeted for their geopolitical and economic significance, this finding is particularly significant. Commercial spyware, once thought to be limited to intelligence agencies, can now be repurposed or resold in shadow markets, putting businesses, journalists, and governments at risk.

As Dante resurfaces, so does a familiar question: how many more surveillance tools are quietly operating under the radar, masked by legitimate contracts and state interests?

10 Recommended Actions for Security Teams

  1. Patch browsers immediately — apply the latest Chrome and Firefox updates to fix CVE-2025-2783 and CVE-2025-2857.
  2. Monitor phishing vectors — deploy Saintynet Cybersecurity tools for early detection of personalized spear-phishing attacks.
  3. Educate users — conduct regular cybersecurity awareness training to identify social engineering tactics.
  4. Audit browser extensions and configurations for unauthorized plugins or abnormal network behavior.
  5. Restrict admin privileges to minimize the impact of potential sandbox escapes.
  6. Implement threat intelligence feeds to stay informed about new APT and spyware campaigns.
  7. Segment networks to contain infections and prevent lateral movement.
  8. Deploy advanced endpoint protection capable of detecting obfuscated payloads and COM hijacking attempts.
  9. Run regular threat-hunting exercises focusing on persistent and stealthy infection methods.
  10. Collaborate regionally and internationally — share indicators of compromise (IOCs) and best practices within trusted industry circles.
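Item 8 asks for tooling that can detect COM hijacking. The following PowerShell hunt is an added example, not part of the article or of any vendor product: it lists per-user CLSID registrations under HKCU whose InprocServer32 either shadows a machine-wide HKLM entry or points outside the Windows directory. Both are triage signals, not verdicts; the registry paths are standard, and the "non-system path" heuristic is an assumption chosen for illustration.

```powershell
# Added example: hunt for user-level COM hijacks (defender triage, not a verdict).
# A CLSID registered under HKCU takes precedence over the same CLSID under HKLM
# for that user, so an HKCU InprocServer32 that shadows an HKLM entry, or that
# loads a DLL from an unusual location, deserves a closer look.
$hkcu = 'HKCU:\Software\Classes\CLSID'
$hklm = 'HKLM:\Software\Classes\CLSID'

if (-not (Test-Path $hkcu)) {
    Write-Host 'No per-user CLSID registrations found.'
    return
}

Get-ChildItem -Path $hkcu -ErrorAction SilentlyContinue | ForEach-Object {
    $clsid  = $_.PSChildName
    $inproc = Join-Path $_.PSPath 'InprocServer32'
    if (-not (Test-Path $inproc)) { return }   # 'return' skips to the next CLSID

    # Default value of InprocServer32 is the DLL path; strip surrounding quotes.
    $userDll = (Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue).'(default)'
    if ($userDll) { $userDll = $userDll.Trim('"') }

    $machineKey = Join-Path $hklm "$clsid\InprocServer32"
    $machineDll = $null
    if (Test-Path $machineKey) {
        $machineDll = (Get-ItemProperty -Path $machineKey -ErrorAction SilentlyContinue).'(default)'
    }

    # Heuristic (assumption for this example): flag a user-level server that
    # shadows a machine-level one, or that lives outside the Windows directory.
    $shadowsMachine = $null -ne $machineDll
    $suspiciousPath = $userDll -and ($userDll -notmatch '^(%SystemRoot%|C:\\Windows)\\')

    if ($shadowsMachine -or $suspiciousPath) {
        $finding = if ($shadowsMachine) { 'Shadows HKLM entry' } else { 'Non-system path' }
        [PSCustomObject]@{
            CLSID         = $clsid
            UserServer    = $userDll
            MachineServer = $machineDll
            Finding       = $finding
        }
    }
} | Format-Table -AutoSize
```

Run it in the context of each interactive user (HKCU is per user), and compare any hit against software inventory before treating it as a compromise.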

Conclusion:

The discovery of Operation ForumTroll and Dante spyware underscores how today’s espionage landscape is no longer the domain of elite hackers alone. With commercial spyware reborn under new names and advanced evasion tactics, cyber trust and transparency are under threat like never before.

Kaspersky’s investigation is a reminder that old players never truly disappear, they evolve, adapt, and resurface in new forms. For defenders, the message is clear: stay patched, stay vigilant, and stay collaborative. The next “ForumTroll” may already be lurking, only more polished, more private, and far harder to detect.

Ouaissou DEMBELE
Ouaissou DEMBELE is a seasoned cybersecurity expert with over 12 years of experience, specializing in purple teaming, governance, risk management, and compliance (GRC). He currently serves as Co-founder & Group CEO of Sainttly Group, a UAE-based conglomerate comprising Saintynet Cybersecurity, Cybercory.com, and CISO Paradise. At Saintynet, where he also acts as General Manager, Ouaissou leads the company’s cybersecurity vision—developing long-term strategies, ensuring regulatory compliance, and guiding clients in identifying and mitigating evolving threats. As CEO, his mission is to empower organizations with resilient, future-ready cybersecurity frameworks while driving innovation, trust, and strategic value across Sainttly Group’s divisions. Before founding Saintynet, Ouaissou held various consulting roles across the MEA region, collaborating with global organizations on security architecture, operations, and compliance programs. He is also an experienced speaker and trainer, frequently sharing his insights at industry conferences and professional events. Ouaissou holds and teaches multiple certifications, including CCNP Security, CEH, CISSP, CISM, CCSP, Security+, ITILv4, PMP, and ISO 27001, in addition to a Master’s Diploma in Network Security (2013). Through his deep expertise and leadership, Ouaissou plays a pivotal role at Cybercory.com as Editor-in-Chief, and remains a trusted advisor to organizations seeking to elevate their cybersecurity posture and resilience in an increasingly complex threat landscape.
