Spyware Maker Memento Labs Confirms Government Customer Malware Use

October 29, 2025
New Spyware "Dante" Targets Windows Users in Russia and Belarus

Cybersecurity researchers at Kaspersky recently unveiled details of a newly identified spyware program named Dante. This malicious software has been observed targeting individuals utilizing Windows operating systems in Russia and the neighboring country of Belarus.

Origin and Ownership

The report attributes the creation of Dante to Memento Labs, a surveillance technology company based in Milan, Italy. Memento Labs was established in 2019 following an acquisition and subsequent restructuring of the earlier spyware developer, Hacking Team.

Paolo Lezzi, the chief executive of Memento, has acknowledged to TechCrunch that the spyware identified by Kaspersky is indeed a product of their company.

Customer Responsibility and Software Support

Lezzi places the blame for the exposure of Dante on one of Memento’s government clients. He asserts that this client was utilizing an obsolete version of the Windows spyware, which Memento will cease to support by the end of the current year.

“They were evidently employing an agent that was already inactive,” Lezzi explained to TechCrunch, using the term “agent” to denote the spyware installed on a target’s computer.

He further stated his belief that the customer had discontinued use of the software. Memento had already requested its clientele to discontinue the use of this Windows malware.

Current Development Focus

Lezzi indicated that Memento has issued warnings to its customers regarding Kaspersky’s detection of Dante infections since December 2024. A further communication is planned for Wednesday, reiterating the request to cease using the Windows spyware.

Currently, Memento’s development efforts are concentrated on spyware for mobile platforms. The company also develops zero-day exploits, which take advantage of previously unknown security vulnerabilities, though it primarily acquires these from external developers.

Kaspersky's Investigation

Mai Al Akkad, a spokesperson for Kaspersky, declined to identify the government entity believed to be responsible for the espionage campaign when contacted by TechCrunch. However, she confirmed that the perpetrator “possessed the capability to utilize Dante software.”

“The group demonstrates a strong understanding of the Russian language and cultural context, characteristics observed in other campaigns linked to this state-sponsored threat. Nevertheless, occasional linguistic errors suggest the attackers may not be native Russian speakers,” Al Akkad stated.

Targeted Individuals and Industries

Kaspersky’s report details a hacking group, dubbed “ForumTroll,” employing the Dante spyware. This group specifically targeted individuals invited to the Russian politics and economics forum, Primakov Readings.

The attacks encompassed a wide array of sectors within Russia, including media organizations, universities, and government entities.

Connection to Chrome Zero-Day

The discovery of Dante followed Kaspersky’s detection of a surge in cyberattacks utilizing phishing links that exploited a zero-day vulnerability in the Chrome browser. Lezzi clarified that Memento was not involved in the development of this Chrome zero-day.

Evolution from Hacking Team's Technology

Kaspersky researchers concluded that Memento continued to refine the spyware initially developed by Hacking Team until 2022, at which point it was superseded by Dante.

Lezzi acknowledged the possibility that certain “aspects” or “behaviors” of Memento’s Windows spyware may have originated from the earlier Hacking Team software.

Identifying Marker in the Code

A key indicator confirming the spyware’s origin was the inclusion of the string “DANTEMARKER” within the code. This serves as a direct reference to the name Dante, which Memento had previously disclosed publicly at a surveillance technology conference, according to Kaspersky.

Similar to Memento’s Dante spyware, earlier versions of Hacking Team’s spyware, known as Remote Control System, were named after prominent figures from Italian history, such as Leonardo da Vinci and Galileo Galilei.

A Chronicle of Cybersecurity Breaches and Rebranding

In 2019, Alessandro Lezzi completed the acquisition of Hacking Team, subsequently renaming the organization as Memento Labs. Lezzi stated that the purchase price was a symbolic one euro, with the intention of initiating a complete overhaul of the company’s operations.

Following the acquisition, the owner of Memento Labs communicated to Motherboard their ambition to enact comprehensive changes. “A fresh start is what we are aiming for,” he explained.

Just a year later, David Vincenzetti, the CEO and founder of Hacking Team, formally declared the cessation of Hacking Team’s activities.

Upon acquiring Hacking Team, Lezzi informed TechCrunch that the company retained only three governmental clients. This represented a significant reduction from the over 40 government customers Hacking Team served in 2015. That same year, a hacktivist known as Phineas Fisher successfully infiltrated the company’s servers.

This intrusion resulted in the exfiltration of approximately 400 gigabytes of sensitive data, including internal emails, contracts, documentation, and the source code for their spyware.

Prior to the breach, Hacking Team’s clientele in nations such as Ethiopia, Morocco, and the United Arab Emirates were implicated in the targeting of journalists, political critics, and dissidents utilizing the company’s surveillance tools. The subsequent online publication of the stolen data by Phineas Fisher led to revelations.

These revelations included the use of Hacking Team’s spyware by a Mexican regional government to monitor local politicians. Furthermore, it was discovered that Hacking Team had conducted business with countries known for human rights violations, including Bangladesh, Saudi Arabia, and Sudan.

Lezzi refrained from disclosing the current number of Memento Labs’ customers to TechCrunch, but indicated that it was fewer than 100. He also noted that only two employees from the original Hacking Team staff remain with the company.

The emergence of Memento Labs’ spyware underscores the continued proliferation of surveillance technology, according to John Scott-Railton, a senior researcher at the University of Toronto’s Citizen Lab with a decade of experience investigating spyware misuse.

The Cycle of Controversy and Reinvention

Scott-Railton also pointed out that even after a company suffers a damaging hack and faces numerous scandals, it is possible for a successor organization with new spyware to emerge from the remnants of the previous entity.

“Maintaining a climate of accountability is crucial,” Scott-Railton conveyed to TechCrunch. “The persistence of a brand so closely associated with controversy and past breaches is a significant observation.”

  • The acquisition of Hacking Team by Lezzi marked a turning point.
  • Phineas Fisher’s hack exposed widespread misuse of Hacking Team’s tools.
  • Memento Labs represents a continuation of surveillance technology development.