A sophisticated cyber-espionage campaign exploiting a Google Chrome zero-day vulnerability has been traced to Memento Labs, an Italian spyware vendor that evolved from the infamous Hacking Team. The operation, dubbed Operation ForumTroll, was uncovered earlier this year by Kaspersky researchers and has since exposed a complex malware ecosystem designed to target high-value organizations in Russia and Belarus.
According to Kaspersky’s new technical report, Operation ForumTroll used a sandbox escape vulnerability (CVE-2025-2783) in Google Chrome to deliver custom spyware through phishing emails disguised as invitations to the “Primakov Readings” forum. The attackers used short-lived, personalized links to lure their targets—journalists, university researchers, government entities, and financial institutions—into loading malicious pages. Simply visiting these sites in any Chromium-based browser was enough to trigger the exploit and compromise the system.
Once the zero-day exploit was executed, the attackers deployed a persistent loader that injected a malicious DLL, which decrypted and installed the LeetAgent spyware payload. LeetAgent is a modular surveillance tool capable of executing shell commands, logging keystrokes, stealing files, and monitoring user activity. What makes LeetAgent particularly notable, according to Kaspersky, is its “leetspeak” coding style used in command implementation—suggesting a deliberate attempt to obfuscate its behavior and evade detection.
Further investigation revealed that LeetAgent was only the first stage of the attack. It was often used to deliver a second piece of spyware known as Dante, a highly advanced surveillance platform attributed to Memento Labs. Researchers traced Dante back to 2022, identifying striking code overlaps with Hacking Team’s Remote Control System (RCS) malware—software once sold to law enforcement and intelligence agencies worldwide before the company’s 2015 breach exposed unethical client relationships with authoritarian regimes.
Memento Labs, formed in 2019 when InTheCyber Group acquired Hacking Team’s assets, has since rebranded itself as a legitimate cybersecurity firm. However, Kaspersky’s findings suggest that its tools continue to be used for offensive cyber operations under the guise of lawful surveillance. The Dante spyware operates as a modular framework, dynamically fetching components from command-and-control (C2) servers. Notably, if communication with the C2 infrastructure is lost for a set period, the malware is designed to self-delete, effectively erasing all traces of its presence.
Although Kaspersky confidently attributes Dante to Memento Labs, the developer of the Chrome zero-day (CVE-2025-2783) remains unidentified. Analysts speculate that the exploit could have originated from a third-party exploit broker or a collaborating state actor. The vulnerability has since been patched in Google Chrome version 134.0.6998.178 and Mozilla Firefox version 136.0.4, which fixed a related flaw (CVE-2025-2857).
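A defender's first action on this report is confirming that browser fleets are at or above the fixed builds named above. The following is an added triage script, not code from Kaspersky's report or from the page; hostnames, the inventory format and the builds in the sample are constructed. It covers only Chrome and Firefox because those are the two patched versions the report gives (other Chromium-based browsers carry their own version numbering).

```python
from typing import Dict, List, Tuple

# Minimum builds carrying the fixes named in the report:
# Chrome 134.0.6998.178 for CVE-2025-2783, Firefox 136.0.4 for CVE-2025-2857.
FIXED_VERSIONS: Dict[str, Tuple[str, str]] = {
    "chrome": ("134.0.6998.178", "CVE-2025-2783"),
    "firefox": ("136.0.4", "CVE-2025-2857"),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted version string into an int tuple so it orders numerically.
    Shorter strings are zero-padded to four fields, so 137.0 compares as 137.0.0.0."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (4 - len(parts))


def is_vulnerable(product: str, version: str) -> bool:
    """True when the installed build predates the fixed build for this product."""
    fixed, _cve = FIXED_VERSIONS[product.lower()]
    return parse_version(version) < parse_version(fixed)


def triage(inventory: List[Dict[str, str]]) -> List[str]:
    """Return one finding per host whose browser still needs the patch."""
    findings = []
    for host in inventory:
        product = host["product"].lower()
        if product not in FIXED_VERSIONS:
            continue  # product not covered by the report; cannot assess here
        if is_vulnerable(product, host["version"]):
            fixed, cve = FIXED_VERSIONS[product]
            findings.append(f"{host['host']}: {product} {host['version']} < {fixed} ({cve})")
    return findings


# Constructed sample inventory (hypothetical hostnames and builds).
SAMPLE_INVENTORY = [
    {"host": "ws-01", "product": "Chrome", "version": "134.0.6998.177"},
    {"host": "ws-02", "product": "Chrome", "version": "134.0.6998.178"},
    {"host": "ws-03", "product": "Firefox", "version": "136.0.3"},
    {"host": "ws-04", "product": "Firefox", "version": "137.0"},
]

if __name__ == "__main__":
    for line in triage(SAMPLE_INVENTORY):
        print(line)
```

In practice the inventory would come from an endpoint management or software-inventory export rather than an inline list.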
The reappearance of actors linked to Hacking Team underscores the persistent risks posed by commercial spyware vendors operating in the global marketplace. Despite regulatory scrutiny, these companies continue to develop and sell intrusion tools capable of targeting political figures, journalists, and corporations under the banner of lawful surveillance.
Conclusion:
The Operation ForumTroll investigation highlights the blurred lines between cybersecurity and cyber-espionage. While vulnerabilities like CVE-2025-2783 demonstrate the technical sophistication of modern attacks, the involvement of legacy spyware vendors like Memento Labs raises serious ethical and geopolitical questions. As nations race to secure digital sovereignty, the ability to exploit or defend against such advanced tools will continue to shape the future of global cybersecurity.