Operation ForumTroll: Chrome Zero-Day Tied to Italian Spyware Developer Memento Labs


A newly uncovered cyber-espionage operation known as Operation ForumTroll shows commercial spyware resurfacing in what appears to be a state-backed surveillance campaign. According to new research from Kaspersky, the campaign exploited a Google Chrome zero-day (CVE-2025-2783) and targeted Russian and Belarusian organizations in the government, research, and media sectors. The attackers' tooling was traced to Memento Labs, the Italian surveillance vendor formerly known as Hacking Team, whose spyware sparked global controversy a decade ago after it was shown to have been sold to authoritarian regimes.

The operation began with highly tailored phishing emails disguised as invitations to the "Primakov Readings", a major international policy forum, that lured recipients into visiting short-lived malicious links. Anyone who clicked was redirected to a drive-by exploit page that triggered the Chrome sandbox escape, letting the attackers run code outside the browser's sandbox on the underlying Windows host. A flaw of the same pattern was subsequently identified and patched in Firefox (CVE-2025-2857), which uses a similar IPC design on Windows, so the same class of bug reached a second major browser.

Once inside, the attackers deployed two implants: a custom spyware loader named LeetAgent, and a far more advanced commercial implant called Dante, developed by Memento Labs. Both tools used the same persistence mechanism, COM hijacking, which is the telltale indicator that links them. LeetAgent operates as a modular espionage platform capable of keylogging, code injection, and document theft, while Dante shows commercial-grade engineering: protected by VMProtect, it is built around a central orchestrator module that decrypts and loads AES-encrypted payloads, with the encryption bound cryptographically to the specific victim machine so that the modules cannot be run elsewhere, including in an analyst's lab.
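The COM hijacking persistence shared by LeetAgent and Dante is the kind of host artifact a defender can hunt for directly. The PowerShell check below is an added example written for this page, not code from Kaspersky's report or from the article: it walks the per-user CLSID registrations under HKCU and flags the classic hijack shape, a user-writable InprocServer32/LocalServer32 that shadows a machine-wide CLSID, or that points into a user-writable directory. The specific CLSIDs used in ForumTroll are not reproduced here (they belong in Kaspersky's published IoC list), so the script relies on generic heuristics and assumes it is run on the affected Windows host in the affected user's session.

```powershell
# Added example (not part of the original article or of Kaspersky's report).
# Hunts for user-level COM hijacks: a CLSID registered under HKCU that either
# shadows the same CLSID under HKLM or loads a server from a user-writable path.

$hkcuClsid = 'HKCU:\Software\Classes\CLSID'
$hklmClsid = 'HKLM:\Software\Classes\CLSID'

function Get-ServerSignature {
    param([string]$Server)
    if (-not $Server) { return 'missing' }
    # LocalServer32 values may carry quotes and arguments; keep only the executable part.
    $exe = $Server -replace '^"([^"]+)".*$', '$1'
    $exe = $exe -replace '\s+/.*$', ''
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    if (-not (Test-Path -LiteralPath $exe)) { return 'file-not-found' }
    return (Get-AuthenticodeSignature -LiteralPath $exe).Status.ToString()
}

function Find-ComHijacks {
    $findings = @()
    if (-not (Test-Path $hkcuClsid)) { return $findings }

    Get-ChildItem -Path $hkcuClsid -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid = $_.PSChildName
        # A per-user override of a CLSID that also exists machine-wide is the hijack pattern.
        $shadowsMachine = Test-Path (Join-Path $hklmClsid $clsid)

        foreach ($serverKey in 'InprocServer32', 'LocalServer32') {
            $userKey = Join-Path $_.PSPath $serverKey
            if (-not (Test-Path $userKey)) { continue }
            $userServer = (Get-ItemProperty -Path $userKey -ErrorAction SilentlyContinue).'(default)'

            $machineServer = $null
            $machineKey = Join-Path $hklmClsid "$clsid\$serverKey"
            if (Test-Path $machineKey) {
                $machineServer = (Get-ItemProperty -Path $machineKey -ErrorAction SilentlyContinue).'(default)'
            }

            # Servers loaded from profile, temp or ProgramData locations deserve a look even
            # when the CLSID has no HKLM twin.
            $userWritablePath = $userServer -match '\\Users\\|\\AppData\\|\\ProgramData\\|\\Temp\\'

            if ($shadowsMachine -or $userWritablePath) {
                $findings += [pscustomobject]@{
                    CLSID         = $clsid
                    ServerType    = $serverKey
                    UserServer    = $userServer
                    MachineServer = $machineServer
                    ShadowsHKLM   = $shadowsMachine
                    Signature     = Get-ServerSignature -Server $userServer
                }
            }
        }
    }
    return $findings
}

# Usage: run as the user whose profile is being examined; review every row by hand,
# since some legitimate software also registers per-user COM servers.
Find-ComHijacks | Sort-Object ShadowsHKLM -Descending | Format-Table -AutoSize
```

Rows where ShadowsHKLM is true and the Signature column reads NotSigned or file-not-found are the ones to triage first; a benign per-user registration normally points at a signed binary under Program Files. To cover other users on a shared machine, load each user's NTUSER.DAT hive and repeat the walk against that hive instead of HKCU.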

Kaspersky's analysis also connected Dante to Hacking Team's legacy Remote Control System (RCS) spyware through overlaps with that older codebase. Once researchers stripped the VMProtect layer, the name "Dante" appeared directly in the binary, confirming that the implant is the product Memento Labs has marketed under that name. Together these findings link Memento Labs' "rebooted" surveillance suite to the same lineage as Hacking Team's RCS, the product whose exposure in 2015 caused an international uproar.

The technical core of Operation ForumTroll rested on CVE-2025-2783, a logic flaw in Mojo, Chrome's inter-process communication (IPC) framework, in its handling of Windows pseudo-handles. The bug let attackers escape the renderer sandbox and run code with the privileges of the unsandboxed browser process, which is all that is needed to install an implant on the host. Before serving the exploit, the attackers ran a validation stage that fingerprinted the machine's hardware through WebGPU and protected the exchange with ECDH-derived encryption, so the exploit reached only hosts that looked like genuine human targets rather than researcher or sandbox systems, an evasion step that the report describes as unusual in commercial spyware delivery.

Kaspersky's linking of the ForumTroll tooling to Memento Labs is one of the clearest connections yet drawn between a commercial surveillance vendor and a state-backed cyber operation. The exposure carries significant implications for the spyware industry, signaling that tools developed under the banner of "lawful interception" continue to reappear in covert geopolitical campaigns. Analysts expect the disclosure may force Memento Labs to re-engineer its flagship Dante suite, much as the company reinvented itself when it rebranded from Hacking Team years earlier.

This operation serves as a powerful reminder of the blurred boundaries between private surveillance companies and state cyber operations—and how vulnerabilities in everyday software can be weaponized through the global spyware market. A full list of Indicators of Compromise (IoCs) from the campaign has been released by Kaspersky to help defenders detect and mitigate related threats.

#OperationForumTroll #MementoLabs #HackingTeam #DanteSpyware #LeetAgent #CVE20252783 #ChromeZeroDay #CyberEspionage #Kaspersky #CommercialSpyware #CVE20252857 #Cybersecurity #SpywareMarket #ThreatIntelligence #ZeroDayExploit #APT #SurveillanceTechnology #CyberDefense #Infosec
