CEO of spyware maker Memento Labs confirms one of its government customers was caught using its malware

On Monday, researchers at the cybersecurity firm Kaspersky published a report identifying a new spyware called Dante. They stated the spyware targeted Windows victims in Russia and neighboring Belarus. The researchers said the Dante spyware is made by Memento Labs, a Milan-based surveillance technology maker formed in 2019 after a new owner acquired and took over the early spyware maker Hacking Team.

Memento chief executive Paolo Lezzi confirmed to TechCrunch that the spyware detected by Kaspersky does indeed belong to his company. In a call, Lezzi blamed one of the company’s government customers for exposing Dante. He stated the customer used an outdated version of the Windows spyware that will no longer be supported by Memento by the end of this year. Lezzi said he thought the government customer did not even use the spyware anymore.

Lezzi, who was unsure which customer was caught, added that Memento had already requested all its customers stop using the Windows malware. He said the company warned customers that Kaspersky had detected Dante spyware infections since December 2024. Memento plans to send another message to all customers on Wednesday asking them once again to stop using its Windows spyware. He also stated that Memento currently only develops spyware for mobile platforms.

The company also develops some zero-days, which are security flaws in software unknown to the vendor that can be used to deliver spyware. However, the company mostly sources its exploits from outside developers, according to Lezzi.

When reached by TechCrunch, Kaspersky spokesperson Mai Al Akka would not say which government is behind the espionage campaign, only that it was someone who has been able to use Dante software. Al Akka noted the group stands out for its strong command of Russian and knowledge of local nuances, traits observed in other campaigns linked to this government-backed threat. However, occasional errors suggest the attackers were not native speakers.

In its new report, Kaspersky said it found a hacking group using the Dante spyware that it refers to as ForumTroll. The group targeted people with invites to a Russian politics and economics forum called Primakov Readings. Kaspersky said the hackers targeted a broad range of industries in Russia, including media outlets, universities, and government organizations.

Kaspersky’s discovery of Dante came after the firm detected a wave of cyberattacks with phishing links that were exploiting a zero-day in the Chrome browser. Lezzi said that particular Chrome zero-day was not developed by Memento.

In its report, Kaspersky researchers concluded that Memento kept improving the spyware originally developed by Hacking Team until 2022, when that spyware was replaced by Dante. Lezzi conceded it is possible that some aspects or behaviors of Memento’s Windows spyware were left over from spyware developed by Hacking Team.

A telltale sign that the spyware belonged to Memento was that the developers allegedly left the word DANTEMARKER in the spyware’s code, a clear reference to the name Dante. Memento had previously and publicly disclosed the name at a surveillance tech conference. Much like Memento’s Dante spyware, some versions of Hacking Team’s spyware, codenamed Remote Control System, were named after historical Italian figures, such as Leonardo Da Vinci and Galileo Galilei.

In 2019, Lezzi purchased Hacking Team and rebranded it to Memento Labs. According to Lezzi, he paid only one euro for the company with the plan to start over. He stated at the time that they wanted to change absolutely everything and were starting from scratch. A year later, Hacking Team’s CEO and founder David Vincenzetti announced that Hacking Team was dead.

When he acquired Hacking Team, Lezzi told TechCrunch the company only had three government customers remaining. This was a far cry from the more than 40 government customers that Hacking Team had in 2015. That same year, a hacktivist called Phineas Fisher broke into the startup’s servers and siphoned off some 400 gigabytes of internal emails, contracts, documents, and the source code for its spyware.

Before the hack, Hacking Team’s customers in Ethiopia, Morocco, and the United Arab Emirates were caught targeting journalists, critics, and dissidents using the company’s spyware. Once Phineas Fisher published the company’s internal data online, journalists revealed that a Mexican regional government used Hacking Team’s spyware to target local politicians. It was also revealed that Hacking Team had sold to countries with human rights abuses, including Bangladesh, Saudi Arabia, and Sudan, among others.

Lezzi declined to tell TechCrunch how many customers Memento currently has, but implied it was fewer than 100. He also said there are only two current Memento employees left from Hacking Team’s former staff.

The discovery of Memento’s spyware shows that this type of surveillance technology keeps proliferating, according to John Scott-Railton, a senior researcher at the University of Toronto’s Citizen Lab who has investigated spyware abuses for a decade. It also shows that a controversial company can die because of a spectacular hack and several scandals, and yet a new company with brand new spyware can still come out of its ashes. He stated it tells us that we need to keep up the fear of consequences, and it says a lot that echoes of the most radioactive, embarrassed, and hacked brand are still around.