A zero-day vulnerability in Google Chrome, exploited in Operation ForumTroll earlier this year, delivered malware linked to Italian spyware vendor Memento Labs, a company formed after InTheCyber Group acquired the infamous Hacking Team.
Operation ForumTroll was uncovered by Kaspersky in March. The campaign targeted Russian organizations (media outlets, universities, research centers, government organizations, and financial institutions) with well-crafted invitations to the Primakov Readings forum that contained a malicious link.
Loading the link in any Chromium-based web browser was enough to infect the computer system. Kaspersky researchers said that the malware was delivered by exploiting CVE-2025-2783, a sandbox escape zero-day in the Chrome browser.
[Figure: Sample email from the ForumTroll attacks. Source: Kaspersky]
In a report today, Kaspersky published more details about the attack chain used in Operation ForumTroll, saying that the malware used in the campaign dates back to at least 2022 and led to the discovery of other attacks on organizations in Russia and Belarus.
Analyzing the old attacks, the researchers found "an unknown piece of malware that we identified as commercial spyware called “Dante” and developed by the Italian company Memento Labs."
Memento Labs is the name of a new company built on the research and expertise of the former ‘Hacking Team,’ a Milan-based spyware vendor previously known for its Remote Control System (RCS) sold to authorities as a surveillance tool.
Hacking Team was breached in 2015, and the incident sealed the company's fate as it revealed sales to authoritarian regimes, access to zero-day exploits, and interaction with government intelligence clients.
In 2019, the firm was acquired by InTheCyber Group, which used Hacking Team's assets to form Memento Labs.