A Chrome vulnerability patched in March was exploited to deploy spyware linked to Memento Labs, the Italian company formed when InTheCyber Group acquired notorious surveillance vendor Hacking Team in 2019.
The campaign, dubbed Operation ForumTroll by Kaspersky researchers, targeted organizations across Russia and Belarus through phishing emails disguised as invitations to an academic forum. Recipients who clicked the links in Chrome triggered an exploit that bypassed the browser’s sandbox and installed malware without requiring any downloads or additional interaction.
How the Attack Worked
The phishing emails appeared to be invitations to the Primakov Readings forum, a real academic conference. The links were personalized and short-lived, designed to look legitimate enough to get clicks from targets at media outlets, universities, research centers, government organizations, and financial institutions.
CVE-2025-2783, the vulnerability exploited in the campaign, was a logic flaw in how Chrome's Mojo inter-process communication layer handled Windows pseudo handles. Pseudo handles are special constant values (GetCurrentProcess() returns -1, GetCurrentThread() returns -2) that Windows interprets relative to whichever process uses them, and Chrome's IPC code on Windows did not reject them when they arrived from a sandboxed renderer. When the privileged browser process duplicated such a value on the renderer's behalf, the result was a real handle to one of the browser process's own threads, handed back into the sandbox. With that handle the attackers could rewrite the thread's context and execute shellcode inside the browser process, escaping the sandbox entirely.
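The following is an added illustration, not Chromium, Mojo or Windows kernel code and not from the Kaspersky report. It models only the behaviour that matters for the bug described above: a pseudo handle is resolved in the context of the process that uses it, so a broker that duplicates a handle value on behalf of a sandboxed client without checking it can hand the client one of its own objects. The `Kernel`, `Process` and `KObject` classes, the process IDs and the handle values are constructed; the pseudo-handle constants are the documented Windows ones. The hardened variant shows the two checks a broker wants: refuse pseudo-handle values before duplicating, and refuse objects of a type the message is not allowed to carry.

```python
"""Model of the handle confusion behind CVE-2025-2783 (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Documented Windows pseudo-handle values (processthreadsapi.h). These are
# real constants; the classes below are a simplified model, not the kernel.
PSEUDO_HANDLES = {
    -1: "GetCurrentProcess()",
    -2: "GetCurrentThread()",
    -4: "GetCurrentProcessToken()",
    -5: "GetCurrentThreadToken()",
    -6: "GetCurrentThreadEffectiveToken()",
}


@dataclass(frozen=True)
class KObject:
    kind: str       # "process", "thread", "file", "section", ...
    owner_pid: int  # process the object belongs to
    name: str


@dataclass
class Process:
    pid: int
    handles: Dict[int, KObject] = field(default_factory=dict)

    def __post_init__(self) -> None:
        self.self_obj = KObject("process", self.pid, f"process:{self.pid}")
        self.thread_obj = KObject("thread", self.pid, f"thread:{self.pid}:main")


class Kernel:
    """The one rule modelled: pseudo handles never consult the source
    process's handle table, they resolve in the *caller's* context."""

    def resolve(self, caller: Process, source: Process, value: int) -> KObject:
        if value == -1:
            return caller.self_obj
        if value == -2:
            return caller.thread_obj
        if value in PSEUDO_HANDLES:
            raise NotImplementedError("token pseudo handles are not modelled")
        try:
            return source.handles[value]
        except KeyError:
            raise OSError(f"invalid handle {value:#x} in pid {source.pid}") from None

    def duplicate(self, caller: Process, source: Process, value: int,
                  target: Process) -> int:
        """DuplicateHandle(source, value, target, ...) as issued by `caller`."""
        obj = self.resolve(caller, source, value)
        new = 4                       # real handle values are multiples of 4
        while new in target.handles:
            new += 4
        target.handles[new] = obj
        return new


def broker_unchecked(kernel: Kernel, broker: Process, client: Process,
                     value: int) -> KObject:
    """Unpatched pattern: the broker duplicates whatever handle value the
    sandboxed client sent and returns the result to the client."""
    h = kernel.duplicate(broker, client, value, client)
    return client.handles[h]


def broker_checked(kernel: Kernel, broker: Process, client: Process,
                   value: int, allowed=("file", "section")) -> KObject:
    """Hardened pattern: refuse pseudo-handle values up front, and refuse any
    object that is not of the type this IPC message is allowed to carry."""
    if value in PSEUDO_HANDLES or value <= 0:
        raise PermissionError(
            f"pseudo or invalid handle {value} "
            f"({PSEUDO_HANDLES.get(value, 'reserved')}) from pid {client.pid}")
    obj = kernel.resolve(broker, client, value)
    if obj.kind not in allowed:
        # A real broker would query the duplicated handle's type and close it.
        raise PermissionError(f"unexpected object type {obj.kind!r}")
    h = kernel.duplicate(broker, client, value, client)
    return client.handles[h]


def demo() -> Tuple[KObject, KObject, bool]:
    """Constructed scenario: a sandboxed renderer sends a real file handle,
    then the GetCurrentThread() pseudo handle, to the unsandboxed browser."""
    kernel = Kernel()
    browser = Process(pid=1000)      # unsandboxed broker
    renderer = Process(pid=2000)     # sandboxed client
    renderer.handles[0x40] = KObject("file", 2000, "shared-buffer")
    legit = broker_unchecked(kernel, browser, renderer, 0x40)
    leaked = broker_unchecked(kernel, browser, renderer, -2)
    try:
        broker_checked(kernel, browser, renderer, -2)
        blocked = False
    except PermissionError:
        blocked = True
    return legit, leaked, blocked


if __name__ == "__main__":
    legit, leaked, blocked = demo()
    print("legit:", legit)
    print("leaked:", leaked, "<- a browser-process thread, now in the renderer's table")
    print("hardened broker blocked it:", blocked)
```

Run as a script it prints the three outcomes; the interesting one is `leaked`, whose `owner_pid` is the broker's, not the renderer's. On a real system the equivalent type check after DuplicateHandle would be an NtQueryObject ObjectTypeInformation query (or, for threads specifically, GetProcessIdOfThread compared against GetCurrentProcessId()), followed by CloseHandle on mismatch.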
The malware used COM hijacking to establish persistence. The technique works by overriding the registry entries that map a COM class to the DLL implementing it (typically by adding a per-user entry, which Windows consults before the machine-wide one), so a legitimate process that instantiates that class loads the malicious code instead. Mozilla patched a similar flaw in Firefox's Windows IPC code (CVE-2025-2857) shortly after Google released its fix, a sign that trusting handle values received from a sandboxed process was not a mistake unique to Chrome's implementation.
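As an added example of how a defender hunts for the persistence technique just described (this is not code from the Kaspersky report and does not reproduce the campaign's actual registry keys), the script below reads the output of `reg query HKLM\Software\Classes\CLSID /s` and `reg query HKCU\Software\Classes\CLSID /s` and flags per-user COM server registrations that either shadow a machine-wide one or point into a user-writable directory. The two samples embedded in it are constructed in the shape that `reg query` prints; the CLSIDs, user name and paths are made up. It also handles a detail that trips up naive parsers: on non-English Windows the default value is not printed as "(Default)".

```python
r"""Hunt for COM hijacks in `reg query <hive>\Software\Classes\CLSID /s` output."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed samples in the format `reg query ... /s` prints. Made-up CLSIDs
# and paths; not taken from any real host or report.
HKLM_SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-111111111111}
    (Default)    REG_SZ    Example Shell Extension

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-111111111111}\InprocServer32
    (Default)    REG_SZ    C:\Windows\System32\example.dll
    ThreadingModel    REG_SZ    Apartment
"""

HKCU_SAMPLE = r"""
HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-1111-1111-1111-111111111111}\InprocServer32
    (Default)    REG_SZ    C:\Users\alice\AppData\Roaming\Notes\shim.dll
    ThreadingModel    REG_SZ    Apartment

HKEY_CURRENT_USER\Software\Classes\CLSID\{22222222-2222-2222-2222-222222222222}\InprocServer32
    (Default)    REG_SZ    C:\Users\alice\AppData\Local\Vendor\vendor.dll
    ThreadingModel    REG_SZ    Both
"""

VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s+(.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
SERVER_KEYS = ("inprocserver32", "localserver32")
# Directories an unprivileged user can write to. A COM server loaded from one
# of these by a trusted process deserves a look.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\",
                 "\\users\\public\\", "\\downloads\\")


def parse_reg_query(text: str) -> Dict[str, Dict[str, str]]:
    """Return {CLSID: {"inprocserver32"|"localserver32": default value}}."""
    servers: Dict[str, Dict[str, str]] = {}
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        m = VALUE_RE.match(line)
        if key is None or m is None:
            continue
        name, _type, data = m.groups()
        # The default value prints as "(Default)"; localised Windows builds
        # translate the word, so accept any parenthesised name.
        if not (name.startswith("(") and name.endswith(")")):
            continue
        leaf = key.rsplit("\\", 1)[-1].lower()
        clsid = CLSID_RE.search(key)
        if leaf in SERVER_KEYS and clsid:
            servers.setdefault(clsid.group(0).upper(), {})[leaf] = data.strip()
    return servers


@dataclass
class Finding:
    clsid: str
    server_key: str
    hkcu_path: str
    hklm_path: Optional[str]
    reasons: List[str]


def hunt_com_hijacks(hklm_text: str, hkcu_text: str) -> List[Finding]:
    """Flag per-user COM server registrations that shadow a machine-wide one
    or whose binary sits in a user-writable directory."""
    hklm = parse_reg_query(hklm_text)
    hkcu = parse_reg_query(hkcu_text)
    findings: List[Finding] = []
    for clsid, servers in hkcu.items():
        for leaf, path in servers.items():
            reasons = []
            machine_path = hklm.get(clsid, {}).get(leaf)
            if machine_path and machine_path.lower() != path.lower():
                reasons.append("HKCU entry shadows the HKLM registration "
                               "(COM consults HKCU\\Software\\Classes first)")
            if any(tok in path.lower() for tok in USER_WRITABLE):
                reasons.append("server binary lives in a user-writable directory")
            if reasons:
                findings.append(Finding(clsid, leaf, path, machine_path, reasons))
    return findings


if __name__ == "__main__":
    for f in hunt_com_hijacks(HKLM_SAMPLE, HKCU_SAMPLE):
        print(f.clsid, f.server_key, f.hkcu_path)
        for r in f.reasons:
            print("   -", r)
```

On a live host, redirect the two `reg query` commands above into files and pass their contents to `hunt_com_hijacks`. Expect benign hits: per-user installers (collaboration and sync clients are common ones) legitimately register COM servers under AppData, so the shadowing case, where a CLSID that HKLM already defines is redirected elsewhere, is the stronger signal. Windows ignores per-user COM registrations for elevated processes, so a hijack of this kind lands in medium-integrity hosts such as explorer.exe rather than in administrative ones.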

LeetAgent: Three Years Undetected
The exploit dropped LeetAgent, a previously undocumented spyware that communicates with command-and-control servers over HTTPS. The name comes from its command structure, which uses leetspeak: “0xC033A4D” for COMMAND, “0xF17E09” for FILE operations, “0x6E17A585” for task management.
The malware can execute shell commands, inject shellcode, log keystrokes, and steal documents. It specifically targets files with common business extensions like .docx, .xlsx, .pptx, .pdf, and .rtf. Kaspersky traced LeetAgent’s first appearance to 2022, meaning it operated undetected for at least three years before researchers identified it in this campaign.
In several infections, LeetAgent served as a loader for more sophisticated spyware called Dante.
Dante’s Connection to Hacking Team
Dante is where the connection to Memento Labs becomes clear. Code analysis revealed substantial similarities to Hacking Team’s Remote Control System spyware, which was used by governments worldwide before the company suffered a massive data breach in 2015.
The malware uses VMProtect for code obfuscation and implements multiple anti-analysis techniques: anti-debugging checks, sandbox detection, and virtual machine detection. Dante’s architecture is modular. An orchestrator component manages communications with command-and-control servers, loads encrypted plugins, and handles self-protection measures. If the malware stops receiving commands for a specified period, it deletes itself and removes all traces.
Kaspersky couldn’t retrieve the plugin modules that handle actual surveillance functions, so Dante’s full capabilities remain undocumented. But the orchestrator’s code was enough to establish the connection to Memento Labs and demonstrate that this is commercial-grade spyware, not something cobbled together by independent actors.
Attribution Remains Unclear
Kaspersky couldn’t definitively attribute Operation ForumTroll to a specific government or intelligence service. The attackers demonstrated fluency in Russian and familiarity with local contexts, though occasional errors suggested they might not be native speakers.
The target selection indicates espionage objectives: media organizations that could provide intelligence on public sentiment and political developments, research institutions working on sensitive topics, government agencies, and financial institutions. The technical sophistication and access to both a Chrome zero-day and commercial spyware point to a well-funded operation.
Whether Memento Labs knew its tools were being used in this campaign isn’t clear. Commercial spyware vendors typically sell to government agencies through contracts that may include intermediaries, and they often claim limited visibility into how customers deploy the software after purchase.

The 2015 Hacking Team Breach
Memento Labs’ predecessor has relevant history here. In July 2015, hackers breached Hacking Team and released over 400GB of internal data. The leak included customer lists showing over 70 government clients, invoices totaling more than 40 million euros in revenue, source code for the company’s surveillance tools, and internal emails.
The documents revealed sales to governments with documented human rights violations, including Sudan, where a UN panel of experts examined whether the sale breached the arms embargo on the country. Italian export authorities revoked Hacking Team's license to sell outside Europe in 2016. The company struggled until InTheCyber Group acquired it in 2019 and created Memento Labs.
The rebranded company sells surveillance tools to government agencies and law enforcement. But the discovery of Dante in Operation ForumTroll, with its code similarities to Hacking Team’s original spyware, suggests the technical lineage remained intact through the acquisition and rebrand.
Where Things Stand
Google shipped the fix for CVE-2025-2783 in Chrome 134.0.6998.177/.178 for Windows in late March 2025. Organizations that applied the update promptly were protected; those that delayed remained exposed for as long as the older build stayed in use, and the exploit needed nothing more than a click on a link.
Kaspersky’s investigation continues. Evidence suggests both LeetAgent and Dante were deployed beyond the ForumTroll campaign, but the full scope remains unclear. The researchers couldn’t recover Dante’s plugin modules, which means significant gaps remain in understanding what data was collected and what surveillance capabilities were provided.
Memento Labs hasn’t commented on the research. The company maintains minimal online presence beyond a basic website. A decade after the Hacking Team breach exposed sales to human rights abusers, spyware from the company’s successor has turned up in another campaign targeting media outlets, universities, and research institutions. The tools have gotten more sophisticated, but the fundamental problems in the commercial surveillance industry remain unresolved.