Hacking Team successor linked to malware campaign, new ‘Dante’ commercial spyware | CyberScoop<\/title> <meta name=\"description\" content=\"Kaspersky researchers said Monday that they\u2019ve unearthed a malware campaign they\u2019re linking to the successor company of the infamous Italy-based surveillance tech firm Hacking Team, and at the same time discovered new commercial malware tied to the same firm.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/hacking-team-dante-spyware-kaspersky\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Hacking Team successor linked to malware campaign, new 'Dante' commercial spyware\"> <meta property=\"og:description\" content=\"Kaspersky researchers said Monday that they\u2019ve unearthed a malware campaign they\u2019re linking to the successor company of the infamous Italy-based surveillance tech firm Hacking Team, and at the same time discovered new commercial malware tied to the same firm.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/hacking-team-dante-spyware-kaspersky\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/cyberscoop\/\"> <meta property=\"article:published_time\" content=\"2025-10-27T17:01:34+00:00\"> <meta property=\"article:modified_time\" content=\"2025-10-27T17:01:37+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/hacking-team-successor-linked-to-malware-campaign-new-dante-commercial-spyware-2.jpg\"> <meta property=\"og:image:width\" content=\"1920\"> <meta property=\"og:image:height\" content=\"1539\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"Tim Starks\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:creator\" content=\"@timstarks\"> <meta name=\"twitter:site\" content=\"@CyberScoopNews\">  <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1759256725g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1761070183g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1753281318g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=13897d660a0ac2c9c7d1\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/86495\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.8.3\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=86495\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fhacking-team-dante-spyware-kaspersky%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fhacking-team-dante-spyware-kaspersky%2F&format=xml\">   <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"wp-singular post-template-default single single-post postid-86495 single-format-standard wp-theme-scoopnewsgroup wp-child-theme-cyberscoop\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/hacking-team-dante-spyware-kaspersky\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"26.074285714286\">\n<div class=\"single-article__header-content\" readability=\"35.363636363636\">\n<p> Kaspersky researchers said Memento Labs appears to be behind both the Operation ForumTroll malware and spyware, known as Dante. <\/p>\n<p>  <br \/>\n<audio id=\"audio-player\" src=\"https:\/\/wp-tts-cdn.api.scpnewsgrp.com\/cyberscoop\/86495\/english.openai.mp3\"><\/audio> <\/p>\n<div readability=\"11\">\n<div>\n<p>Listen to this article<\/p>\n<p>  <\/p>\n<p>0:00<\/p>\n<\/p><\/div>\n<p>  <\/p>\n<p> <span id=\"tts-tooltip\">Learn more.<\/span> <span> This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment. <\/span> <\/p>\n<\/div>\n<p>  <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"513\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/hacking-team-successor-linked-to-malware-campaign-new-dante-commercial-spyware.jpg?resize=640%2C513&ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/hacking-team-successor-linked-to-malware-campaign-new-dante-commercial-spyware-2.jpg 1920w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/hacking-team-successor-linked-to-malware-campaign-new-dante-commercial-spyware-2.jpg?resize=300,240 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/hacking-team-successor-linked-to-malware-campaign-new-dante-commercial-spyware-2.jpg?resize=768,616 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/hacking-team-successor-linked-to-malware-campaign-new-dante-commercial-spyware-2.jpg?resize=1024,821 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/hacking-team-successor-linked-to-malware-campaign-new-dante-commercial-spyware-2.jpg?resize=1536,1231 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/hacking-team-successor-linked-to-malware-campaign-new-dante-commercial-spyware-2.jpg?resize=600,481 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/hacking-team-successor-linked-to-malware-campaign-new-dante-commercial-spyware-2.jpg?resize=210,168 210w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/hacking-team-successor-linked-to-malware-campaign-new-dante-commercial-spyware-2.jpg?resize=420,337 420w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/hacking-team-successor-linked-to-malware-campaign-new-dante-commercial-spyware-2.jpg?resize=842,675 842w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/hacking-team-successor-linked-to-malware-campaign-new-dante-commercial-spyware-2.jpg?resize=1052,843 1052w\" sizes=\"(max-width: 842px) 100vw, 842px\"><figcaption> In the forground stands Dante holding his work ‘the Divine Comedy’. (Photo by David Lees\/Corbis\/VCG via Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"34.134661117717\"><body readability=\"70.661834120027\"><\/p>\n<p>Kaspersky researchers said Monday that they\u2019ve unearthed a malware campaign they\u2019re linking to the successor company of the infamous Italy-based surveillance tech firm Hacking Team, and at the same time discovered new commercial malware tied to the same firm.<\/p>\n<p>The malware campaign that Kaspersky dubbed Operation ForumTroll targeted government organizations, media outlets, financial institutions, universities, research centers and other organizations in Russia, with an apparent goal of conducting espionage. It identified it as an advanced persistent threat campaign, a term normally applied to nation-state attackers.<\/p>\n<p>Hacking Team was active from the early 2000s until 2019, when it was acquired and rebranded as Memento Labs. Kaspersky said in <a href=\"https:\/\/securelist.com\/forumtroll-apt-hacking-team-dante-spyware\/117851\/\">a blog post<\/a> Monday that it detected a wave of malware infections in March that it traced back to 2022 and tied to Memento Labs.<\/p>\n<p>While analyzing that malware, researchers found a previously undiscovered commercial spyware product Memento Labs developed known as \u201cDante,\u201d according to Kaspersky.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Kaspersky said the malware infections occurred when victims clicked on personalized phishing links via email. It was disguised as an invitation from organizers of the scientific and expert forum for Primakov Readings, an international summit on global politics and economics.<\/p>\n<p>\u201cNo further action was required to initiate the infection; simply visiting the malicious website using Google Chrome or another Chromium-based web browser was enough,\u201d Kaspersky wrote. \u201cThe malicious links were personalized and extremely short-lived to avoid detection.\u201d<\/p>\n<p>The campaign exploited a zero-day (or previously unknown and unpatched) vulnerability in Google Chrome. Google patched the vulnerability after it was alerted, Kaspersky said.<\/p>\n<p>Memento Labs did not immediately respond to emails or calls seeking comment Monday.<\/p>\n<p>Despite the detection, the development might actually be a promising one for Memento Labs, which was <a href=\"https:\/\/www.vice.com\/en\/article\/memento-labs-the-reborn-hacking-team-is-struggling\/\">said to be struggling<\/a> shortly after <a href=\"https:\/\/www.vice.com\/en\/article\/hacking-team-is-dead\/\">transforming from Hacking Team<\/a>, the most prominent spyware maker in a nation that has become <a href=\"https:\/\/therecord.media\/how-italy-became-an-unexpected-spyware-hub\">a hotbed<\/a> for the tech.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Russia-headquartered Kaspersky\u2019s discoveries also marks the second time this month there was an intermingling of spyware and Russian targets, following Zimperium\u2019s <a href=\"https:\/\/cyberscoop.com\/russian-spyware-clayrat-is-spreading-evolving-quickly-according-to-zimperium\/\">revelations about ClayRat<\/a>.<\/p>\n<p>There was some overlap between the Operation ForumTroll malware campaign and the Dante spyware, but it wasn\u2019t exact, Kaspersky wrote.<\/p>\n<p>\u201cAlthough we didn\u2019t see the ForumTroll APT group using Dante in the Operation ForumTroll campaign, we have observed its use in other attacks linked to this group,\u201d the blog post states. \u201cNotably, we saw several minor similarities between this attack and others involving Dante, such as similar file system paths, the same persistence mechanism, data hidden in font files, and other minor details. Most importantly, we found similar code shared by the exploit, loader, and Dante.\u201d<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\">\n<div class=\"author-card\" readability=\"7.7216117216117\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/10\/hacking-team-successor-linked-to-malware-campaign-new-dante-commercial-spyware-1.jpg?w=640&ssl=1\" alt=\"Tim Starks\"> <\/figure>\n<\/p><\/div>\n<div class=\"author-card__details\" readability=\"10.901098901099\">\n<h4 class=\"author-card__name\">Written by Tim Starks<\/h4>\n<p> Tim Starks is senior reporter at CyberScoop. His previous stops include working at The Washington Post, POLITICO and Congressional Quarterly. An Evansville, Ind. native, he’s covered cybersecurity since 2003. Email Tim here: <a href=\"mailto:tim.starks@cyberscoop.com\">tim.starks@cyberscoop.com<\/a>. <\/div>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p>  <\/div>\n<p>\n<\/div>\n<p> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p>   <\/body> <a href=\"https:\/\/cyberscoop.com\/hacking-team-dante-spyware-kaspersky\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hacking Team successor linked to malware campaign, new ‘Dante’ commercial<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[5303,5304,302,387,5305,5306,3928,483,5307,60,268,256,270,482,5201],"tags":[5308,5309,306,391,5310,5311,3930,485,5312,67,274,262,276,484,5202],"class_list":["post-8110","post","type-post","status-publish","format-standard","hentry","category-clayrat","category-dante","category-geopolitics","category-google","category-google-chrome","category-hackingteam","category-italy","category-kaspersky","category-memento-labs","category-phishing","category-privacy","category-research","category-russia","category-spyware","category-zimperium","tag-clayrat","tag-dante","tag-geopolitics","tag-google","tag-google-chrome","tag-hackingteam","tag-italy","tag-kaspersky","tag-memento-labs","tag-phishing","tag-privacy","tag-research","tag-russia","tag-spyware","tag-zimperium"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/clayrat\/\" rel=\"category tag\">ClayRat<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/dante\/\" rel=\"category tag\">Dante<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/geopolitics\/\" rel=\"category tag\">Geopolitics<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/google\/\" rel=\"category tag\">Google<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/google-chrome\/\" rel=\"category tag\">Google Chrome<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/hackingteam\/\" rel=\"category tag\">HackingTeam<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/italy\/\" rel=\"category tag\">Italy<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/kaspersky\/\" rel=\"category tag\">Kaspersky<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/memento-labs\/\" rel=\"category tag\">Memento Labs<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/phishing\/\" rel=\"category tag\">phishing<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/privacy\/\" rel=\"category tag\">Privacy<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/research\/\" rel=\"category tag\">Research<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/russia\/\" rel=\"category tag\">Russia<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/spyware\/\" rel=\"category tag\">spyware<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/zimperium\/\" rel=\"category tag\">Zimperium<\/a>","tag_info":"Zimperium","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/8110","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=8110"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/8110\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=8110"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=8110"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=8110"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":8110,"date":"2025-10-27T12:01:34","date_gmt":"2025-10-27T17:01:34","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=86495"},"modified":"2025-10-27T12:01:34","modified_gmt":"2025-10-27T17:01:34","slug":"hacking-team-successor-linked-to-malware-campaign-new-dante-commercial-spyware","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2025\/10\/27\/hacking-team-successor-linked-to-malware-campaign-new-dante-commercial-spyware\/","title":{"rendered":"Hacking Team successor linked to malware campaign, new \u2018Dante\u2019 commercial spyware"},"content":{"rendered":"