On Monday, researchers at cybersecurity giant Kaspersky published a report identifying a new spyware called Dante, which they say targeted Windows victims in Russia and neighboring Belarus. The researchers said the Dante spyware was made by Milan-based surveillance technology maker Memento Labs, which was formed in 2019 after a new owner acquired early spyware maker Hacking Team.
Memento chief executive Paolo Lazzi confirmed to TechCrunch that the spyware captured by Kaspersky is indeed from Memento.
In a call, Lazzi blamed one of the company’s government customers for exposing Dante and said the customer used an outdated version of the Windows spyware that Memento will no longer support by the end of this year.
“Apparently they used an agent that was already dead,” Lazzi told TechCrunch, using “agent,” the technical term for the spyware planted on a target’s computer.
“I thought [the government customer] didn’t even use it anymore,” Lazzi said.
Lazzi, who said he was not sure which of the company’s customers had been caught, said that Memento had already requested that all of its customers stop using the Windows malware. Lazzi said the company had warned customers that Kaspersky had detected Dante spyware infections dating back to December 2024. He said Memento planned to send a message to all of its customers on Wednesday, asking them once again to stop using its Windows spyware.
He also said that Memento currently develops spyware only for mobile platforms. The company also develops some zero-days (security flaws in software that are unknown to the vendor and can be used to deliver spyware) although, according to Lazzi, the company mostly obtains its exploits from outside developers.
Contacted by TechCrunch, Kaspersky spokesperson Mai Al Akka did not say which government Kaspersky believes is behind the spying campaign, but said it is “someone who is able to use Dante software.”
“The group is known for its strong command of the Russian language and knowledge of local nuances, traits Kaspersky has seen in other campaigns associated with [government-backed] threat. However, sometimes errors indicate that the attackers were not native speakers,” Al Akka told TechCrunch.
In its new report, Kaspersky said it found a hacking group, which it refers to as “Forumtrol,” using the Dante spyware, and described the group as targeting people invited to the Russian politics and economics forum Primakov Readings. Kaspersky said the hackers targeted a wide range of industries in Russia, including media outlets, universities and government organizations.
Kaspersky’s discovery of Dante came after the Russian cybersecurity firm said it had detected a “wave” of cyberattacks with phishing links that were exploiting a zero-day in the Chrome browser. Lazzi said that the Chrome zero-day was not developed by Memento.
In their report, Kaspersky researchers concluded that Memento “kept improving” the spyware originally developed by Hacking Team until 2022, when the spyware was “replaced by Dante.”
Lazzi acknowledged that it was possible that some “aspects” or “behavior” of Memento’s Windows spyware were left over from the spyware developed by Hacking Team.
One clear indication that the spyware captured by Kaspersky was from Memento was that the developers reportedly left the word “Dantemarker” in the spyware’s code, an apparent reference to the Dante name, which Memento had previously and publicly disclosed at a surveillance technology conference, according to Kaspersky.
Like Memento’s Dante spyware, some versions of Hacking Team’s spyware, codenamed Remote Control System, were named after historical Italian figures, such as Leonardo da Vinci and Galileo Galilei.
HACK HISTORY
In 2019, Lazzi purchased Hacking Team and rebranded it as Memento Labs. According to Lazzi, he paid only one euro for the company and the plan was to start over.
“We want to completely change everything,” Memento’s owner told Motherboard after the acquisition in 2019. “We’re starting from scratch.”
A year later, Hacking Team CEO and founder David Vincenzetti announced that Hacking Team was “dead”.
Lazzi told TechCrunch that when he acquired Hacking Team, the company had only three government customers remaining, a far cry from Hacking Team’s more than 40 government customers in 2015. That same year, a hacktivist named Phineas Fisher broke into the startup’s servers and stole approximately 400 gigabytes of internal emails, contracts, documents, and the source code of its spyware.
Prior to the hack, Hacking Team clients in Ethiopia, Morocco and the United Arab Emirates were caught using the company’s spyware to target journalists, critics and dissidents. Once Phineas Fisher published the company’s internal data online, journalists revealed that the Mexican regional government had used Hacking Team’s spyware to target local politicians, and that Hacking Team had sold it to countries with human rights abuses, including Bangladesh, Saudi Arabia, and Sudan.
Lazzi declined to tell TechCrunch how many customers Memento currently has, but did say it was fewer than 100. He also said that only two current Memento employees remain from Hacking Team’s former staff.
According to John Scott-Railton, a senior researcher who has spent a decade investigating spyware misuse at the University of Toronto’s Citizen Lab, the discovery of Memento’s spyware shows that this type of surveillance technology is continuing to spread. It also shows that a controversial company can die due to a spectacular hack and multiple scandals, and yet a new company can come out of its ashes with brand new spyware.
“This tells us that we need to maintain the fear of consequences,” Scott-Railton told TechCrunch. “It says a lot that the buzz from the most radioactive, embarrassed and hacked brand is still around.”