Cybersecurity researchers at Kaspersky recently published a report uncovering a new spyware tool known as Dante, which has been targeting Windows users in Russia and Belarus. The researchers attribute the development of this spyware to Memento Labs, a surveillance technology company based in Milan, formed in 2019 after acquiring the assets of the earlier spyware maker Hacking Team.
Paolo Lezzi, the chief executive of Memento Labs, confirmed to TechCrunch that the identified spyware indeed belongs to Memento. He explained that Dante was exposed because one of the company's government clients was using an outdated version of the Windows spyware, which Memento will stop supporting by the end of the year.
Lezzi described the situation as the client using an “agent” that was already obsolete, referring to the spyware planted on the target’s computer. He expressed surprise, stating that he thought the client was no longer using it.
Memento has requested that all its clients cease using the Windows malware, following Kaspersky’s detection of Dante spyware infections since December 2024. The company plans to send a reminder to all clients to stop using its Windows spyware. Currently, Memento develops spyware exclusively for mobile platforms. It also creates zero-days, though these are mostly sourced from external developers.
Kaspersky spokesperson Mai Al Akka declined to specify which government is behind the espionage campaign but mentioned that it involves a party capable of utilizing Dante software. The hacking group, referred to as “ForumTroll,” demonstrates a strong command of Russian and knowledge of local nuances, occasionally making errors suggestive of non-native speakers.
The discovery of Dante followed Kaspersky’s detection of a wave of cyberattacks exploiting a zero-day in the Chrome browser. Lezzi clarified that Memento did not develop this Chrome zero-day. Kaspersky researchers found that Memento continued to improve the spyware originally developed by Hacking Team until 2022, when it was replaced by Dante.
Lezzi acknowledged the possibility that some aspects of Memento’s Windows spyware may have been retained from Hacking Team’s developments. A notable indicator of Memento’s involvement is the presence of “DANTEMARKER” in the spyware’s code, referencing the publicly disclosed name Dante.
Kaspersky’s report details the hacking group’s targeting of individuals invited to the Russian politics and economics forum Primakov Readings, affecting a broad range of industries in Russia, including media, universities, and government organizations.
A History of Hacks
In 2019, Lezzi acquired Hacking Team for one euro, intending to rebrand and start anew as Memento Labs. The acquisition followed a series of scandals and hacks, including a significant breach by hacktivist Phineas Fisher in 2015, which exposed internal emails, contracts, and the source code for Hacking Team’s spyware.
Before the breach, Hacking Team’s spyware had been used by governments in Ethiopia, Morocco, and the United Arab Emirates to target journalists, critics, and dissidents. After the breach, it was revealed that Hacking Team had sold spyware to countries with records of human rights abuses, including Bangladesh, Saudi Arabia, and Sudan.
Lezzi declined to disclose the current number of Memento’s clients but implied it was fewer than 100. He also mentioned that only two current employees of Memento were part of Hacking Team’s former staff.
The discovery of Memento’s spyware highlights the ongoing proliferation of surveillance technology, according to John Scott-Railton, a senior researcher at the University of Toronto’s Citizen Lab. It also underscores the need for continued vigilance and consequences for the misuse of such technology, as companies like Memento can emerge from the ashes of controversial predecessors.
Scott-Railton emphasized the importance of maintaining the fear of consequences for companies involved in spyware abuses, given that the legacy of even the most scandalous brands can persist.