
Spyware Firm CEO Admits Government Client Misused Its Malware

Summary

– Kaspersky identified a new spyware called Dante targeting Windows users in Russia and Belarus, created by Milan-based Memento Labs.
– Memento’s CEO confirmed the spyware belongs to them and blamed a government customer for using an outdated version that will no longer be supported.
– Kaspersky linked the attacks to a group called “ForumTroll,” which targeted Russian media, universities, and government organizations via phishing.
– Memento has shifted to developing spyware only for mobile platforms and sources most exploits externally, though it still creates some zero-days.
– The discovery shows how surveillance technology persists despite past scandals, with Memento emerging from the controversial Hacking Team after its 2019 acquisition.

Cybersecurity researchers at Kaspersky have uncovered a new piece of spyware, known as Dante, which has been deployed against Windows users in Russia and Belarus. The investigation links this malicious software to Memento Labs, an Italian surveillance technology company established in 2019 following the acquisition of the notorious Hacking Team. Memento’s chief executive, Paolo Lezzi, has publicly acknowledged that the spyware belongs to his firm, while attributing its exposure to a government client’s use of an outdated version.

Lezzi explained that the client was running an obsolete agent, the term for spyware implanted on a target device, which Memento plans to stop supporting by year’s end. He expressed surprise that the customer was still using the tool, stating, “I thought they didn’t even use it anymore.” Memento has already urged all clients to discontinue use of the Windows malware, especially since Kaspersky detected infections as early as December 2024. The company intends to send another formal request this week.

Currently, Memento focuses exclusively on developing spyware for mobile platforms. While the company does create some zero-day exploits, which target security vulnerabilities unknown to software vendors, it primarily obtains its exploits from external developers. Lezzi emphasized that a recent Chrome browser zero-day used in related phishing attacks was not developed by Memento.

Kaspersky’s spokesperson, Mai Al Akkad, declined to identify the government behind the espionage campaign but noted the attackers demonstrated strong Russian language skills alongside occasional errors, suggesting they were not native speakers. The hacking group, dubbed “ForumTroll” by Kaspersky, targeted individuals through invitations to the Primakov Readings, a Russian forum on politics and economics. Victims spanned various sectors, including media, academia, and government bodies.

Kaspersky’s analysis indicates that Memento continued refining spyware originally created by Hacking Team until 2022, when Dante took its place. Lezzi conceded that certain elements of Memento’s Windows spyware may trace back to Hacking Team’s earlier work. A clear identifier linking the malware to Memento was the string “DANTEMARKER” embedded in the code, a nod to the name Dante, which the company had previously disclosed at a surveillance technology conference. This naming convention echoes Hacking Team’s practice of codenaming spyware versions after famous Italian historical figures.

Memento Labs emerged after Lezzi purchased Hacking Team for a symbolic one euro in 2019, with the goal of starting anew. At the time, Lezzi stated his intention to “change absolutely everything,” and a year later, Hacking Team’s founder declared the original company “dead.” When Lezzi took over, only three government clients remained, a sharp decline from the more than forty Hacking Team served in 2015. That year, hacktivist Phineas Fisher breached the company’s servers, exfiltrating hundreds of gigabytes of internal data, including emails, contracts, and spyware source code.

Prior to the breach, Hacking Team’s clients in Ethiopia, Morocco, and the UAE were found targeting journalists, critics, and dissidents. Leaked documents later revealed that a Mexican regional government used the spyware against local politicians and that sales extended to countries with documented human rights abuses, such as Bangladesh, Saudi Arabia, and Sudan. Lezzi did not disclose Memento’s current client count but suggested it was under one hundred. Only two former Hacking Team employees remain with the new company.

John Scott-Railton, a senior researcher at the University of Toronto’s Citizen Lab, observed that the discovery of Memento’s spyware underscores the persistent spread of surveillance tools. He noted that even after a company faces major scandals and a devastating hack, a new entity can rise from its remains. “It tells us that we need to keep up the fear of consequences,” Scott-Railton remarked. “It says a lot that echoes of the most radioactive, embarrassed and hacked brand are still around.”


(Source: TechCrunch)
