Italian Spyware ‘Dante’ Exploits Chrome Zero-Day Flaw

Summary
– Attackers exploited the Chrome zero-day vulnerability CVE-2025-2783, since fixed by Google, in March 2025 to deliver LeetAgent spyware.
– Operation ForumTroll targeted Russian and Belarusian entities through fake forum invitations containing malicious links that deployed exploits and spyware.
– The campaign used two commercial spyware tools: LeetAgent for remote commands and data theft, and Dante for sophisticated surveillance with anti-analysis features.
– Researchers attributed Dante to Memento Labs based on code similarities with its earlier RCS spyware, while the company denies any involvement in the Chrome exploit.
– Memento Labs confirmed Dante is their product but announced they will stop supporting it by year-end 2025 and focus solely on mobile spyware development.
A sophisticated cyber espionage campaign exploited a critical Google Chrome zero-day vulnerability to deploy advanced commercial spyware against high-value targets in Russia and Belarus. Security researchers identified this coordinated attack, which leveraged a now-patched security flaw designated CVE-2025-2783 to bypass Chrome’s protective sandbox and install persistent surveillance tools on compromised systems.
Kaspersky’s investigation traced the malicious activity to a campaign they named Operation ForumTroll. This operation used convincingly forged invitations to the Primakov Readings forum as bait. The emails, written in stylistically proper Russian with subtle errors suggesting non-native speakers, directed recipients to a malicious website. A validator script on the site performed checks before delivering a multi-stage attack chain. This culminated in the installation of a persistent malware loader, which ultimately decrypted and executed a spyware program known as LeetAgent.
The technical analysis revealed the attackers employed a clever method to escape Chrome’s sandbox. They manipulated the browser’s inter-process communication system, exploiting an obscure Windows operating system quirk. This allowed them to convert a pseudo-handle into a functional handle within the browser process. With this level of access, they could execute code with the browser’s elevated privileges, a technique that genuinely puzzled researchers due to its subtlety.
LeetAgent functions as a powerful remote access tool, capable of receiving commands from its control servers. Its capabilities are extensive, including running system commands, executing processes, injecting shellcode, performing keylogging, and stealing files in the background. The configuration’s multiple traffic obfuscation settings strongly indicate it is a commercially developed spyware product.
Further investigation into the threat actor’s infrastructure uncovered the use of a second, more sophisticated spyware tool: Dante. Developed by the Italian firm Memento Labs, formerly known as the controversial Hacking Team, Dante represents a significant escalation in surveillance capabilities. The malware employs VMProtect to obscure its code, encrypt strings, and hinder debugging efforts. It features advanced detection for analysis environments like sandboxes and virtual machines.
Dante’s operational security measures are notably robust. It indirectly calls Windows APIs to evade security software, disguises its main controller as a font file, and loads encrypted plugin modules from disk or memory. The spyware also ties unique encryption keys to each infected machine and is programmed to delete itself if it fails to receive commands within a predetermined timeframe.
While Dante was not directly observed in the initial Operation ForumTroll campaign, researchers found compelling connections. They identified minor technical similarities in file system paths, persistence mechanisms, and the use of font files to hide data. Most conclusively, they discovered shared code between the exploit, loader, and the Dante spyware itself. This evidence strongly links the entire attack chain to the same toolset associated with Dante.
In a subsequent statement, Memento Labs’ CEO confirmed the Windows spyware analyzed by Kaspersky belongs to their company. He announced they would cease support for the product by year’s end and request customers discontinue its use, noting their current development focus is exclusively on mobile spyware. The company also denied any involvement in developing the Chrome zero-day exploit used in these attacks.
Kaspersky has published detailed indicators of compromise to help organizations detect potential infections from either LeetAgent or Dante spyware.
(Source: HelpNet Security)