On Monday, researchers at cybersecurity giant Kaspersky Lab released a report identifying a new piece of spyware called Dante that they say is targeting Windows victims in Russia and neighboring Belarus. Dante spyware is made by Milan-based surveillance technology maker Memento Labs, which was founded in 2019 after earlier spyware maker Hacking Team was acquired and taken over by new owners, researchers said.
Memento CEO Paolo Lezzi confirmed to TechCrunch that the spyware captured by Kaspersky was indeed Memento's.
In the call, Lezzi accused one of his company's government customers of exposing Dante, saying that the customer was using an older version of Windows spyware that will no longer be supported by Memento by the end of this year.
“Obviously they used an agent that was no longer working,” Rezzi told TechCrunch, citing “agent” as a technical term for spyware that was placed on the target's computer.
“I thought [the government customer] I didn't use it anymore,'' Retzi said.
Lezzi said he did not know which of the company's customers were caught, adding that Memento has already asked all customers to stop using Windows malware. Lezzi said the company had been warning customers that Kaspersky had detected Dante spyware infections starting in December 2024. Memento also added that it plans to send a message to all customers on Wednesday asking them to stop using Windows spyware again.
He also said that Memento currently only develops spyware for mobile platforms. Lezzi said the company also develops zero-days (a security flaw in software unknown to the vendor that can be used to distribute spyware), but its exploits are primarily sourced from outside developers.
Contact Us Do you have more information about Memento Labs or other spyware manufacturers? You can contact Lorenzo Franceschi-Bicchierai securely from any non-work device on Signal (+1 917 257 1382) or on Telegram, Keybase and Wire @lorenzofb, or email.
In an interview with TechCrunch, Kaspersky spokesperson Mai Al Akka declined to say which government Kaspersky believes was behind the espionage operation, but said it was “someone who was able to use the Dante software.”
“This group stands out for its strong command of the Russian language and knowledge of local nuances, characteristics that Kaspersky has observed in other campaigns related to this.” [government-backed] threat. However, occasional errors suggest that the attacker was not a native speaker,” Al Akka told TechCrunch.
Kaspersky Lab has announced in a new report that it has discovered a group of hackers using Dante spyware, which it calls ForumTroll, and is targeting people with invitations to Primakov Readings, a Russian political and economic forum. Kaspersky said the hackers targeted a wide range of Russian industries, including news organizations, universities and government agencies.
Kaspersky Lab's discovery of Dante came after the Russian cybersecurity firm announced it had detected a “wave” of cyberattacks with phishing links exploiting a zero-day in the Chrome browser. Lezzi said the Chrome zero-day was not developed by Memento.
In their report, Kaspersky researchers concluded that Memento “continued to improve” the spyware originally developed by Hacking Team until 2022, after which the spyware “was replaced by Dante.”
Lezzi acknowledged that some “aspects” or “behaviors” of Memento's Windows spyware may be left over from spyware developed by Hacking Team.
A clear sign that the spyware Kaspersky captured belonged to Memento is that the developers are said to have left the word “DANTEMARKER” in the spyware's code, an apparent reference to the name Dante, which Kaspersky said Memento had previously announced at a surveillance technology conference.
Similar to Memento's Dante spyware, some versions of Hacking Team's spyware (codenamed Remote Control System) are named after Italian historical figures, such as Leonardo da Vinci and Galileo Galilei.
history of hacking
In 2019, Lezzi acquired Hacking Team and rebranded it to Memento Labs. Rezzi said he paid the company just 1 euro and started over.
“We want to change absolutely everything,” Memento's owner told Motherboard after the 2019 acquisition. “We're starting from zero.”
A year later, Hacking Team CEO and founder David Vincenzetti announced that Hacking Team was “dead.”
At the time of Hacking Team's acquisition, Rezzi told TechCrunch that the company only had three government customers left, a far cry from the more than 40 government customers Hacking Team had in 2015. That same year, a hacktivist known as Phineas Fisher broke into the company's servers and siphoned off about 400 gigabytes of internal emails, contracts, documents, and spyware source code.
The hack comes after Hacking Team customers in Ethiopia, Morocco, and the United Arab Emirates were caught using the company's spyware to target journalists, critics, and dissidents. After Phineas Fisher published the company's internal data online, journalists revealed that Mexican local governments were using Hacking Team's spyware to target local politicians and selling Hacking Team to countries where human rights abuses occurred, including Bangladesh, Saudi Arabia and Sudan.
Lezzi declined to tell TechCrunch how many customers Memento currently has, but hinted that it has fewer than 100 customers. He also said that only two of Hacking Team's former staff remain current Memento employees.
John Scott-Railton, a senior researcher at the University of Toronto's Citizen Research Institute who has studied spyware abuse for a decade, said the Memento spyware discovery shows that this type of surveillance technology continues to proliferate. It also shows
It's also true that while a controversial company may disappear due to an epic hack or some scandal, a new company with brand new spyware can still rise from the ashes.
“This tells us that we need to maintain fear of the consequences,” Scott-Railton told TechCrunch. “It says a lot that the echoes of the most radioactive, shamed and hacked brands still exist.”