How ForumTroll APT was linked to Dante spyware

Oct. 27, 2025, 10:39 a.m.

Description

Kaspersky researchers uncovered a sophisticated attack campaign dubbed Operation ForumTroll, targeting organizations in Russia and Belarus. The campaign used a zero-day exploit for a Google Chrome vulnerability (CVE-2025-2783) to deliver spyware. Further investigation revealed connections to previously unknown commercial spyware called Dante, developed by Memento Labs (formerly Hacking Team). The researchers traced the malware back to 2022 and found similarities in code and tactics between the ForumTroll campaign and Dante spyware attacks. The discovery sheds light on the continued operations of the rebranded Hacking Team and its new surveillance tool.

Date

  • Created: Oct. 27, 2025, 8:11 a.m.
  • Published: Oct. 27, 2025, 8:11 a.m.
  • Modified: Oct. 27, 2025, 10:39 a.m.

Indicators

  • 388a8af43039f5f16a0673a6e342fa6ae2402e63ba7569d20d9ba4894dc0ba59
  • 2e39800df1cafbebfa22b437744d80f1b38111b471fa3eb42f2214a5ac7e1f13
  • 07d272b607f082305ce7b1987bfa17dc967ab45c8cd89699bcdced34ea94e126

Attack Patterns

Additional Information

  • Media
  • Education
  • Finance
  • Government
  • Belarus
  • Russian Federation

Linked vulnerabilities