Dante
Dante is a commercial Windows spyware platform developed by the Italian company Memento Labs, the rebranded successor to Hacking Team. Kaspersky identified it in attacks linked to the ForumTroll threat cluster and reported that it had been used in operations dating back to at least 2022, including targeting organizations and individuals in Russia and Belarus such as government bodies, media outlets, universities, research centers, and financial institutions. In reporting on Operation ForumTroll, Dante is described as a sophisticated surveillance implant associated with Memento Labs’ broader tooling alongside the LeetAgent backdoor; some reporting states LeetAgent was used to introduce or load Dante in related attacks, while Kaspersky also noted Dante was observed in other attacks linked to the same group rather than directly in the March 2025 Chrome zero-day campaign.
High-confidence capabilities described for Dante include keylogging, screenshot capture, file theft and broader data exfiltration, and remote command execution. It is modular: an orchestrator component decrypts and loads encrypted plug-in modules from disk or memory. Modules are stored locally in encrypted form, with reporting citing AES/AES-256 protection keyed to device-unique host information such as the CPU identifier and the Windows Product ID, so a module copied off the infected host cannot be decrypted elsewhere. Dante’s command-and-control communications are described as encrypted and disguised as legitimate HTTPS-like traffic. It also includes persistence mechanisms, with reporting noting overlap in persistence tradecraft with ForumTroll activity, including COM hijacking in related operations.
Dante is heavily engineered for evasion and anti-analysis. Reported protections include VMProtect-based code obfuscation, encrypted strings, indirect Windows API invocation to reduce detection, anti-debugging, anti-sandbox and anti-VM checks, and self-protection logic. Its orchestrator has been described as disguised as a font file, and data hidden in font files was noted as an overlap between Dante-related attacks and ForumTroll activity. Dante can self-delete if it does not receive commands after a defined period. Researchers also reported similarities between Dante and Hacking Team’s legacy RCS/Da Vinci spyware, including code overlap and a continued focus on stealth and modular surveillance functionality.
Associated intrusion activity described in the source material includes spear-phishing campaigns using personalized lures, including forged Primakov Readings invitations, and in broader ForumTroll operations exploitation of Google Chrome zero-day CVE-2025-2783 to compromise Windows systems. Reported indicators and traits include COM hijacking persistence, encrypted local modules, orchestrator components masquerading as font files, and detection opportunities based on a unique call stack signature referenced in detection content.
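Two of the traits above are directly checkable on a host: an orchestrator masquerading as a font file, and data hidden in font files. The following is an added hunting helper, not code from Kaspersky's or Mallory's reporting; it flags files under font extensions whose bytes are actually a PE image rather than a TrueType/OpenType container. The sample bytes are constructed for the demonstration and are not real malware.

```python
import os
import struct

# Magic values that genuine font containers begin with (TrueType, OpenType/CFF, collection, Apple "true").
FONT_MAGICS = {b"\x00\x01\x00\x00", b"OTTO", b"ttcf", b"true"}
# Legacy .fon bitmap fonts are legitimately MZ/NE executables, so they are deliberately excluded.
FONT_EXTENSIONS = (".ttf", ".otf", ".ttc")

def is_pe_image(data: bytes) -> bool:
    # A PE image starts with a DOS "MZ" stub whose e_lfanew (offset 0x3C) points at "PE\0\0".
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # Reject offsets that fall outside the bytes we read or leave no room for the signature.
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def classify_font_blob(data: bytes) -> str:
    # Verdicts: "font" (real container), "pe-masquerade" (executable under a font name), "unknown".
    if is_pe_image(data):
        return "pe-masquerade"
    if data[:4] in FONT_MAGICS:
        return "font"
    return "unknown"

def triage_font_files(blobs: dict) -> dict:
    # Map file name -> verdict for every blob that is not a genuine font; real fonts are dropped.
    results = {}
    for name, blob in blobs.items():
        verdict = classify_font_blob(blob)
        if verdict != "font":
            results[name] = verdict
    return results

def scan_font_dir(path: str) -> dict:
    # Walk a directory (e.g. a user profile) and triage every font-extension file found.
    blobs = {}
    for root, _, names in os.walk(path):
        for name in names:
            if name.lower().endswith(FONT_EXTENSIONS):
                full = os.path.join(root, name)
                with open(full, "rb") as fh:
                    blobs[full] = fh.read(0x1000)  # the header region is enough for both checks
    return triage_font_files(blobs)

def build_fake_pe() -> bytes:
    # Constructed sample: a minimal MZ stub with e_lfanew -> 0x40 followed by a PE signature.
    header = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 20
```

An "unknown" verdict (neither font magic nor PE) is worth a second look too, since encrypted modules stored under a font name will not match either signature.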
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories.
Kaspersky researchers said that the malware delivery was done by exploiting CVE-2025-2783, a sandbox escape zero-day in the Chrome browser.
Groups observed using it
2 distinct threat actors attributed by public researchers.
While analyzing that malware, researchers found a previously undiscovered commercial spyware product Memento Labs developed known as “Dante,” according to Kaspersky.
Analyzing the old attacks, the researchers found "an unknown piece of malware that we identified as commercial spyware called “Dante” and developed by the Italian company Memento Labs."
Techniques & procedures
15 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique
“After a successful breach, the malicious link automatically redirected users to the genuine forum website, effectively erasing traces of the attack…”
Initial Access
3 techniques
No further action was required to initiate the infection; simply visiting the malicious website using Google Chrome or another Chromium-based web browser was enough.
Kaspersky said the malware infections occurred when victims clicked on personalized phishing links via email. It was disguised as an invitation from organizers of the scientific and expert forum for Primakov Readings, an international summit on global politics and economics.
“The campaign began with a precision spear-phishing operation… forging an official conference invitation… The fake invitations were distributed via email… The embedded link directed victims to a cloned website…”
Execution
1 technique
The campaign exploited a zero-day (or previously unknown and unpatched) vulnerability in Google Chrome. Google patched the vulnerability after it was alerted, Kaspersky said.
Privilege Escalation
1 technique
“This vulnerability enabled sandbox escape… The initial exploit was solely responsible for escaping the browser sandbox and gaining system privileges…”
Stealth
1 technique
Credential Access
1 technique
Discovery
1 technique
Collection
3 techniques
Command and Control
5 techniques
Notably, we saw several minor similarities between this attack and others involving Dante, such as similar file system paths, the same persistence mechanism, data hidden in font files, and other minor details.
“Its communication traffic was heavily encrypted and disguised as legitimate HTTPS traffic to evade network-level detection.”
Memento Labs' product additionally enables users to install any software on the computer unnoticed. One description, for instance, mentions the software Dante, which probably is referring to a monitoring tool from Memento Labs.
“the attackers employed short-lived domain techniques to conceal their real command-and-control (C&C) servers.”
Recent activity
17 sources tracked across advisories, community write-ups, and news.
Custom spyware trojan used as the final payload in Operation ForumTroll, providing surveillance and data exfiltration (keylogging, screenshots, file theft) plus remote command execution; uses encrypted C2 traffic disguised as legitimate HTTPS.
Spyware developed by Memento Labs, used in cyber-espionage operations by ForumTroll group.
Spyware developed by Memento Labs, used for surveillance and data exfiltration in targeted attacks.
Commercially-developed spyware implant (attributed here to Memento Labs/former Hacking Team) used in Operation ForumTroll.