LeetAgent
LeetAgent is a modular spyware/backdoor used in the Operation ForumTroll espionage campaign and traced in related activity since at least 2022. It was delivered in March 2025 via highly targeted phishing emails that led victims in Russia and Belarus to malicious sites exploiting the Google Chrome sandbox escape zero-day CVE-2025-2783; victims were infected by visiting the site with Chrome or another Chromium-based browser. Kaspersky reported the campaign targeted media outlets, universities, research centers, government organizations, financial institutions, and other organizations, with the apparent objective of espionage.
LeetAgent communicates with its command-and-control (C2) servers over HTTPS and supports a broad remote administration and surveillance feature set. Reported capabilities include command execution, process execution, task management, stopping tasks, shellcode injection, file read/write operations, directory changes, configuration changes, termination, background keylogging, and file theft. It specifically searched for and stole common document formats: .doc, .xls, .ppt, .rtf, .pdf, .docx, .xlsx, and .pptx. Its command scheme is notable for using leetspeak-coded commands, which is the basis for its name. Both its configuration and its C2 traffic were described as obfuscated, and reporting noted the use of multiple C2 servers.
In the observed intrusion chain, a malicious DLL loader decrypted and launched LeetAgent. The loader was protected with OLLVM obfuscation, could bind the encrypted payload to a specific machine using its BIOS UUID, activated only inside selected host processes (including rdpclip.exe), and used Donut-generated shellcode to launch the payload. Persistence in the broader ForumTroll chain was achieved through COM hijacking: the attackers registered an override in the user's registry hive (HKCU) for the CLSID {AA509086-5CA9-4C25-8F95-589D3C07B48A}, a COM class normally served by twinapi.dll, so that the per-user entry shadows the machine-wide one and the malicious DLL is loaded in its place. Attackers were reported to use Fastly-hosted infrastructure in many cases both for LeetAgent C2 and for delivery of additional tools such as 7z, Rclone, and SharpChrome.
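The COM hijack above leaves a concrete, hunt-able artifact: a per-user CLSID registration that shadows a machine-wide one. The PowerShell below is an added hunting check written for this page, not code from Kaspersky's report or from the ForumTroll tooling. The only indicator it takes from the page is the twinapi.dll CLSID; the registry paths are the standard COM registration locations (HKCU and HKLM under Software\Classes\CLSID\<clsid>\InprocServer32), and the "unsigned or outside System32" triage filter in the second sweep is a general heuristic for COM hijacks, not something the report states about this sample.

```powershell
# Hunt for COM hijacking via HKCU CLSID shadowing (added example, not from the
# original report). HKCU is the *current* user's hive: run this once per
# interactive user, or load each profile's NTUSER.DAT, to cover a whole host.

# CLSID named in the ForumTroll reporting (class normally served by twinapi.dll).
# Any further entries added to this list are the operator's own choice.
$WatchList = @('{AA509086-5CA9-4C25-8F95-589D3C07B48A}')

function Get-InprocServer {
    # Return the expanded InprocServer32 DLL path for a CLSID in the given hive,
    # or $null if the key or its default value does not exist.
    param([string]$Hive, [string]$Clsid)
    $key  = "${Hive}:\Software\Classes\CLSID\$Clsid\InprocServer32"
    $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $item -or -not $item.'(default)') { return $null }
    $path = [string]$item.'(default)'
    return [Environment]::ExpandEnvironmentVariables($path.Trim('"'))
}

function Test-ComHijack {
    # Compare the per-user and machine-wide registrations for one CLSID and
    # describe the per-user DLL. Returns $null when the user has no override.
    param([string]$Clsid)
    $userDll    = Get-InprocServer -Hive 'HKCU' -Clsid $Clsid
    $machineDll = Get-InprocServer -Hive 'HKLM' -Clsid $Clsid
    if (-not $userDll) { return $null }

    $sig = if (Test-Path -LiteralPath $userDll) {
        (Get-AuthenticodeSignature -FilePath $userDll).Status
    } else { 'Missing' }

    [pscustomobject]@{
        Clsid       = $Clsid
        UserDll     = $userDll
        MachineDll  = $machineDll
        # A per-user entry that overrides an existing machine-wide class is the
        # classic hijack shape: a trusted process resolves the CLSID and gets
        # the attacker's DLL instead of the system one.
        Shadowing   = [bool]$machineDll
        InSystemDir = $userDll -like "$env:SystemRoot\System32\*"
        Signature   = $sig
    }
}

# 1) Targeted check: the CLSID from the ForumTroll reporting.
$WatchList |
    ForEach-Object { Test-ComHijack -Clsid $_ } |
    Where-Object { $_ } |
    Format-List

# 2) Broader sweep: every CLSID this user has overridden that also exists
#    machine-wide, keeping hits whose DLL is unsigned or lives outside System32.
Get-ChildItem 'HKCU:\Software\Classes\CLSID' -ErrorAction SilentlyContinue |
    ForEach-Object { Test-ComHijack -Clsid $_.PSChildName } |
    Where-Object { $_ -and $_.Shadowing -and
                   (-not $_.InSystemDir -or $_.Signature -ne 'Valid') } |
    Format-Table Clsid, UserDll, Signature -AutoSize
```

Per-user COM registration on its own is normal (some desktop software installs entirely under HKCU), which is why the sweep keys on shadowing of a CLSID that already exists in HKLM. A hit for the watch-listed CLSID is worth escalating regardless of where the DLL sits; for the general sweep, treat each result as a lead to review, not a verdict.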
LeetAgent is closely associated with the more advanced Dante spyware platform and has at times acted as a loader for Dante. Multiple reports state that the tooling is linked to or attributed with high confidence to Memento Labs, the Italian company formerly known as Hacking Team, based on code and operational overlaps with Dante and legacy Hacking Team RCS lineage. The threat actor operating the campaign is tracked by Kaspersky as ForumTroll; however, some reporting notes that the ultimate operator or commissioner of the operations remains unknown.
Vulnerabilities exploited
One CVE has been correlated with this family across public research and vendor advisories: CVE-2025-2783, the Chrome sandbox escape described above.
LeetAgent is the spyware used in the Operation ForumTroll campaign. We named it LeetAgent because all of its commands are written in leetspeak.
Groups observed using it
Two distinct threat actors have been attributed by public researchers.
A zero-day vulnerability in Google Chrome, identified as CVE-2025-2783, was recently exploited in the wild to deliver the LeetAgent spyware. This…
Techniques & procedures
10 distinct techniques documented for this family, organized by ATT&CK tactic (the five tactics listed account for nine of them):
Initial Access: 2 techniques
Execution: 2 techniques
Privilege Escalation: 2 techniques
Credential Access: 1 technique
Collection: 2 techniques
IOCs tracked for this family
3 indicators attributed across vendor reports, sandbox runs, and researcher write-ups: file hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
15 sources tracked across advisories, community write-ups, and news.
A backdoor malware used by Operation ForumTroll to provide persistent remote access to compromised systems.
LeetAgent is spyware deployed as a payload following successful exploitation of Chrome zero-day vulnerabilities, specifically used in targeted espionage campaigns such as Operation ForumTroll. It is designed to compromise victim systems after browser sandbox escape, enabling surveillance and data exfiltration.
Backdoor implant used in Operation ForumTroll to provide malicious access to victim systems.
LeetAgent is a backdoor delivered via phishing campaigns exploiting a Chrome zero-day, providing remote access to compromised systems.