Malware · Used by 3 actors · Exploits 1 CVE

Dante

Dante is a commercial spyware/surveillance platform developed by the Italian company Memento Labs, formerly Hacking Team. Kaspersky identified it in attacks linked to the ForumTroll cluster and traced related activity back to at least 2022, including operations targeting organizations and individuals in Russia and Belarus. Reported targets included media outlets, universities, research centers, government organizations, financial institutions, and individual scholars. Dante was not directly observed in the March 2025 Operation ForumTroll Chrome zero-day intrusion chain, but Kaspersky found it in related attacks and confirmed a direct link where LeetAgent was used to launch Dante.

The malware is described as a modular spyware implant with multiple surveillance and data-exfiltration functions, including keylogging, screenshot capture, file theft, and remote command execution. An orchestrator/controller component manages HTTPS command-and-control, module handling, self-protection, and self-removal. Dante loads encrypted plug-in modules from disk or memory; modules are stored locally, AES-256 encrypted with keys tied to device-unique information such as the CPU identifier and Windows Product ID, which binds each module to the host it was deployed on. It can self-delete if it does not receive commands after a set time.

Dante employs extensive anti-analysis and evasion measures. Reported protections include VMProtect-based code obfuscation, encrypted strings, anti-debugging, anti-sandbox and virtual-machine detection, indirect Windows API calls to reduce detection, and disguising its orchestrator as a font file. Analysts also reported similarities with Hacking Team’s legacy RCS/Da Vinci spyware, including code overlap and lineage indicators. In related ForumTroll-linked operations, shared tradecraft included phishing-based delivery, use of the Chrome zero-day CVE-2025-2783 in some campaigns, COM hijacking for persistence, and overlaps in code, file-system paths, and data hidden in font files. Public reporting attributes Dante to Memento Labs with high confidence, based on malware naming artifacts, version references, and similarities to later Hacking Team RCS samples.
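A triage check a defender can run for the font-file masquerade described above, written here as an added example (it is not code from the Mallory page, Kaspersky, or Memento Labs); the font extension list, the magic values and the constructed MZ/PE header stub are my own assumptions, not artifacts taken from the reporting:

```python
"""Triage check for executables disguised as font files (added example, not
Mallory/Kaspersky/Memento Labs code): Dante's orchestrator is reported to pose
as a font file, so compare each file's claimed type with its leading bytes."""
import struct
from pathlib import Path
from typing import Iterator, Tuple

FONT_EXTENSIONS = {".ttf", ".otf", ".ttc", ".woff", ".woff2"}  # assumed set
FONT_MAGIC = {            # leading bytes of genuine font containers
    b"\x00\x01\x00\x00",  # TrueType (sfnt version 1.0)
    b"OTTO",              # OpenType with CFF outlines
    b"true",              # Apple-flavoured TrueType
    b"ttcf",              # TrueType collection
    b"wOFF", b"wOF2",     # WOFF / WOFF2
}

def is_pe_image(data: bytes) -> bool:
    """True if data is an MZ stub whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def classify(name: str, data: bytes) -> str:
    """Verdict for one file: 'font', 'pe-masquerade', 'unknown' or 'not-a-font-name'."""
    if Path(name).suffix.lower() not in FONT_EXTENSIONS:
        return "not-a-font-name"
    if is_pe_image(data):
        return "pe-masquerade"  # PE image hiding behind a font extension
    return "font" if data[:4] in FONT_MAGIC else "unknown"

def scan(root: str) -> Iterator[Tuple[str, str]]:
    """Yield (path, verdict) for font-named files under root that are not real fonts."""
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in FONT_EXTENSIONS:
            verdict = classify(path.name, path.read_bytes()[:0x1000])
            if verdict != "font":
                yield str(path), verdict

def constructed_pe_stub() -> bytes:
    """Constructed MZ/PE header fragment (not a real executable) used as sample input."""
    hdr = bytearray(0x44)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew -> offset 0x40
    hdr[0x40:0x44] = b"PE\x00\x00"
    return bytes(hdr)
```

Point scan() at a font directory or a user-writable path; a 'pe-masquerade' hit is an executable carrying a font extension, which this family's reported tradecraft makes worth a closer look.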


EXPLOITED CVES

Vulnerabilities exploited

1 CVE correlated with this family across public research and vendor advisories.

CVE-2025-2783: Google Chrome Mojo sandbox escape on Windows (exploited in the wild)

Kaspersky’s technologies successfully identified a sophisticated zero-day exploit that was used to escape Google Chrome’s sandbox. After conducting a quick analysis, we reported the vulnerability to the Google security team, who fixed it as CVE-2025-2783.

via securelist.com
THREAT ACTORS

Groups observed using it

3 distinct threat actors attributed by public researchers.

forumtroll_apt

While analyzing the malware used in these attacks, we discovered an unknown piece of malware that we identified as commercial spyware called “Dante” and developed by the Italian company Memento Labs (formerly Hacking Team).

via securelist.com
Operation ForumTroll

While analyzing that malware, researchers found a previously undiscovered commercial spyware product Memento Labs developed known as “Dante,” according to Kaspersky.

via cyberscoop.com
Hacking Team

Analyzing the old attacks, the researchers found "an unknown piece of malware that we identified as commercial spyware called “Dante” and developed by the Italian company Memento Labs."

via bleepingcomputer.com
MITRE ATT&CK

Techniques & procedures

20 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development

1 technique
T1608.003 Install Digital Certificate (evidence: 1)

“After a successful breach, the malicious link automatically redirected users to the genuine forum website, effectively erasing traces of the attack…”

Initial Access

4 techniques
T1189 Drive-by Compromise (evidence: 3)

No further action was required to initiate the infection; simply visiting the malicious website using Google Chrome or another Chromium-based web browser was enough.

T1566 Phishing (evidence: 1)

Kaspersky said the malware infections occurred when victims clicked on personalized phishing links via email. It was disguised as an invitation from organizers of the scientific and expert forum for Primakov Readings, an international summit on global politics and economics.

T1566.001 Spearphishing Attachment (evidence: 1)

“The campaign began with a precision spear-phishing operation… forging an official conference invitation… The fake invitations were distributed via email… The embedded link directed victims to a cloned website…”

T1566.002 Spearphishing Link (evidence: 1)

In all known cases, infection occurred after the victim clicked a link in a spear phishing email that directed them to a malicious website.

Execution

1 technique
T1203 Exploitation for Client Execution (evidence: 3)

Following the timeline of events and the infection logic, this next stage should have been a remote code execution (RCE) exploit for Google Chrome...

Privilege Escalation

2 techniques
T1068 Exploitation for Privilege Escalation (evidence: 1)

Kaspersky’s technologies successfully identified a sophisticated zero-day exploit that was used to escape Google Chrome’s sandbox... fixed it as CVE-2025-2783.

T1611 Escape to Host (evidence: 1)

“This vulnerability enabled sandbox escape… The initial exploit was solely responsible for escaping the browser sandbox and gaining system privileges…”

Stealth

4 techniques
T1027 Obfuscated Files or Information (evidence: 1)

First of all, the spyware is packed with VMProtect. It obfuscates control flow, hides imported functions, and adds anti-debugging checks. On top of that, almost every string is encrypted.

T1497 Virtualization/Sandbox Evasion (evidence: 2)

It also performs several anti-sandbox checks. It searches for “bad” libraries, measures the execution times of the sleep() function and the cpuid instruction, and checks the file system.

T1564.001 Hidden Files and Directories (evidence: 1)

The orchestrator is decrypted from the resource section and poses as a font file.

T1622 Debugger Evasion (evidence: 1)

Dante uses some common methods to detect debuggers. Specifically, it checks the debug registers (Dr0–Dr7) using NtGetContextThread... and uses NtQueryInformationProcess to detect debugging

Credential Access

1 technique
T1056.001 Keylogging (evidence: 1)

“custom spyware trojan named “Dante”… functions—such as keylogging…”

Discovery

2 techniques
T1497 Virtualization/Sandbox Evasion (evidence: 2)

It also performs several anti-sandbox checks. It searches for “bad” libraries, measures the execution times of the sleep() function and the cpuid instruction, and checks the file system.

T1622 Debugger Evasion (evidence: 1)

Dante uses some common methods to detect debuggers. Specifically, it checks the debug registers (Dr0–Dr7) using NtGetContextThread... and uses NtQueryInformationProcess to detect debugging

Collection

3 techniques
T1005 Data from Local System (evidence: 1)

“Dante… functions—such as… file theft…”

T1056.001 Keylogging (evidence: 1)

“custom spyware trojan named “Dante”… functions—such as keylogging…”

T1113 Screen Capture (evidence: 1)

“Dante… functions—such as… screenshot capture…”

Command and Control

5 techniques
T1001 Data Obfuscation (evidence: 1)

Notably, we saw several minor similarities between this attack and others involving Dante, such as similar file system paths, the same persistence mechanism, data hidden in font files, and other minor details.

T1071.001 Web Protocols (evidence: 2)

The malware connects to one of its C2 servers specified in the configuration and uses HTTPS to receive and execute commands

T1090 Proxy (evidence: 1)

Spent days trying to implement a multi-hop SOCKS5 proxy chain before I even had a working C2 ... What I tried: Dante proxies, 3proxy chains, multi-hop obfuscation, rotating IPs.

T1105 Ingress Tool Transfer (evidence: 2)

The Memento Labs' product additionally enables users to install any software on the computer unnoticed. One description, for instance, mentions the software Dante, which probably is referring to a monitoring tool from Memento Labs.

T1568 Dynamic Resolution (evidence: 1)

“the attackers employed short-lived domain techniques to conceal their real command-and-control (C&C) servers.”

INDICATORS OF COMPROMISE

IOCs tracked for this family

3 indicators attributed across vendor reports, sandbox runs, and researcher write-ups; the indicator values themselves are not shown on this page.

Hashes (3 tracked): file hashes (MD5, SHA-1, SHA-256) from samples and reports.

Type | Latest sighting
hash.md5 | 8 months ago
hash.sha1 | 8 months ago
hash.sha256 | 8 months ago