Memento Labs Chief Confirms Company's Spyware Found in Russian Cyberattack

Paolo Lezzi, who leads the Italian surveillance company Memento Labs (formerly Hacking Team), has confirmed to media outlets that researchers from Kaspersky Lab correctly identified his company's spyware in recent attacks. The malware, called Dante, appeared in a sophisticated campaign targeting Russian organizations. Lezzi's response included an accusation against one of his government clients, claiming they exposed the spyware by using an outdated version against his company's recommendations.

The Hacking Team Legacy

Memento Labs carries the controversial history of its predecessor. Hacking Team, founded in 2003, became one of the earliest commercial spyware manufacturers serving government agencies. Their flagship product, Remote Control Systems (RCS), found customers among law enforcement and intelligence services across multiple countries.

The company's reputation collapsed in 2015 following a devastating security breach. Hackers infiltrated Hacking Team's systems and released over 400 gigabytes of internal data. This leak included the complete source code for their spyware, internal communications, financial records, and customer lists.

The leaked documents revealed troubling details about Hacking Team's business practices. The company had sold surveillance tools to governments with documented human rights violations. Internal emails showed awareness that their software was being used to target journalists, activists, and political dissidents. The leak sparked investigations in multiple countries and damaged the company's credibility.

In 2019, the InTheCyber Group acquired Hacking Team and rebranded it as Memento Labs. This name change attempted to distance the operation from its tainted history, but the core business model—selling surveillance tools to governments—remained unchanged.

Discovery of Dante Spyware

Kaspersky Lab researchers recently published findings about Dante, representing the first documented real-world deployment of Memento Labs' spyware. The discovery came through analysis of "Operation Forum Troll," a targeted campaign against employees working at Russian organizations.

The operation began in March 2025 when attackers launched a sophisticated phishing campaign. They sent personalized emails to employees at media companies, government agencies, educational institutions, and financial organizations across Russia. The emails invited recipients to participate in the "Primakov Readings" forum—a real annual conference focused on international relations and foreign policy.

The attackers crafted convincing messages that referenced the legitimate forum. This social engineering approach increased the likelihood that targets would engage with the malicious content. Recipients who clicked links or opened attachments triggered an infection chain that exploited vulnerabilities in their systems.

The Technical Attack Chain

The operation demonstrated technical sophistication. Attackers deployed multiple exploits, including a zero-day vulnerability in the Chrome browser tracked as CVE-2025-2783. Zero-day vulnerabilities—security flaws unknown to the software vendor—provide attackers with a window of opportunity before patches become available.

The Chrome exploit allowed attackers to execute code on victims' systems despite the browser's security protections. Once initial access was established, the attackers deployed the Dante spyware to maintain persistent access and extract data from compromised systems.

During their investigation, Kaspersky researchers identified characteristics that matched spyware demonstrated by Memento Labs at the ISS World MEA conference in 2023. ISS World conferences cater specifically to law enforcement, intelligence agencies, and military organizations interested in surveillance technologies. Vendors showcase their latest tools at these events, which are closed to public attendance.

The researchers connected technical indicators from the attacks to capabilities Memento Labs had publicly presented, leading to their identification of Dante as a Memento Labs product.

Paolo Lezzi's Response

When TechCrunch contacted Memento Labs for comment, Paolo Lezzi confirmed that Dante belongs to his company. However, his statement focused on shifting blame to an unnamed government client rather than addressing broader questions about his company's products being used in attacks.

Lezzi claimed he doesn't know which specific client Kaspersky researchers caught using Dante. According to him, the client deployed an outdated version of the Windows spyware that Memento Labs no longer supports. The company plans to end all support for this version by the end of this year.

"Apparently, they used an agent that was already 'dead.' I thought [government clients] weren't using it at all anymore," Lezzi stated.

This explanation raises several questions. If Memento Labs believed clients had stopped using this version, why did it remain active in attacks discovered in March 2025? The statement suggests either poor communication with clients or clients deliberately ignoring the company's recommendations.

The Timeline of Warnings

Lezzi revealed that Memento Labs had asked all clients to stop using the Windows version of Dante back in December 2024. This request came after Kaspersky Lab first detected Dante infections—suggesting the researchers had found earlier instances of the spyware before publicly disclosing their findings in 2025.

Despite that December 2024 warning, at least one government client continued using the Windows spyware through March 2025—three months after being told to stop. Memento Labs now plans to send another notice requesting clients completely abandon this version.

This sequence of events demonstrates a lack of control over how clients deploy purchased surveillance tools. Once spyware is sold to a government agency, the vendor apparently cannot force that client to stop using it, even when continued use risks exposing the tool's capabilities.

Connections to the Original Hacking Team

During his conversation with journalists, Lezzi acknowledged that some "aspects and behaviors" of the Windows Dante spyware draw from Hacking Team's original software. This makes sense given the company's history—Memento Labs inherited Hacking Team's code base, expertise, and approach.

Only two employees from the original Hacking Team remain at Memento Labs, according to Lezzi. He declined to specify the exact number of current clients but indicated the company serves fewer than 100 government agencies.

This client count provides context for the commercial spyware industry's scale. Even a relatively small vendor like Memento Labs maintains relationships with dozens of government clients across multiple countries. Each of those clients can deploy the spyware in operations against targets of its own choosing.

Current Development Focus

Lezzi stated that Memento Labs now develops spyware exclusively for mobile platforms. This shift reflects broader trends in the surveillance industry. Mobile devices have become primary communication tools for most people, making them valuable targets for intelligence gathering.

Desktop and laptop computers still matter for certain types of work, but smartphones and tablets contain text messages, call logs, location data, photos, social media communications, and countless other data points that reveal detailed information about people's lives, relationships, and activities.

Zero-Day Vulnerabilities and Third-Party Exploits

Memento Labs shows interest in zero-day vulnerabilities for delivering spyware to targets. However, Lezzi said his company primarily obtains exploits from third-party developers rather than discovering vulnerabilities itself.

This business model is common in the commercial surveillance industry. Companies like Zerodium, Crowdfense, and others operate as exploit brokers, purchasing zero-day vulnerabilities from security researchers and reselling them to government clients or surveillance vendors. These brokers pay substantial sums—often hundreds of thousands or millions of dollars—for vulnerabilities affecting widely used software.

Lezzi specifically emphasized that the Chrome zero-day vulnerability (CVE-2025-2783) used in "Operation Forum Troll" was not developed by Memento Labs. This statement distances his company from the specific exploit while acknowledging that Dante was the payload delivered after exploitation succeeded.

Attribution Questions and Language Analysis

Kaspersky Lab did not attribute the Dante attacks to specific countries or threat groups. Attribution in cybersecurity requires substantial evidence linking attacks to particular actors. The researchers apparently lack sufficient data to make definitive attribution claims.

However, Kaspersky's report included interesting observations about the attackers' language skills. The phishing emails and other operation components demonstrated good command of Russian and knowledge of local context—the choice of the Primakov Readings forum as a lure shows understanding of Russian foreign policy circles and which organizations would find such an invitation credible.

Despite this proficiency, some mistakes indicated the attackers were not native Russian speakers. These linguistic clues suggest the operation was conducted by foreign intelligence services targeting Russian organizations rather than domestic actors.

My Assessment of These Developments

In my opinion, this incident exposes fundamental problems with the commercial spyware industry. Memento Labs sells powerful surveillance tools to government clients, then loses control over how those tools are used and when clients discontinue them.

Per Lezzi's statements, his company asked clients to stop using the Windows version of Dante in December 2024, yet the spyware remained active in attacks through at least March 2025. This demonstrates that vendors cannot enforce responsible use policies once they've sold their products.

The Accountability Gap

Commercial spyware vendors typically claim they sell only to legitimate government agencies for lawful purposes. However, this claim becomes meaningless if vendors cannot control what clients do with purchased tools.

Memento Labs apparently has no mechanism to remotely disable spyware instances or prevent clients from continuing to use versions the company no longer supports. This creates situations where outdated, potentially more detectable versions remain deployed in active operations.

Furthermore, Lezzi's response focused on blaming the client for using an old version rather than addressing whether the attack itself was appropriate. This deflection is typical in the commercial spyware industry—vendors distance themselves from how their products are used while continuing to profit from sales.

The Hacking Team Shadow

The 2015 Hacking Team breach should have destroyed the company. The leaked documents showed sales to repressive governments, targeting of journalists and activists, and internal awareness of human rights abuses enabled by their software. Yet the company survived through acquisition and rebranding.

Memento Labs inherited not just Hacking Team's technology but also its ethical baggage. The acknowledgment that Dante borrows "aspects and behaviors" from Hacking Team software means the new product carries forward approaches developed during the controversial original company's operation.

Only two original Hacking Team employees remain, but the institutional knowledge and codebase persist. This raises questions about whether a company can meaningfully reform when it maintains continuity with its problematic past.

Practical Implications

For Organizations

The Operation Forum Troll campaign demonstrates the sophistication of attacks leveraging commercial spyware. Several lessons emerge:

  1. Spear-phishing remains effective: The attackers used personalized invitations to a real conference. This social engineering succeeded despite growing awareness of phishing risks.
  2. Zero-day vulnerabilities enable access: The Chrome exploit bypassed standard security protections. Organizations cannot patch vulnerabilities they don't know exist.
  3. Multiple sectors face targeting: Media, government, education, and finance sectors all received attacks. Commercial spyware doesn't limit itself to traditional intelligence targets.
  4. Geographic boundaries don't protect: The attackers targeted Russian organizations using Italian-made spyware, possibly deployed by a third country's intelligence service.

Defensive Measures

Organizations concerned about commercial spyware should implement several protective steps:

Email Security: Deploy advanced threat protection that analyzes attachments and links before delivering messages. Train employees to verify unexpected invitations, even when they reference legitimate events.

Browser Isolation: Technologies that render web content in isolated environments can prevent exploits from compromising the underlying system.

Endpoint Detection and Response: EDR tools can identify suspicious behavior patterns associated with spyware, even when the specific malware variant is unknown.

Network Monitoring: Watch for unusual outbound connections, especially encrypted traffic to unfamiliar destinations that could indicate command-and-control communication.

Patch Management: While zero-days bypass this defense, keeping systems updated prevents exploitation of the known vulnerabilities that attackers often chain with initial access.

Least Privilege: Limiting user permissions reduces the damage spyware can cause even if initial infection succeeds.
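The Network Monitoring advice above is easier to act on with a concrete check. The script below is an added example written for this article; it is not code from Kaspersky's report, from Memento Labs, or from the original post, and the log format, hostnames, allowlist and thresholds are all constructed for illustration. It reads outbound connection records, ignores destinations on a known-good allowlist, and flags a source/destination pair when the TLS connections recur at near-constant intervals, the beacon-like pattern that distinguishes automated command-and-control check-ins from human browsing.

```python
"""
Added example (not from the original article or Kaspersky's report):
a small egress-log triage script for the "Network Monitoring" advice.
It flags outbound TLS (port 443) connections to destinations that are
not on a known-good allowlist and that recur at suspiciously regular
intervals. Log format, hostnames and the allowlist are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample of outbound connection records (proxy/firewall style):
# timestamp, source host, destination host, destination port, bytes sent.
SAMPLE_LOG = """\
2025-03-12T09:00:00 ws-017 mail.example-corp.internal 443 1820
2025-03-12T09:00:02 ws-017 updates.example-vendor.com 443 5120
2025-03-12T09:00:05 ws-017 cdn-edge-4471.example-unknown.net 443 612
2025-03-12T09:05:05 ws-017 cdn-edge-4471.example-unknown.net 443 598
2025-03-12T09:10:06 ws-017 cdn-edge-4471.example-unknown.net 443 633
2025-03-12T09:15:05 ws-017 cdn-edge-4471.example-unknown.net 443 601
2025-03-12T09:20:04 ws-017 cdn-edge-4471.example-unknown.net 443 590
2025-03-12T09:03:11 ws-017 www.example-news.org 443 40211
2025-03-12T09:17:48 ws-017 www.example-news.org 443 38009
2025-03-12T09:44:02 ws-017 www.example-news.org 443 41578
2025-03-12T09:20:00 ws-022 mail.example-corp.internal 443 2044
"""

# Constructed allowlist of destinations the organization already knows about.
ALLOWLIST = {"mail.example-corp.internal", "updates.example-vendor.com"}


def parse_log(text):
    """Parse whitespace-separated records into (datetime, src, dst, port, bytes) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(port), int(nbytes)))
    return records


def beacon_score(timestamps):
    """Return (mean gap in seconds, coefficient of variation) for a set of timestamps.

    A low coefficient of variation means the connections are evenly spaced,
    which is typical of an automated check-in rather than a person browsing.
    Returns None when there are too few gaps to judge.
    """
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    m = mean(gaps)
    if m <= 0:
        return None
    return m, pstdev(gaps) / m


def find_suspicious_egress(records, allowlist, min_hits=4, max_cv=0.2, tls_port=443):
    """Flag (src, dst) pairs with >= min_hits TLS connections to a non-allowlisted
    destination whose timing jitter (coefficient of variation) is at most max_cv."""
    by_pair = defaultdict(list)
    for ts, src, dst, port, _nbytes in records:
        if port == tls_port and dst not in allowlist:
            by_pair[(src, dst)].append(ts)

    findings = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_hits:
            continue
        score = beacon_score(times)
        if score is None:
            continue
        mean_gap, cv = score
        if cv <= max_cv:
            findings.append({
                "src": src,
                "dst": dst,
                "hits": len(times),
                "mean_interval_s": round(mean_gap),
                "jitter_cv": round(cv, 3),
            })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_egress(parse_log(SAMPLE_LOG), ALLOWLIST):
        print(finding)
```

On the constructed sample, only the five-minute check-ins from ws-017 to the unfamiliar host are reported; the news site is visited too rarely and too irregularly, and the allowlisted mail and update hosts are never considered. Two caveats matter in practice: legitimate software updaters also beacon on fixed schedules, so the allowlist has to be maintained rather than assumed, and an implant that adds random jitter to its sleep interval will push the coefficient of variation above a tight threshold, so the `max_cv` value should be tuned against the organization's own baseline instead of taken from this example.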

For the Broader Security Community

This incident highlights the value of threat research and public disclosure. Kaspersky Lab's investigation exposed previously unknown spyware and connected it to its vendor. This transparency puts pressure on commercial surveillance companies and informs potential targets about threats they face.

Security researchers should continue investigating commercial spyware operations. Each disclosure makes these tools less effective by revealing their techniques and forcing vendors to develop new capabilities—a process that requires time and resources.

The Zero-Day Market Problem

Lezzi's acknowledgment that Memento Labs purchases exploits from third-party developers points to a larger issue. A thriving market exists for security vulnerabilities, with exploit brokers paying researchers substantial sums for discoveries.

This market creates perverse incentives. Researchers who find vulnerabilities face a choice: report them to vendors for modest or no payment, allowing patches that protect everyone, or sell them to brokers for significant money, knowing they'll be used in attacks.

Some researchers argue they deserve compensation for their work. Vendors often pay little or nothing for vulnerability reports through bug bounty programs. Exploit brokers offer life-changing sums—$1 million or more for valuable zero-days.

However, this market enables surveillance and attacks. Every zero-day sold to brokers eventually gets used against someone. The Chrome vulnerability in Operation Forum Troll might have been reported to Google and patched if financial incentives hadn't encouraged selling it instead.

Regulatory and Policy Questions

The commercial spyware industry operates with minimal oversight in most countries. Vendors sell powerful surveillance tools to government clients with few restrictions on which governments qualify as customers or what uses are prohibited.

Some efforts at regulation have emerged. The United States added NSO Group and other surveillance vendors to trade restriction lists. The European Union has discussed export controls on surveillance technology. However, enforcement remains weak, and companies often relocate or restructure to evade restrictions.

Memento Labs' rebranding from Hacking Team demonstrates how easily companies can shed negative associations and continue operations. Stronger accountability mechanisms could require:

  • Transparency about client lists and use cases
  • Independent audits of how sold tools are deployed
  • Liability for misuse of sold surveillance capabilities
  • Export restrictions preventing sales to governments with poor human rights records
  • Kill switches allowing vendors to disable misused spyware

The industry opposes such measures, arguing they would undermine legitimate law enforcement and intelligence operations. This tension between security services' operational needs and preventing human rights abuses remains unresolved.

Looking Forward

Commercial spyware will continue evolving. Memento Labs' shift to mobile platforms reflects where surveillance opportunities exist. As people increasingly conduct their lives through smartphones, those devices become prime intelligence gathering targets.

The exploit market will keep feeding sophisticated attacks. As long as substantial payments are available for zero-day vulnerabilities, researchers will sell them, and vendors will purchase them for clients.

Public disclosure of spyware operations—like Kaspersky's Dante research—provides one check on this industry. When specific tools are identified and analyzed, targets can better defend themselves, and vendors face reputational costs.

However, disclosure alone cannot solve the fundamental problem: powerful surveillance tools are available for purchase by any government willing to pay, with minimal accountability for how those tools are used.

Final Thoughts

The Dante spyware incident reveals the commercial surveillance industry's current state. Companies inherit controversial predecessors' technology, rebrand to escape negative associations, sell powerful tools to government clients, then lose control over how those tools are deployed.

Paolo Lezzi's response—confirming his company's spyware was caught in attacks but blaming clients for using outdated versions—encapsulates the accountability gap at the industry's center. Vendors profit from sales while disclaiming responsibility for use.

Until meaningful oversight and enforcement mechanisms exist, this pattern will continue. Commercial spyware vendors will keep developing and selling surveillance tools. Government clients will deploy those tools against chosen targets. Occasionally, security researchers will discover and expose these operations. And the cycle will repeat.

Organizations and individuals who might be targeted should assume commercial spyware represents part of the threat landscape they face. Defensive measures cannot guarantee protection against zero-day exploits and sophisticated surveillance tools, but layered security makes attacks more difficult and expensive to execute.

The commercial spyware industry thrives in the shadows. Every leak like the 2015 Hacking Team breach, every disclosure like Kaspersky's Dante research, brings more light to these operations. That transparency may be the best tool available for pressuring the industry toward more responsible practices.