On Monday, researchers at cybersecurity giant Kaspersky published a report detailing a new spyware called Dante that they say was targeting Windows victims in Russia and neighboring Belarus. The researchers said the Dante spyware is made by Memento Labs, a Milan-based surveillance technology company created in 2019 after a new owner acquired and took over early spyware maker Hacking Team.
Memento CEO Paolo Lezzi confirmed to TechCrunch that the spyware caught by Kaspersky does indeed belong to Memento.
In a call, Lezzi blamed one of the company’s government customers for the Dante disclosure, saying the customer used an outdated version of the Windows spyware that will no longer be supported by Memento by the end of this year.
“Clearly they used an agent that was already dead,” Lezzi told TechCrunch, referring to an “agent” as the technical word for spyware placed on a target’s computer.
“I thought [the government customer] wasn’t even using it anymore,” Lezzi said.
Lezzi, who said he was not sure which of the company’s customers were caught, added that Memento had already asked all of its customers to stop using the Windows malware. Lezzi said the company had warned customers that Kaspersky had detected Dante spyware infections since December 2024. He added that Memento plans to send a message to all its customers on Wednesday asking them once again to stop using the Windows spyware.
He also said Memento currently only develops spyware for mobile platforms. The company also develops some zero-days — meaning security flaws in software unknown to the vendor that can be used to deliver spyware — but the company mostly sources its assets from outside developers, according to Lezzi.
Contact us
Do you have more information about Memento Labs? Or other spyware manufacturers? From a non-work device, Lorenzo Franceschi-Bicchierai can be reached securely on Signal at +1 917 257 1382 or via Telegram, Keybase and Wire @lorenzofb or via email.
When reached by TechCrunch, Kaspersky spokesperson Mai Al Akka would not say which government Kaspersky believed was behind the spying campaign, but said that it was “someone who was able to use the Dante software.”
“The team stands out for its strong command of the Russian language and knowledge of local nuances, features that Kaspersky has noticed in other related [government-backed] threat campaigns. However, occasional errors suggest that the attackers were not native speakers,” Al Akka told TechCrunch.
In its new report, Kaspersky said it found a hacking group using the Dante spyware, which it refers to as “ForumTroll,” and described it targeting people with invitations to the Russian politics and economics forum Primakov Readings. Kaspersky said the hackers targeted a wide range of industries in Russia, including media, universities and government organizations.
Kaspersky’s discovery of Dante came after the Russian cybersecurity firm said it had detected a “wave” of cyberattacks with phishing links exploiting a zero-day in the Chrome browser. Lezzi said the Chrome zero-day was not developed by Memento.
In its report, Kaspersky researchers concluded that Memento “continued to improve” on the spyware originally developed by Hacking Team until 2022, when the spyware was “replaced by Dante.”
Lezzi admitted that it’s possible that some “aspects” or “behaviors” of Memento’s Windows spyware are left over from spyware developed by Hacking Team.
A tell-tale sign that the spyware Kaspersky caught belonged to Memento was that developers allegedly left the word “DANTEMARKER” in the spyware’s code, a clear reference to the name Dante, which Memento had previously disclosed at a surveillance technology conference, according to Kaspersky.
Like Memento’s Dante spyware, some versions of Hacking Team’s spyware, codenamed Remote Control System, were named after historical Italian figures such as Leonardo Da Vinci and Galileo Galilei.
History of hacks
In 2019, Lezzi bought Hacking Team and renamed it Memento Labs. According to Lezzi, he only paid one euro for the company and the plan was to start from scratch.
“We want to change absolutely everything,” Memento’s owner told Motherboard after the acquisition in 2019. “Starting from scratch.”
A year later, Hacking Team CEO and founder David Vincenzetti announced that Hacking Team was “dead.”
Lezzi told TechCrunch that when he acquired Hacking Team, the company had only three government clients remaining, a far cry from the more than 40 government clients Hacking Team had in 2015. That same year, a hacktivist named Phineas Fisher broke into the company’s servers and took approximately 400 gigabytes of internal emails, contracts, documents and the source code for its spyware.
Before the hack, Hacking Team clients in Ethiopia, Morocco and the United Arab Emirates were caught targeting journalists, critics and dissidents using the company’s spyware. Once Phineas Fisher published the company’s internal data online, journalists revealed that a Mexican regional government used Hacking Team’s spyware to target local politicians, and that Hacking Team had sold to countries with human rights abuses, including Bangladesh, Saudi Arabia, and Sudan, among others.
Lezzi declined to tell TechCrunch how many customers Memento currently has, but hinted at fewer than 100 customers. He also said there are only two current Memento employees left from the former Hacking Team staff.
The Memento spyware discovery shows that this type of surveillance technology continues to proliferate, according to John Scott-Railton, a senior researcher who has investigated spyware abuses for a decade at the University of Toronto’s Citizen Lab. It also shows that a controversial company can die because of a spectacular hack and many scandals, and yet a new company with brand new spyware can still rise from its ashes.
“It tells us that we have to maintain the fear of consequences,” Scott-Railton told TechCrunch. “It says a lot that the echoes of the most radioactive, embarrassing and hacked brand still exist.”
