On Monday, researchers from cybersecurity giant Kaspersky published a report identifying new spyware called Dante that they say targeted Windows victims in Russia and neighboring Belarus. Researchers said the Dante spyware is made by Memento Labs, a Milan-based surveillance technology maker that was formed in 2019 after a new owner acquired and took over Hacking Team, one of the first spyware manufacturers.
Memento CEO Paolo Lezzi confirmed to TechCrunch that the spyware detected by Kaspersky does indeed belong to Memento.
In a call, Lezzi blamed one of the company’s government clients for exposing Dante, saying the client used an outdated version of Windows spyware that Memento will no longer support later this year.
“They clearly used an agent that was already dead,” Lezzi told TechCrunch, using “agent,” the technical term for spyware placed on the target’s computer.
“I thought [the government customer] didn’t even use it anymore,” Lezzi said.
Lezzi, who said he was not sure which of the company’s customers were caught, added that Memento had already requested that all of its customers stop using the Windows malware. Lezzi said the company had warned customers that Kaspersky had detected Dante spyware infections since December 2024. He added that Memento plans to send a message to all its customers on Wednesday asking them once again to stop using its spyware for Windows.
He also said that Memento currently only develops spyware for mobile platforms. The company also develops some zero-days, that is, security flaws in software unknown to the vendor that can be used to deliver spyware, although, according to Lezzi, the company primarily sources its exploits from third-party developers.
When contacted by TechCrunch, Kaspersky spokesperson Mai Al Akka would not say which government Kaspersky believes is behind the spying campaign, but said it was “someone who may have used the Dante software.”
“The group stands out for its strong command of Russian and knowledge of local nuances, traits that Kaspersky observed in other campaigns linked to this [government-backed] threat. However, occasional errors suggest that the attackers were not native speakers,” Al Akka told TechCrunch.
In its new report, Kaspersky said it found Dante spyware being used by a group of hackers it refers to as “ForumTroll,” a name that describes how the group targeted people with invitations to the Russian politics and economics forum Primakov Readings. Kaspersky said the hackers targeted a wide range of industries in Russia, including media outlets, universities and government organizations.
Kaspersky’s discovery of Dante came after the Russian cybersecurity firm said it detected a “wave” of cyberattacks with phishing links exploiting a zero-day in the Chrome browser. Lezzi said that Chrome zero-day was not developed by Memento.
In their report, Kaspersky researchers concluded that Memento “continued to improve” the spyware originally developed by Hacking Team until 2022, when the spyware was “replaced by Dante.”
Lezzi admitted that some “aspects” or “behaviors” of Memento’s Windows spyware may have been left over from the spyware developed by Hacking Team.
A telltale sign that the spyware captured by Kaspersky belonged to Memento was that the developers allegedly left the word “DANTEMARKER” in the spyware code, a clear reference to the name Dante, which Memento had previously publicly revealed at a surveillance technology conference, according to Kaspersky.
Like Memento’s Dante spyware, some versions of Hacking Team’s spyware, codenamed Remote Control System, were named after Italian historical figures, such as Leonardo Da Vinci and Galileo Galilei.
A history of hacks
In 2019, Lezzi bought Hacking Team and renamed it Memento Labs. According to Lezzi, he paid only one euro for the company and the plan was to start over.
“We want to change absolutely everything,” the owner of Memento told Motherboard after the acquisition in 2019. “We started from scratch.”
A year later, Hacking Team CEO and founder David Vincenzetti announced that Hacking Team was “dead.”
Lezzi told TechCrunch that when he acquired Hacking Team, the company had only three government clients left, a far cry from the more than 40 government clients Hacking Team had in 2015. That same year, a hacktivist named Phineas Fisher broke into the startup’s servers and siphoned off about 400 gigabytes of internal emails, contracts, documents and the source code of its spyware.
Before the hack, Hacking Team clients in Ethiopia, Morocco, and the United Arab Emirates were caught targeting journalists, critics and dissidents using the company’s spyware. Once Phineas Fisher posted the company’s internal data online, journalists revealed that a Mexican regional government used Hacking Team’s spyware to target local politicians, and that Hacking Team had sold it to countries with records of human rights abuses, including Bangladesh, Saudi Arabia, and Sudan, among others.
Lezzi declined to tell TechCrunch how many customers Memento currently has, but implied it was fewer than 100 customers. He also said that only two current Memento employees remain from the former Hacking Team staff.
The discovery of Memento spyware shows that this type of surveillance technology continues to proliferate, according to John Scott-Railton, a senior researcher who has investigated spyware abuses for a decade at the University of Toronto’s Citizen Lab. It also shows that a controversial company can die from a spectacular hack and several scandals, and yet a new company with completely new spyware can still rise from the ashes.
“It tells us to maintain fear of consequences,” Scott-Railton told TechCrunch. “It says a lot that there are still echoes of the most radioactive, shameful and pirated brand.”
