In the dark web of espionage, tools rarely stay loyal to their origin. What begins as a product of one nation’s intelligence market often drifts into the hands of its adversaries — reshaped, rebranded, and reactivated. That appears to be the case once again.
This week, Russian cybersecurity analysts uncovered a series of targeted intrusions involving Dante, a highly sophisticated spyware framework engineered by Memento Labs, an Italian surveillance firm previously known as the notorious Hacking Team. The malware, long marketed to state agencies under the banner of “lawful interception,” has resurfaced deep inside compromised networks in Russia and Belarus — two countries rarely on the receiving end of Western surveillance tech.
The discovery, made by researchers examining the activity of a threat group identified as ForumTroll, reveals what appears to be the first confirmed field use of Dante since it was quietly introduced to intelligence buyers in 2023.
THE BREACH IN THE SPYWARE SUPPLY CHAIN
The analysis traces ForumTroll’s activity back to early 2025, when the group began a series of espionage attacks targeting Russian media, universities, research centers, and government institutions.
The phishing lures carried a familiar social engineering signature: invitations to a prestigious scientific forum — the kind of deception designed to appear routine within the Russian academic ecosystem.
Victims who clicked the forged links were silently redirected to a malicious server exploiting a zero-day vulnerability in Google Chrome, later cataloged as CVE-2025-2783. That exploit chain provided an entry point, leading researchers to a trail of modular implants and post-exploitation tools. Among them, the analysts uncovered LeetAgent, a loader used as a bridge to deploy the far more complex Dante framework.
While not every ForumTroll campaign included Dante, forensic cross-matching revealed its presence in parallel operations — strongly suggesting the spyware was rented or brokered, possibly through an intermediary, and integrated into the group’s broader toolset.
What makes this case remarkable is not just the target region but the geopolitical inversion: Italian-made commercial spyware deployed inside sanctioned Eurasian systems, either by foreign operatives or by actors with access to Western surveillance supply lines.
THE RESURRECTION OF A CONTROVERSIAL NAME
For those who followed the old Hacking Team, the reemergence of their code lineage carries historical weight.
A decade ago, Hacking Team was one of Europe’s most controversial cyber firms, selling its Remote Control Systems (RCS) platform to governments including those of Saudi Arabia, Egypt, Kazakhstan, Mexico, and Hungary — nations later accused of using the spyware to suppress dissent and target journalists.
The company’s reputation imploded in 2015 after an internal data breach exposed its client list, internal communications, and source code to the public. The scandal revealed an industry operating in the shadows, where “lawful intercept” often blurred into political espionage.
After the leak, the firm was acquired and rebranded as Memento Labs, based in Milan. Despite public scrutiny, its marketing never stopped — the firm continued promoting its “intelligence solutions” to state clients under stricter discretion. The Dante platform, unveiled privately in 2023, represented the company’s next-generation surveillance suite, designed to bypass modern endpoint detection systems, infiltrate encrypted messaging apps, and persist across reboots with forensic stealth.
The fact that such a system now appears inside Russian and Belarusian infrastructures speaks to a deeper problem in the global espionage economy: once released, code doesn’t retire — it migrates.
THE SHADOW NETWORK CALLED FORUMTROLL
The hacking collective ForumTroll has been active for several years, balancing between financially motivated phishing and politically aligned espionage. Researchers describe the group’s communication style as fluent in Russian but not native — a clue suggesting cross-border coordination or contracted operations under linguistic disguise.
ForumTroll’s hallmark is familiarity with local institutions and event calendars, often using precise cultural context in its lures. Yet operational mistakes — inconsistent Cyrillic formatting, timezone mismatches, and Western language structure in payloads — betray foreign operators.
The group’s evolving toolkit now includes LeetAgent, Dante’s possible loader, active since at least 2022. LeetAgent establishes persistence, captures telemetry, and enables secondary payload retrieval through encrypted command channels. Once Dante is deployed, the infection escalates dramatically — full system access, microphone activation, exfiltration of credentials, browser data, and local file mapping.
Analysts remain uncertain whether ForumTroll rented Dante directly from Memento Labs or obtained it through an intermediary market. Either way, the tool’s appearance in these operations signifies that commercial spyware has crossed another frontier — into sanctioned states once thought isolated from Western surveillance ecosystems.
EUROPE’S LONG SHADOW IN CYBER WARFARE
The use of Western-developed spyware in Eastern networks illustrates an uncomfortable reality for global cybersecurity: the market for digital espionage has no borders, only buyers.
European companies continue to build intrusion frameworks under export control loopholes, licensing to “authorized law enforcement” while relying on intermediaries to obscure end users. Once the binaries are in circulation, tracking them is nearly impossible.
Italy, Spain, Israel, and the UK host some of the most advanced private surveillance developers in the world.
Despite sanctions, many of their products eventually appear in regions far outside their intended scope — through resale, theft, or unacknowledged cooperation between state intelligence proxies.
This discovery aligns with a growing pattern seen across 2024–2025: the privatization of espionage, where intelligence-grade tools move fluidly between corporations, contractors, and shadow-state actors. Dante’s arrival in Russian and Belarusian systems may not mark an act of aggression, but it exposes the uncontrollable momentum of an industry that trades invisibility as its currency.
TRJ VERDICT
This is not espionage as it once was — this is commerce in chaos.
The presence of Italian-engineered spyware inside Russian and Belarusian networks doesn’t symbolize infiltration; it exposes how the global surveillance trade has become borderless.
The same code once branded as “lawful intercept” now slips through proxies into the hands of foreign operators who pay for access and weaponize it under new flags.
Every cycle of outrage, rebranding, and reemergence pushes the line further away from accountability. What began as a European export for counterterrorism has evolved into an untraceable digital arms trade — one where law enforcement, corporate brokers, and mercenary hackers occupy the same ecosystem.
When spyware built in Milan can operate deep within Moscow’s networks, the illusion of sovereignty in cyberspace dissolves. Nations are no longer protected by their borders, and neither are their secrets.
— TRJ News


It’s hard for me to say this is bad news except that it may come back to bite Western nations in some way. Keeping Russia busy with things like this gives them less time to be on the attack. I think it would be great to keep them very busy.
Maybe I’m wrong and you can correct my attitude on this, John.
You’re right, Chris — and you’re welcome. That’s a fair perspective. Distraction in cyber warfare does have its appeal; if a hostile state is busy defending its own systems, that’s less bandwidth to launch external attacks. But the trade-off is risk — every digital strike, no matter how justified it seems, opens the door for escalation.
The problem is, once the lines blur between offensive containment and retaliatory disruption, the whole cyber domain becomes a self-feeding loop. These tactics may slow aggression in the short term, but in the long run they normalize intrusion as strategy — and that’s a cycle that eventually turns inward.
I completely understand where you’re coming from, and you’re not wrong to think that keeping adversaries occupied has its advantages. It just has to be managed with restraint — because once cyber conflict becomes routine, everyone’s system becomes fair game.
Appreciate your honesty, as always, Chris. I hope you have a great night and day ahead. 😎
Thank you for sharing your take on this, John. I hope the U.S. isn’t involved in such tactics as I’m assuming things like this are illegal. Still, thanks for understanding my thinking here. I do think the U.S. should create as much of a defensive posture as possible and any attacks we are responsible for must be because of something very important, like national security.
I can see where attacking just to create enough chaos to keep another nation busy might create an all-out (worse than it is now) cyberwar. I suppose the U.S. should set a good example and focus on defenses.
Thank you for your thoughts. I hope you have a great day!