CEO of spyware maker Memento Labs confirms one of its public customers was caught using its malware


On Monday, researchers at cybersecurity giant Kaspersky published a report identifying a new spyware called Dante that they say is targeting Windows victims in Russia and neighboring Belarus. The researchers said the Dante spyware is made by Memento Labs, a Milan-based surveillance technology maker that was formed in 2019 after a new owner acquired and took over early spyware maker Hacking Team.

Memento CEO Paolo Lezzi confirmed to TechCrunch that the spyware caught by Kaspersky does indeed belong to Memento.

In a call, Lezzi blamed one of the company’s government customers for exposing Dante, saying the customer was using an outdated version of the Windows spyware that will no longer be supported by Memento by the end of this year.

“Obviously they were using an agent that was already dead,” Lezzi told TechCrunch, using “agent” as the technical word for the spyware planted on the target’s computer.

“I thought [the government customer] didn’t even use it anymore,” Lezzi said.

Lezzi, who said he was not sure which of the company’s customers were caught, added that Memento had already requested that all of its customers stop using the Windows malware. Lezzi said the company had warned customers that Kaspersky had been detecting Dante spyware infections since December 2024. He added that Memento plans to send a message to all its customers on Wednesday asking them once again to stop using their Windows spyware.

He also said that Memento currently only develops spyware for mobile platforms. The company also develops some zero-days — meaning security flaws in software unknown to the vendor that can be used to deliver spyware — although the company mostly sources its exploits from outside developers, according to Lezzi.

Contact us

Do you have more information about Memento Labs? Or other spyware manufacturers? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382 or via Telegram, Keybase and Wire @lorenzofb or via email.

When reached by TechCrunch, Kaspersky spokesperson Mai Al Akka would not say which government Kaspersky believes is behind the spying campaign, but that it was “someone who has been able to use Dante software.”

“The group stands out for its strong command of Russian and knowledge of local nuances, traits Kaspersky observed in other campaigns related to this [government-backed] threat. But occasional bugs suggest the attackers weren’t native,” Al Akka told TechCrunch.

In its new report, Kaspersky said it found a hacker group, which it refers to as “ForumTroll,” using the Dante spyware, and described the targeting of people with invitations to the Russian politics and economics forum Primakov Readings. Kaspersky said the hackers targeted a wide range of industries in Russia, including media, universities and government organizations.

Kaspersky’s discovery of Dante came after the Russian cybersecurity firm said it detected a “wave” of cyberattacks with phishing links that exploited a zero-day in the Chrome browser. Lezzi said the Chrome zero-day was not developed by Memento.

In its report, Kaspersky researchers concluded that Memento “continued to improve” the spyware originally developed by Hacking Team until 2022, when the spyware was “replaced by Dante.”

Lezzi admitted that it is possible that some “aspects” or “behaviors” of Memento’s Windows spyware were left over from spyware developed by Hacking Team.

A telltale sign that the spyware caught by Kaspersky belonged to Memento was that the developers allegedly left the word “DANTEMARKER” in the spyware’s code, a clear reference to the name Dante, which Memento had previously and publicly revealed at a tech monitoring conference, according to Kaspersky.

Like Memento’s Dante spyware, some versions of Hacking Team’s spyware, codenamed Remote Control System, were named after historical Italian figures such as Leonardo Da Vinci and Galileo Galilei.

A history of hacks

In 2019, Lezzi bought Hacking Team and renamed it Memento Labs. According to Lezzi, he only paid one euro for the company and the plan was to start over.

“We’re going to change absolutely everything,” the Memento owner told Motherboard after the acquisition in 2019. “We’re starting from scratch.”

A year later, Hacking Team CEO and founder David Vincenzetti announced that Hacking Team was “dead”.

When he bought Hacking Team, Lezzi told TechCrunch the company had only three government clients left, a far cry from the 40-plus government clients Hacking Team had in 2015. That same year, a hacktivist named Phineas Fisher broke into the startup’s servers and siphoned off about 400 gigabytes of internal emails, spyware and source code.

Prior to the hack, Hacking Team’s clients in Ethiopia, Morocco and the United Arab Emirates were caught targeting journalists, critics and dissidents using the company’s spyware. When Phineas Fisher published the company’s internal data online, reporters revealed that a Mexican regional government used Hacking Team’s spyware to target local politicians, and that Hacking Team had sold to countries with human rights abuses, including Bangladesh, Saudi Arabia, and Sudan, among others.

Lezzi declined to tell TechCrunch how many customers Memento currently has, but suggested it was fewer than 100 customers. He also said that only two current Memento employees remain from Hacking Team’s former employees.

The discovery of Memento’s spyware shows that this type of surveillance technology continues to spread, according to John Scott-Railton, a senior researcher who has studied spyware abuse for a decade at the University of Toronto’s Citizen Lab. It also turns out that a controversial company can die due to a spectacular hack and several scandals, and yet a new company with brand new spyware can still rise from its ashes.

“It tells us to maintain the fear of consequences,” Scott-Railton told TechCrunch. “It says a lot that echoes of the most radioactive, embarrassing and hackneyed brand still exist.”
