Kaspersky researchers have identified a sophisticated malware campaign, dubbed Operation ForumTroll, targeting various organizations in Russia. This campaign is linked to Memento Labs, the successor company to the notorious surveillance technology firm Hacking Team. Alongside the campaign, researchers also discovered a new commercial spyware product developed by Memento Labs.
Operation ForumTroll has been actively targeting government bodies, media organizations, financial institutions, universities, and research centers. The primary objective of this advanced persistent threat (APT) campaign appears to be espionage, according to Kaspersky’s analysis released Monday. The attackers employed a cunning phishing strategy to initiate infections.
Operation ForumTroll and Memento Labs Unveiled
Hacking Team, a prominent player in surveillance technology, operated until 2019 before its acquisition and subsequent rebranding to Memento Labs. Kaspersky’s investigation revealed a wave of malware infections commencing in March, with origins tracing back to 2022 and direct ties to Memento Labs.
The infections were triggered when victims clicked on personalized phishing links sent via email. These links were disguised as invitations to the Primakov Readings, an international summit focused on global politics and economics. Simply visiting the compromised website was sufficient to trigger the infection, which exploited a zero-day vulnerability in Google Chrome that has since been patched.
Meanwhile, Memento Labs did not immediately respond to requests for comment regarding these findings. The discovery of these activities could mark a significant development for Memento Labs, which reportedly faced challenges after its transition from Hacking Team.
The Dante Spyware Discovery
While analyzing the malware associated with Operation ForumTroll, Kaspersky researchers also uncovered a previously unknown commercial spyware product named “Dante,” developed by Memento Labs. Although not directly used in the ForumTroll campaign, Kaspersky observed its deployment in other attacks linked to the same threat group.
Kaspersky’s report indicates some overlapping indicators between the Operation ForumTroll campaign and the Dante spyware. These similarities include common file system paths, the utilization of the same persistence mechanisms, and data concealed within font files. Most critically, the researchers identified shared code across the exploit, loader, and the Dante spyware itself.
This latest revelation by Russia-headquartered Kaspersky is the second instance this month to highlight the intersection of spyware and Russian targets, following Zimperium’s earlier disclosure about the ClayRat malware. The findings underscore the evolving landscape of cyber espionage and commercial spyware development.
The ongoing investigation into these activities will likely focus on attributing the full scope of Memento Labs’ operations and understanding the extent of the Dante spyware’s deployment. Any further information from Kaspersky or other security researchers regarding shared infrastructure or new campaign details will be critical in assessing the total impact.

