{"type":"rich","version":"1.0","provider_name":"Transistor","provider_url":"https://transistor.fm","author_name":"Daily Security Review","title":"Operation ForumTroll: Chrome Zero-Day Tied to Italian Spyware Developer Memento Labs","html":"<iframe width=\"100%\" height=\"180\" frameborder=\"no\" scrolling=\"no\" seamless src=\"https://share.transistor.fm/e/42f0917e\"></iframe>","width":"100%","height":180,"duration":2239,"description":"A newly uncovered cyber-espionage operation known as Operation ForumTroll has revealed the resurgence of commercial spyware in state-sponsored surveillance campaigns. According to new research from Kaspersky, the campaign exploited a Google Chrome zero-day vulnerability (CVE-2025-2783) and targeted Russian and Belarusian organizations in government, research, and media sectors. The attacks were traced to tools developed by Memento Labs, the Italian surveillance vendor formerly known as the Hacking Team, whose legacy spyware once sparked global controversy for being sold to authoritarian regimes.The operation began with highly tailored phishing emails disguised as invitations to the “Primakov Readings” — a major international policy forum — luring recipients into visiting short-lived malicious links. Once clicked, victims were redirected to a drive-by exploit that leveraged the Chrome sandbox escape vulnerability, allowing attackers to execute code on the underlying operating system. Kaspersky’s researchers later identified a similar flaw in Firefox (CVE-2025-2857), broadening the attack surface for the same threat actors.Once inside, the attackers deployed a dual-implant structure: a custom spyware loader named LeetAgent, and a far more advanced commercial implant called Dante, developed by Memento Labs. Both tools shared identical persistence mechanisms, specifically COM hijacking, a telltale indicator linking the two. While LeetAgent operated as a modular espionage platform capable of keylogging, code injection, and document theft, the Dante implant exhibited industrial-grade sophistication. Protected by VMProtect obfuscation, Dante was found to contain a central orchestrator module that decrypts and loads AES-encrypted payloads, all bound cryptographically to a specific victim machine—ensuring the spyware could not run elsewhere.Forensic analysis uncovered unmistakable evidence connecting Dante to Hacking Team’s legacy Remote Control Systems (RCS) spyware....","thumbnail_url":"https://img.transistorcdn.com/pL79_MJFeJHamQ_ztImsGmDSMdl27VMk_30TAkieujE/rs:fill:0:0:1/w:400/h:400/q:60/mb:500000/aHR0cHM6Ly9pbWct/dXBsb2FkLXByb2R1/Y3Rpb24udHJhbnNp/c3Rvci5mbS8yNzg5/ZjlhNzM5Y2M4Njli/NjkxNzgyODA2Nzhi/MDI2ZC5wbmc.webp","thumbnail_width":300,"thumbnail_height":300}