On Monday, researchers at cybersecurity giant Kaspersky published a report identifying a new spyware called Dante that they say targeted Windows victims in Russia and neighboring Belarus. The researchers said the Dante spyware is made by Memento Labs, a Milan-based surveillance tech maker that was formed in 2019 after a new owner acquired and took over early spyware maker Hacking Team.
Memento chief executive Paolo Lezzi confirmed to TechCrunch that the spyware caught by Kaspersky does indeed belong to Memento.
In a call, Lezzi blamed one of the company’s government customers for exposing Dante, saying the customer used an outdated version of the Windows spyware that will no longer be supported by Memento by the end of this year.
“Clearly they used an agent that was already dead,” Lezzi told TechCrunch, referring to an “agent” as the technical word for the spyware planted on the target’s computer.
“I thought [the government customer] didn’t even use it anymore,” said Lezzi.
Lezzi, who said he was not sure which of the company’s customers were caught, added that Memento had already requested that all of its customers stop using the Windows malware. Lezzi said the company had warned customers that Kaspersky had detected Dante spyware infections since December 2024. He added that Memento plans to send a message to all its customers on Wednesday asking them once again to stop using its Windows spyware.
He also said that Memento currently only develops spyware for mobile platforms. The company also develops some zero-days — meaning security flaws in software unknown to the vendor that can be used to deliver spyware — though the company mostly sources its exploits from outside developers, according to Lezzi.
When reached by TechCrunch, Kaspersky spokesperson Mai Al Akka would not say which government Kaspersky believes is behind the espionage campaign, but that it was “someone who has been able to use Dante software.”
“The group stands out for its strong command of Russian and knowledge of local nuances, traits that Kaspersky observed in other campaigns linked to this [government-backed] threat. However, occasional errors suggest that the attackers were not native speakers,” Al Akka told TechCrunch.
In its new report, Kaspersky said it found a hacking group using the Dante spyware that it refers to as “ForumTroll,” describing the targeting of people with invites to Russian politics and economics forum Primakov Readings. Kaspersky said the hackers targeted a wide range of industries in Russia, including media outlets, universities, and government organizations.
Kaspersky’s discovery of Dante came after the Russian cybersecurity firm said it detected a “wave” of cyberattacks with phishing links that were exploiting a zero-day in the Chrome browser. Lezzi said that the Chrome zero-day was not developed by Memento.
In its report, Kaspersky researchers concluded that Memento “kept improving” the spyware originally developed by Hacking Team until 2022, when the spyware was “replaced by Dante.”
Lezzi conceded that it is possible that some “aspects” or “behaviors” of Memento’s Windows spyware were left over from spyware developed by Hacking Team.
A telltale sign that the spyware caught by Kaspersky belonged to Memento was that the developers allegedly left the word “DANTEMARKER” in the spyware’s code, a clear reference to the name Dante, which Memento had previously and publicly disclosed at a surveillance tech conference, per Kaspersky.
Much like Memento’s Dante spyware, some versions of Hacking Team’s spyware, codenamed Remote Control System, were named after historical Italian figures, such as Leonardo Da Vinci and Galileo Galilei.
A history of hacks
In 2019, Lezzi purchased Hacking Team and rebranded it to Memento Labs. According to Lezzi, he paid only 1 euro for the company and the plan was to start over.
“We want to change absolutely everything,” the Memento owner told Motherboard after the acquisition in 2019. “We’re starting from scratch.”
A year later, Hacking Team’s CEO and founder David Vincenzetti announced that Hacking Team was “dead.”
When he acquired Hacking Team, Lezzi told TechCrunch that the company only had 3 government customers remaining, a far cry from the more than 40 government customers that Hacking Team had in 2015. That same year, a hacktivist called Phineas Fisher broke into the startup’s servers and siphoned off some 400 gigabytes of internal emails, contracts, documents, and the source code for its spyware.
Before the hack, Hacking Team’s customers in Ethiopia, Morocco, and the United Arab Emirates were caught targeting journalists, critics, and dissidents using the company’s spyware. Once Phineas Fisher published the company’s internal data online, journalists revealed that a Mexican regional government used Hacking Team’s spyware to target local politicians, and that Hacking Team had sold to countries with human rights abuses, including Bangladesh, Saudi Arabia, and Sudan, among others.
Lezzi declined to tell TechCrunch how many customers Memento currently has, but implied it was fewer than 100 customers. He also said that there are only 2 current Memento employees left from Hacking Team’s former staff.
The discovery of Memento’s spyware shows that this kind of surveillance technology keeps proliferating, according to John Scott-Railton, a senior researcher who has investigated spyware abuses for a decade at the University of Toronto’s Citizen Lab. It also shows that a controversial company can die because of a spectacular hack and several scandals, and yet a new company with brand new spyware can still come out of its ashes.
“It tells us that we need to keep up the fear of consequences,” Scott-Railton told TechCrunch. “It says a lot that echoes of the most radioactive, embarrassed and hacked brand are still around.”














