On Monday, researchers at cybersecurity big Kaspersky printed a report figuring out a brand new adware referred to as Dante that they are saying focused Home windows victims in Russia and neighboring Belarus. The researchers mentioned the Dante adware is made by Memento Labs, a Milan-based surveillance tech maker that was shaped in 2019 after a brand new proprietor acquired and took over early adware maker Hacking Crew.
Memento chief govt Paolo Lezzi confirmed to TechCrunch that the adware caught by Kaspersky does certainly belong to Memento.
In a name, Lezzi blamed one of many firm’s authorities clients for exposing Dante, saying the shopper used an outdated model of the Home windows adware that may not be supported by Memento by the top of this 12 months.
“Clearly they used an agent that was already lifeless,” Lezzi instructed TechCrunch, referring to an “agent” because the technical phrase for the adware planted on the goal’s laptop.
“I assumed [the government customer] didn’t even use it anymore,” mentioned Lezzi.
Lezzi, who mentioned he was undecided which of the corporate’s clients had been caught, added that Memento had already requested that each one of its clients cease utilizing the Home windows malware. Lezzi mentioned the corporate had warned clients that Kaspersky had detected Dante adware infections since December 2024. He added that Memento plans to ship a message to all its clients on Wednesday asking them as soon as once more to cease utilizing its Home windows adware.
He additionally mentioned that Memento at present solely develops adware for cell platforms. The corporate additionally develops some zero-days — that means safety flaws in software program unknown to the seller that can be utilized to ship adware — although, the corporate principally sources its exploits from exterior builders, in accordance with Lezzi.
Contact Us
Do you’ve extra details about Memento Labs? Or different adware makers? From a non-work gadget, you may contact Lorenzo Franceschi-Bicchierai securely on Sign at +1 917 257 1382, or by way of Telegram, Keybase and Wire @lorenzofb, or by electronic mail.
When reached by TechCrunch, Kaspersky spokesperson Mai Al Akka wouldn’t say which authorities Kaspersky believes is behind the espionage marketing campaign, however that it was “somebody who has been in a position to make use of Dante software program.”
“The group stands out for its sturdy command of Russian and information of native nuances, traits that Kaspersky noticed in different campaigns linked to this [government-backed] menace. Nonetheless, occasional errors counsel that the attackers weren’t native audio system,” Al Akka instructed TechCrunch.
In its new report, Kaspersky mentioned it discovered a hacking group utilizing the Dante adware that it refers to as “ForumTroll,” describing the concentrating on of individuals with invitations to Russian politics and economics discussion board Primakov Readings. Kaspersky mentioned the hackers focused a broad vary of industries in Russia, together with media retailers, universities, and authorities organizations.
Kaspersky’s discovery of Dante got here after the Russian cybersecurity agency mentioned it detected a “wave” of cyberattacks with phishing hyperlinks that had been exploiting a zero-day within the Chrome browser. Lezzi mentioned that the Chrome zero-day was not developed by Memento.
In its report, Kaspersky researchers concluded that Memento “saved enhancing” the adware initially developed by Hacking Crew till 2022, when the adware was “changed by Dante.”
Lezzi conceded that it’s attainable that some “features” or “behaviors” of Memento’s Home windows adware had been left over from adware developed by Hacking Crew.
A telltale signal that the adware caught by Kaspersky belonged to Memento was that the builders allegedly left the phrase “DANTEMARKER” within the adware’s code, a transparent reference to the identify Dante, which Memento had beforehand and publicly disclosed at a surveillance tech convention, per Kaspersky.
Very like Memento’s Dante adware, some variations of Hacking Crew’s adware, codenamed Distant Management System, had been named after historic Italian figures, resembling Leonardo Da Vinci and Galileo Galilei.
A historical past of hacks
In 2019, Lezzi bought Hacking Crew and rebranded it to Memento Labs. In accordance with Lezzi, he paid just one euro for the corporate and the plan was to begin over.
“We wish to change completely the whole lot,” the Memento proprietor instructed Motherboard after the acquisition in 2019. “We’re ranging from scratch.”
A 12 months later, Hacking Crew’s CEO and founder David Vincenzetti introduced that Hacking Crew was “lifeless.”
When he acquired Hacking Crew, Lezzi instructed TechCrunch that the corporate solely had three authorities clients remaining, a far cry from the greater than 40 authorities clients that Hacking Crew had in 2015. That very same 12 months, a hacktivist referred to as Phineas Fisher broke into the startup’s servers and siphoned off some 400 gigabytes of inside emails, contracts, paperwork, and the supply code for its adware.
Earlier than the hack, Hacking Crew’s clients in Ethiopia, Morocco, and the United Arab Emirates had been caught concentrating on journalists, critics, and dissidents utilizing the corporate’s adware. As soon as Phineas Fisher printed the corporate’s inside knowledge on-line, journalists revealed {that a} Mexican regional authorities used Hacking Crew’s adware to focus on native politicians, and that Hacking Crew had bought to international locations with human rights abuses, together with Bangladesh, Saudi Arabia, and Sudan, amongst others.
Lezzi declined to inform TechCrunch what number of clients Memento at present has, however implied it was fewer than 100 clients. He additionally mentioned that there are solely two present Memento workers left from Hacking Crew’s former workers.
The invention of Memento’s adware reveals that the sort of surveillance know-how retains proliferating, in accordance with John Scott-Railton, a senior researcher who has investigated adware abuses for a decade on the College of Toronto’s Citizen Lab. It additionally reveals
Additionally {that a} controversial firm can die due to a spectacular hack and a number of other scandals, and but a brand new firm with model new adware can nonetheless come out of its ashes,
“It tells us that we have to sustain the concern of penalties,” Scott-Railton instructed TechCrunch. “It says rather a lot that echoes of essentially the most radioactive, embarrassed and hacked model are nonetheless round.”
