The ForumTroll and his colleagues

Our experts have found common tools used by both the ForumTroll APT group and attackers using Dante malware by Memento Labs.

LeetAgent: a tool shared by ForumTroll and Dante

Our experts from the Kaspersky Global Research and Analysis Team (GReAT) reconstructed the chain of infection used in attacks by the ForumTroll APT group. During their investigation, they discovered that the tools used by ForumTroll were also used to distribute the commercial malware Dante. Boris Larin gave a detailed presentation on this research at the Security Analyst Summit 2025 conference in Thailand.

What is ForumTroll APT, and how does it operate?

In March, our technologies detected a wave of infections of Russian companies with previously unknown sophisticated malware. The attacks used short-lived web pages that exploited the CVE-2025-2783 zero-day vulnerability in Google Chrome. The attackers sent emails to employees of media, government, educational, and financial institutions in Russia, inviting them to participate in the Primakov Readings scientific and expert forum, which is why the campaign was given the catchy name “Forum Troll” and the group behind it was named ForumTroll. When the link in the email was clicked, the device was infected with malware. The malware used by the attackers was named LeetAgent because the commands it received from the control server were written in leetspeak (“leet” spellings).

After the initial publication, GReAT experts continued to investigate ForumTroll’s activity. In particular, they found several more attacks by the same group on organizations and individuals in both Russia and Belarus. In addition, while searching for attacks that used LeetAgent, they discovered cases of other, much more sophisticated malware being used.

What is Dante and what does HackingTeam have to do with it?

The malware found had a modular structure, used module encryption with keys unique to each victim, and self-destructed after a certain period of time if no commands from the control server were received. But most interesting of all, our researchers managed to identify it as commercial spyware called Dante, developed by the Italian company Memento Labs – formerly known as Hacking Team.

HackingTeam was one of the pioneers of commercial spyware. But in 2015, the company’s own infrastructure was hacked and a significant portion of its internal documentation – including the source code for its commercial spyware – was published online. After that, the company was sold and renamed Memento Labs.

You can read more about what Dante malware can do, and how our experts figured out that it was indeed Dante, in the Securelist blogpost. You can also find the corresponding indicators of compromise there.

How to stay safe

Initially, attacks using LeetAgent were detected by our XDR solution. In addition, details of this research, as well as whatever we learn in the future about the ForumTroll group and the Dante spyware, will be available to subscribers of our APT threat data service on the Threat Intelligence Portal.
