Kaspersky researchers discovered previously unidentified commercial Dante spyware developed by Memento Labs (formerly Hacking Team) and linked it to the ForumTroll APT attacks.
Analysis Summary
# Threat Actor: ForumTroll APT
## Attribution & Identity
* **Primary Identification:** ForumTroll APT.
* **Known Association:** Linked to the development and use of the commercial spyware **Dante**.
* **Developer Link:** Dante spyware was developed by **Memento Labs** (formerly known as Hacking Team).
## Activity Summary
The primary activity highlighted is the discovery of the previously unidentified commercial Dante spyware developed by Memento Labs, and its subsequent linkage to operations attributed to the ForumTroll APT.
## Tactics, Techniques & Procedures
* The article focuses on the **tool/malware** used (Dante spyware) rather than on specific execution TTPs; the use of commercial spyware does, however, imply specialized surveillance and exfiltration capabilities.
* *Note: Specific MITRE ATT&CK IDs are not provided in the context but would relate to surveillance and command/control if fully detailed.*
## Targeting
* **Sectors:** Not explicitly detailed in the summary context.
* **Geography:** Not explicitly detailed in the summary context.
* **Victims:** Not explicitly detailed in the summary context.
## Tools & Infrastructure
* **Malware families used:** Dante spyware (Commercial product developed by Memento Labs/Hacking Team).
* **Infrastructure:** No specific C2 infrastructure (domains, IPs) is detailed in the provided context for ForumTroll APT operations using Dante.
## Implications
The linkage between a known commercial surveillance vendor (Memento Labs/Hacking Team) and an APT group (ForumTroll) suggests that politically or financially motivated actors are using sophisticated, off-the-shelf surveillance tools for espionage purposes.
## Mitigations
* Defensive efforts should focus on detecting and analyzing the forensic artifacts associated with the **Dante spyware** modules once indicators are publicly released.
* Maintain vigilance against the spear-phishing or exploitation chains that would be used to deliver this professional-grade spyware.