On Monday, cybersecurity firm Kaspersky released findings on a newly discovered spyware named Dante, which reportedly targeted Windows systems in Russia and neighboring Belarus. According to the researchers, Dante was developed by Memento Labs, a surveillance technology company based in Milan that emerged in 2019 after acquiring the assets of the earlier spyware developer Hacking Team.
Paolo Lezzi, CEO of Memento, confirmed to TechCrunch that the spyware identified by Kaspersky is indeed a product of Memento.
During a phone conversation, Lezzi attributed the exposure of Dante to one of their government clients, stating that the client had deployed an outdated version of the Windows spyware, which Memento plans to discontinue support for by year’s end.
“They were clearly using an agent that was already obsolete,” Lezzi explained to TechCrunch, using “agent” as the technical term for the spyware installed on a victim’s device.
“I actually thought [the government client] had stopped using it,” Lezzi remarked.
Lezzi, who mentioned he was unsure which specific clients were involved, also noted that Memento had already instructed all its clients to cease using the Windows malware. He said the company had warned its customers since December 2024 that Kaspersky had detected Dante infections. Memento intends to remind all clients again on Wednesday to discontinue use of the Windows spyware.
He further stated that Memento now focuses solely on developing spyware for mobile devices. The company also works with zero-day vulnerabilities—security flaws unknown to software vendors that can be exploited to install spyware—though Lezzi said most of these exploits are sourced from external developers.
When contacted by TechCrunch, Kaspersky spokesperson Mai Al Akka declined to specify which government might be behind the spying operation, only stating that it was “an entity capable of utilizing Dante software.”
“This group is notable for its strong command of Russian and familiarity with local context, which Kaspersky has seen in other [state-sponsored] operations. However, occasional mistakes indicate the attackers are not native speakers,” Al Akka told TechCrunch.
Kaspersky’s latest report describes a hacking group it calls “ForumTroll” using Dante spyware to target individuals invited to the Primakov Readings, a Russian political and economic forum. The hackers reportedly attacked a wide array of sectors in Russia, including media, academia, and government agencies.
Kaspersky discovered Dante after detecting a surge of cyberattacks using phishing links that exploited a Chrome browser zero-day vulnerability. Lezzi clarified that Memento was not responsible for developing the Chrome zero-day exploit.
Kaspersky’s report notes that Memento continued to enhance the spyware originally created by Hacking Team until 2022, at which point Dante replaced it.
Lezzi acknowledged that certain features or behaviors in Memento’s Windows spyware may have been inherited from Hacking Team’s earlier products.
A key indicator that the spyware identified by Kaspersky was linked to Memento was the presence of the term “DANTEMARKER” in its code—a direct nod to the Dante name, which Memento had previously revealed at a surveillance technology event, according to Kaspersky.
Similar to Dante, some versions of Hacking Team’s spyware, known as Remote Control System, were named after notable Italian historical figures like Leonardo Da Vinci and Galileo Galilei.
A history of hacks
In 2019, Lezzi acquired Hacking Team and rebranded it as Memento Labs. He told reporters that he paid just one euro for the company, with the intention of starting anew.
“We intend to overhaul everything,” Lezzi told Motherboard after the acquisition in 2019. “We’re beginning from the ground up.”
A year later, Hacking Team’s founder and CEO David Vincenzetti declared the company “dead.”
After acquiring Hacking Team, Lezzi told TechCrunch that only three government clients remained, a significant drop from the more than 40 government customers the company had in 2015. That same year, hacktivist Phineas Fisher breached the company’s servers, stealing around 400 gigabytes of internal emails, contracts, documents, and spyware source code.
Prior to the breach, Hacking Team’s spyware had been used by clients in Ethiopia, Morocco, and the United Arab Emirates to target journalists, critics, and dissidents. Following the leak of internal data by Phineas Fisher, journalists uncovered that a regional government in Mexico used the spyware against local politicians, and that Hacking Team had sold its tools to countries with poor human rights records, such as Bangladesh, Saudi Arabia, and Sudan, among others.
Lezzi declined to disclose the current number of Memento’s clients to TechCrunch, but suggested it is fewer than 100. He also mentioned that only two former Hacking Team employees remain at Memento.
John Scott-Railton, a senior researcher at the University of Toronto’s Citizen Lab who has spent a decade studying spyware misuse, said the emergence of Memento’s spyware demonstrates the ongoing spread of surveillance technology. He added
It also illustrates that even after a company collapses due to a major hack and multiple scandals, a new firm with fresh spyware can still rise from its remains,
“This shows us the importance of maintaining accountability,” Scott-Railton told TechCrunch. “It’s telling that the legacy of such a notorious, compromised, and breached brand continues to persist.”
