Digital Espionage Exposed: Memento Labs’ Spyware Implicated in Campaigns Targeting Russian and Belarusian Victims

A recent cybersecurity investigation by Kaspersky has unveiled a sophisticated spyware operation, dubbed "Dante," targeting Windows users in Russia and neighboring Belarus. The revelation has drawn immediate attention to Memento Labs, a Milan-based surveillance technology firm, whose CEO, Paolo Lezzi, has confirmed that the detected malware indeed originates from his company. This incident reignites concerns about the pervasive use and potential misuse of commercial surveillance tools, especially given Memento Labs’ controversial lineage from the notorious Hacking Team.

Unmasking the Dante Spyware

Kaspersky, a global cybersecurity powerhouse known for its extensive threat intelligence, released a detailed report earlier this week outlining its findings. The report pinpointed "Dante" as a potent Windows-based spyware designed to covertly infiltrate target systems. Researchers noted distinct characteristics of the malware, including the deliberate embedding of the string "DANTEMARKER" within its code, a clear identifier that Memento Labs had previously associated with its products at industry conferences. This embedded marker string provided a crucial link, allowing Kaspersky to attribute the spyware to the Italian firm.

The targets of the Dante spyware, according to Kaspersky’s analysis, were diverse and strategically significant. The "ForumTroll" hacking group, identified as the orchestrators of these attacks, specifically leveraged invitations to the "Primakov Readings," a prominent forum on Russian politics and economics, as a lure. This tactic suggests a high degree of geopolitical awareness and a focus on individuals with access to sensitive information. Affected sectors reportedly included media organizations, academic institutions, and various government entities within Russia and Belarus, indicating a broad intelligence-gathering objective. Kaspersky spokesperson Mai Al Akka commented that the group demonstrated a strong command of Russian and familiarity with local nuances, although occasional linguistic errors hinted that the attackers might not be native speakers.

Memento Labs’ Response and a Blame Game

Following Kaspersky’s publication, Memento Labs’ chief executive, Paolo Lezzi, acknowledged the findings, confirming the spyware’s provenance. However, his explanation shifted responsibility to one of Memento Labs’ unnamed government clients. Lezzi asserted that the customer in question had deployed an outdated version of the Windows spyware, a variant that Memento Labs intends to discontinue support for by the end of the current year. "Clearly they used an agent that was already dead," Lezzi stated, using "agent," the technical term for the spyware installed on a target’s computer. He expressed surprise, adding, "I thought [the government customer] didn’t even use it anymore."

Lezzi further indicated that Memento Labs had been advising its clientele since December 2024, following initial detections by Kaspersky, to cease using the Windows malware. He announced plans to issue another message to all customers, reinforcing the directive to discontinue the use of its Windows spyware. This ongoing communication suggests a struggle for control over deployed tools and raises questions about the lifecycle management of sophisticated surveillance technology once it leaves the vendor’s hands. Lezzi also clarified that Memento Labs primarily focuses on developing spyware for mobile platforms and typically sources exploits, including zero-days (critical software vulnerabilities unknown to vendors that can be exploited to deliver malware), from external developers rather than creating them in-house. He specifically denied Memento Labs’ involvement in a recent Chrome zero-day exploit that Kaspersky had detected as part of the initial wave of attacks.

The Shadow of Hacking Team: A Troubled Legacy

The emergence of Memento Labs’ Dante spyware is particularly notable due to the company’s direct ties to Hacking Team, a notorious predecessor in the commercial surveillance industry. Hacking Team, founded in Milan, gained international infamy for developing and selling "Remote Control System" (RCS) spyware, often branded with names of Italian historical figures like "Leonardo" and "Galileo." For years, human rights organizations and cybersecurity researchers, most notably the University of Toronto’s Citizen Lab, documented how Hacking Team’s tools were allegedly sold to governments with questionable human rights records and subsequently used to target journalists, dissidents, and political opponents worldwide.

A pivotal moment in Hacking Team’s history occurred in 2015 when a hacktivist operating under the pseudonym Phineas Fisher breached the company’s servers. This audacious cyberattack resulted in the leak of over 400 gigabytes of internal data, including emails, contracts, and the source code for its spyware. The leak exposed the full extent of Hacking Team’s client list, revealing sales to countries like Ethiopia, Morocco, the United Arab Emirates, Bangladesh, Saudi Arabia, and Sudan—many of which were widely condemned for human rights abuses. The fallout was catastrophic, leading to a dramatic decline in the company’s reputation and customer base. From over 40 government clients in 2015, the number dwindled significantly.

In 2019, Paolo Lezzi acquired the remnants of Hacking Team for a symbolic sum of one euro, rebranding it as Memento Labs. His stated intention at the time was to "start from scratch" and "change absolutely everything," a clear effort to distance the new entity from its predecessor’s tainted image. A year later, Hacking Team’s founder, David Vincenzetti, officially declared the company "dead." Despite this stated fresh start, Kaspersky’s research suggests a more nuanced continuity. Their report concluded that Memento Labs "kept improving" Hacking Team’s original spyware until 2022, when it was eventually "replaced by Dante." Lezzi himself conceded that "aspects" or "behaviors" of Memento’s Windows spyware might have carried over from Hacking Team’s earlier developments, acknowledging the difficulty of completely severing ties to legacy codebases and methodologies.

The Broader Surveillance Industry and its Implications

The Memento Labs incident underscores the enduring challenges posed by the commercial surveillance technology market. This industry operates in a murky legal and ethical landscape, where tools designed for legitimate law enforcement and national security purposes can easily be repurposed for political repression, espionage against civil society, or human rights abuses. The demand for sophisticated digital surveillance capabilities by state actors globally continues to fuel this market, creating an environment where companies like Memento Labs can thrive, even after past scandals.

The "dual-use" nature of these technologies makes regulation exceptionally difficult. While governments argue for the necessity of such tools to combat terrorism and serious crime, the absence of robust oversight mechanisms often leads to their deployment against dissenting voices, journalists, and human rights defenders. The constant evolution of spyware, from desktop to mobile platforms and the continuous search for new zero-day exploits, signifies an ongoing arms race between cybersecurity defenders and those who seek to exploit digital vulnerabilities. The proliferation of these tools contributes to a global erosion of digital privacy and security, impacting democratic processes and individual freedoms.

The Persistence of Digital Espionage

John Scott-Railton, a senior researcher at the University of Toronto’s Citizen Lab, an organization that has extensively investigated spyware abuses for over a decade, provided a critical perspective on the recent developments. He highlighted that the discovery of Memento Labs’ spyware serves as a stark reminder of the relentless proliferation of such surveillance technology. It demonstrates that even a company brought low by a spectacular hack and multiple scandals can rise from the ashes under new branding, developing new spyware.

"It tells us that we need to keep up the fear of consequences," Scott-Railton commented, emphasizing the importance of accountability and continuous scrutiny. He added, "It says a lot that echoes of the most radioactive, embarrassed, and hacked brand are still around." This sentiment reflects a broader concern among cybersecurity experts and human rights advocates: despite increased public awareness and legislative efforts in some regions, the market for offensive cyber capabilities remains robust, driven by persistent demand and the relative anonymity afforded by the digital realm. The Memento Labs case illustrates that the cycle of surveillance technology development, deployment, detection, and controversy is far from over, continually challenging the boundaries of privacy and national security in the digital age.
