{
	"id": "b22091af-693c-47e8-8fca-37973dd09e7d",
	"created_at": "2026-04-06T01:30:13.271907Z",
	"updated_at": "2026-04-10T03:36:47.777807Z",
	"deleted_at": null,
	"sha1_hash": "32e66e33d71d6351d0a2710e678d14d1370e88b1",
	"title": "Mem3nt0 mori – The Hacking Team is back!",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1814230,
	"plain_text": "Mem3nt0 mori – The Hacking Team is back!\r\nBy Boris Larin\r\nPublished: 2025-10-27 · Archived: 2026-04-06 01:09:09 UTC\r\nIn March 2025, Kaspersky detected a wave of infections that occurred when users clicked on personalized\r\nphishing links sent via email. No further action was required to initiate the infection; simply visiting the malicious\r\nwebsite using Google Chrome or another Chromium-based web browser was enough.\r\nThe malicious links were personalized and extremely short-lived to avoid detection. However, Kaspersky’s\r\ntechnologies successfully identified a sophisticated zero-day exploit that was used to escape Google Chrome’s\r\nsandbox. After conducting a quick analysis, we reported the vulnerability to the Google security team, who fixed\r\nit as CVE-2025-2783.\r\nAcknowledgement for finding CVE-2025-2783 (excerpt from the security fixes included into Chrome\r\n134.0.6998.177/.178)\r\nWe dubbed this campaign Operation ForumTroll because the attackers sent personalized phishing emails inviting\r\nrecipients to the Primakov Readings forum. The lures targeted media outlets, universities, research centers,\r\ngovernment organizations, financial institutions, and other organizations in Russia. The functionality of the\r\nmalware suggests that the operation’s primary purpose was espionage.\r\nWe traced the malware used in this attack back to 2022 and discovered more attacks by this threat actor on\r\norganizations and individuals in Russia and Belarus. 
While analyzing the malware used in these attacks, we\r\ndiscovered an unknown piece of malware that we identified as commercial spyware called “Dante” and developed\r\nby the Italian company Memento Labs (formerly Hacking Team).\r\nSimilarities in the code suggest that the Operation ForumTroll campaign was also carried out using tools\r\ndeveloped by Memento Labs.\r\nIn this blog post, we’ll take a detailed look at the Operation ForumTroll attack chain and reveal how we\r\ndiscovered and identified the Dante spyware, which remained hidden for years after the Hacking Team rebrand.\r\nAttack chain\r\nhttps://securelist.com/forumtroll-apt-hacking-team-dante-spyware/117851/\r\nPage 1 of 14\n\nOperation ForumTroll attack chain\r\nIn all known cases, infection occurred after the victim clicked a link in a spear phishing email that directed them\r\nto a malicious website. The website verified the victim and executed the exploit.\r\nWhen we first discovered and began analyzing this campaign, the malicious website no longer contained the code\r\nresponsible for carrying out the infection; it simply redirected visitors to the official Primakov Readings website.\r\nTherefore, we could only work with the attack artifacts discovered during the first wave of infections. Fortunately,\r\nKaspersky technologies detected nearly all of the main stages of the attack, enabling us to reconstruct and analyze\r\nthe Operation ForumTroll attack chain.\r\nPhishing email\r\nExample of a malicious email used in this campaign (translated from Russian)\r\nThe malicious emails sent by the attackers were disguised as invitations from the organizers of the Primakov\r\nReadings scientific and expert forum. These emails contained personalized links to track infections. 
The emails\r\nappeared authentic, contained no language errors, and were written in the style one would expect for an invitation\r\nto such an event. Proficiency in Russian and familiarity with local peculiarities are distinctive features of the\r\nForumTroll APT group, traits that we have also observed in its other campaigns. However, mistakes in some of\r\nthose other cases suggest that the attackers were not native Russian speakers.\r\nValidator\r\nThe validator is a relatively small script executed by the browser. It validates the victim and securely downloads\r\nand executes the next stage of the attack.\r\nThe first action the validator performs is to calculate the SHA-256 of the random data received from the server\r\nusing the WebGPU API. It then verifies the resulting hash. This is done using the open-source code of Marco\r\nCiaramella’s sha256-gpu project. The main purpose of this check is likely to verify that the site is being visited by\r\na real user with a real web browser, and not by a mail server that might follow a link, emulate a script, and\r\ndownload an exploit. Another possible reason for this check could be that the exploit triggers a vulnerability in the\r\nWebGPU API or relies on it for exploitation.\r\nThe validator sends the infection identifier, the result of the WebGPU API check and the newly generated public\r\nkey to the C2 server for key exchange using the Elliptic-curve Diffie–Hellman (ECDH) algorithm. If the check is\r\npassed, the server responds with an AES-GCM key. This key is used to decrypt the next stage, which is hidden in\r\nrequests to bootstrap.bundle.min.js and .woff2 font files. 
Following the timeline of events and the infection logic,\r\nthis next stage should have been a remote code execution (RCE) exploit for Google Chrome, but it was not\r\nobtained during the attack.\r\nSandbox escape exploit\r\nList of in-the-wild 0-days caught and reported by Kaspersky\r\nOver the years, we have discovered and reported on dozens of zero-day exploits that were actively used in attacks.\r\nHowever, CVE-2025-2783 is one of the most intriguing sandbox escape exploits we’ve encountered. This exploit\r\ngenuinely puzzled us because it allowed attackers to bypass Google Chrome’s sandbox protection without\r\nperforming any obviously malicious or prohibited actions. This was due to a powerful logical vulnerability caused\r\nby an obscure quirk in the Windows OS.\r\nTo protect against bugs and crashes, and enable sandboxing, Chrome uses a multi-process architecture. The main\r\nprocess, known as the browser process, handles the user interface and manages and supervises other processes.\r\nSandboxed renderer processes handle web content and have limited access to system resources. Chrome uses\r\nMojo and the underlying ipcz library, introduced to replace legacy IPC mechanisms, for interprocess\r\ncommunication between the browser and renderer processes.\r\nThe exploit we discovered came with its own Mojo and ipcz libraries that were statically compiled from official\r\nsources. This enabled attackers to communicate with the IPC broker within the browser process without having to\r\nmanually craft and parse ipcz messages. However, this created a problem for us because, to analyze the exploit,\r\nwe had to identify all the Chrome library functions it used. 
This involved a fair amount of work, but once\r\ncompleted, we knew all the actions performed by the exploit.\r\nIn short, the exploit does the following:\r\nResolves the addresses of the necessary functions and code gadgets from dll using a pattern search.\r\nHooks the v8_inspector::V8Console::Debug function. This allows attackers to escape the sandbox and\r\nexecute the desired payload via a JavaScript call.\r\nStarts executing a sandbox escape when attackers call console.debug(0x42, shellcode); from their script.\r\nHooks the ipcz::NodeLink::OnAcceptRelayedMessage function.\r\nCreates and sends an ipcz message of the type RelayMessage. This message type is used to pass Windows\r\nOS handles between two processes that do not have the necessary permissions (e.g., renderer processes).\r\nThe exploit retrieves the handle returned by the GetCurrentThread API function and uses this ipcz message\r\nto relay it to itself. The broker transfers handles between processes using the DuplicateHandle API\r\nfunction.\r\nReceives the relayed message back using the ipcz::NodeLink::OnAcceptRelayedMessage function hook,\r\nbut instead of the handle that was previously returned by the GetCurrentThread API function, it now\r\ncontains a handle to the thread in the browser process!\r\nUses this handle to execute a series of code gadgets in the target process by suspending the thread, setting\r\nregister values using SetThreadContext, and resuming the thread. This results in shellcode execution in the\r\nbrowser process and subsequent installation of a malware loader.\r\nSo, what went wrong, and how was this possible? The answer can be found in the descriptions of the\r\nGetCurrentThread and GetCurrentProcess API functions. When these functions are called, they don’t return actual\r\nhandles; rather, they return pseudo handles, special constants that are interpreted by the kernel as a handle to the\r\ncurrent thread or process. 
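A model of that broker-side check, added here as an example; it is not code from Kaspersky, Chromium or ipcz. The broker, the relayed message and DuplicateHandle are simulated so it runs on any OS; the only Windows facts it relies on are the documented pseudo-handle constants (-1 for the current process, which is also INVALID_HANDLE_VALUE, -2 for the current thread, and -4, -5 and -6 for the token pseudo handles). It contrasts a broker that filters only -1, which relays GetCurrentThread() straight back as a real broker thread handle, with a check that rejects every non-positive value before DuplicateHandle is reached.

```python
# Added example, not code from Kaspersky, Chromium or ipcz: a model of the
# broker-side handle check that CVE-2025-2783 got past. The constants are the
# documented Windows pseudo handles; the broker and DuplicateHandle are
# simulated so the script runs on any OS.
INVALID_HANDLE_VALUE = -1

PSEUDO_HANDLES = {
    -1: 'GetCurrentProcess (also INVALID_HANDLE_VALUE)',
    -2: 'GetCurrentThread',
    -4: 'GetCurrentProcessToken',
    -5: 'GetCurrentThreadToken',
    -6: 'GetCurrentThreadEffectiveToken',
}

def as_signed(raw, bits=64):
    # A handle crosses IPC as an unsigned machine word; the kernel reads it as
    # a signed pointer-sized integer, so the check must do the same, at the
    # pointer width of the process that sent it.
    mask = (1 << bits) - 1
    raw &= mask
    return raw - (1 << bits) if raw >> (bits - 1) else raw

def duplicate_handle_sim(h):
    # Stand-in for DuplicateHandle called by the broker on its own handle
    # table. A pseudo handle resolves to the broker's own object, which is
    # exactly what the exploit wanted relayed back. (The simulation resolves
    # every listed pseudo handle; a safe check rejects them all regardless.)
    if h in PSEUDO_HANDLES:
        return 'broker object: ' + PSEUDO_HANDLES[h]
    if h > 0 and h % 4 == 0:          # real handle values are positive multiples of 4
        return 'copy of broker handle {:#x}'.format(h)
    return None                        # the real call fails with ERROR_INVALID_HANDLE

def relay_vulnerable(raw, bits=64):
    # Pre-patch shape as the post describes it: only -1 is filtered.
    h = as_signed(raw, bits)
    if h == INVALID_HANDLE_VALUE:
        return 'rejected'
    dup = duplicate_handle_sim(h)
    return 'relayed ' + dup if dup else 'rejected'

def relay_hardened(raw, bits=64):
    # Reject every non-positive value before it can reach DuplicateHandle.
    # Nothing legitimate is lost, and pseudo handles this code has never
    # heard of are covered as well, not just -1 and -2.
    h = as_signed(raw, bits)
    if h <= 0:
        return 'rejected'
    dup = duplicate_handle_sim(h)
    return 'relayed ' + dup if dup else 'rejected'

if __name__ == '__main__':
    # The renderer relays the raw bit pattern of GetCurrentThread(), i.e. -2.
    thread_pseudo = (1 << 64) - 2
    print(relay_vulnerable(thread_pseudo))   # relayed broker object: GetCurrentThread
    print(relay_hardened(thread_pseudo))     # rejected
    print(relay_hardened(0x1a4))             # an ordinary handle is still relayed
```

Rejecting all non-positive values is the safer shape for such a check: real handle values are positive multiples of four, so nothing legitimate is lost, and pseudo handles the list does not know about are covered too. The value has to be interpreted at the sender's pointer width (the bits parameter), otherwise a 32-bit sender's 0xFFFFFFFE reads as a large positive number to a 64-bit broker and slips past a plain sign test.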
For the current process, this constant is -1 (also equal to INVALID_HANDLE_VALUE,\r\nwhich brings its own set of quirks), and the constant for the current thread is -2. Chrome’s IPC code already\r\nchecked for handles equal to -1, but there were no checks for -2 or other undocumented pseudo handles. This\r\noversight led to the vulnerability. As a result, when the broker passed the -2 pseudo handle received from the\r\nrenderer to the DuplicateHandle API function while processing the RelayMessage, it converted -2 into a real\r\nhandle to its own thread and passed it to the renderer.\r\nShortly after the patch was released, it became clear that Chrome was not the only browser affected by the issue.\r\nFirefox developers quickly identified a similar pattern in their IPC code and released an update under CVE-2025-2857.\r\nWhen pseudo handles were first introduced, they simplified development and helped squeeze out extra\r\nperformance – something that was crucial on older PCs. Now, decades later, that outdated optimization has come\r\nback to bite us.\r\nCould we see more bugs like this? Absolutely. In fact, this represents a whole class of vulnerabilities worth\r\nhunting for – similar issues may still be lurking in other applications and Windows system services.\r\nTo learn about the hardening introduced in Google Chrome following the discovery of CVE-2025-2783, we\r\nrecommend checking out Alex Gough’s upcoming presentation, “Responding to an ITW Chrome Sandbox Escape\r\n(Twice!),” at Kawaiicon.\r\nPersistent loader\r\nPersistence is achieved using the Component Object Model (COM) hijacking technique. This method exploits a\r\nsystem’s search order for COM objects. In Windows, each COM class has a registry entry that associates the\r\nCLSID (128-bit GUID) of the COM with the location of its DLL or EXE file. 
These entries are stored in the\r\nsystem registry hive HKEY_LOCAL_MACHINE (HKLM), but can be overridden by entries in the user registry\r\nhive HKEY_CURRENT_USER (HKCU). This enables attackers to override the CLSID entry and run malware\r\nwhen the system attempts to locate and run the correct COM component.\r\nCOM hijacking in a nutshell\r\nThe attackers used this technique to override the CLSID of twinapi.dll {AA509086-5Ca9-4C25-8F95-589D3C07B48A} and cause the system processes and web browsers to load the malicious DLL.\r\nThis malicious DLL is a loader that decrypts and executes the main malware. The payload responsible for loading\r\nthe malware is encoded using a simple binary encoder similar to those found in the Metasploit framework. It is\r\nalso obfuscated with OLLVM. Since the hijacked COM object can be loaded into many processes, the payload\r\nchecks the name of the current process and only loads the malware when it is executed by certain processes (e.g.,\r\nrdpclip.exe). The main malware is decrypted using a modified ChaCha20 algorithm. The loader also has the\r\nfunctionality to re-encrypt the malware using the BIOS UUID to bind it to the infected machine. The decrypted\r\ndata contains the main malware and a shellcode generated by Donut that launches it.\r\nLeetAgent\r\nLeetAgent is the spyware used in the Operation ForumTroll campaign. We named it LeetAgent because all of its\r\ncommands are written in leetspeak. You might not believe it, but this is rare in APT malware. 
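LeetAgent's configuration, described further down in this section as TLV-encoded and protected with a single-byte XOR, is the kind of blob an analyst carves out of a dump and has to decode without knowing the key. The decoder below is added here as an example and is not LeetAgent's or Kaspersky's code. The post gives only the scheme, so the 1-byte tag and 1-byte length layout, the tag meanings and the sample blob are all constructed assumptions. It recovers the key two ways: from a known plaintext fragment (a crib such as a User-Agent prefix), and blind, by trying all 256 keys, keeping those whose TLV walk is self-consistent and ranking them by how much of the value data is printable ASCII. The same approach applies to the XOR-protected Dante configuration and module metadata mentioned later in the post.

```python
# Added example, not LeetAgent's or Kaspersky's code. The post says the
# LeetAgent configuration is TLV-encoded and XORed with a single byte but does
# not give the layout, so the 1-byte tag / 1-byte length layout and the tag
# meanings below are assumptions, and the sample blob is constructed.
import string

ASSUMED_TAGS = {1: 'c2_host', 2: 'c2_port', 3: 'user_agent', 4: 'uri_path', 5: 'beacon_seconds'}
PRINTABLE = set(string.printable.encode())

def xor_bytes(data, key):
    # A single-byte XOR is its own inverse: the same call encodes and decodes.
    return bytes(b ^ key for b in data)

def encode_tlv(items):
    out = bytearray()
    for tag, value in items:
        out += bytes([tag, len(value)]) + value
    return bytes(out)

def walk_tlv(buf):
    # (tag, value) list, or None if the walk does not land exactly on the end
    # of the buffer; that is the cheapest structural check for a wrong key.
    items, i = [], 0
    while i < len(buf):
        if i + 2 > len(buf):
            return None
        tag, length = buf[i], buf[i + 1]
        i += 2
        if i + length > len(buf):
            return None
        items.append((tag, buf[i:i + length]))
        i += length
    return items

def key_from_crib(blob, crib):
    # Known-plaintext recovery: with a one-byte key, the key is blob[i] ^ crib[0]
    # at the offset i where the whole crib lines up.
    for i in range(len(blob) - len(crib) + 1):
        key = blob[i] ^ crib[0]
        if xor_bytes(blob[i:i + len(crib)], key) == crib:
            return key
    return None

def rank_keys(blob):
    # No crib available: try all 256 keys, keep the ones with a consistent TLV
    # walk, and rank by the share of value bytes that are printable ASCII.
    ranked = []
    for key in range(256):
        items = walk_tlv(xor_bytes(blob, key))
        if not items:
            continue
        values = b''.join(v for _, v in items)
        score = sum(b in PRINTABLE for b in values) / max(len(values), 1)
        ranked.append((score, key, items))
    ranked.sort(key=lambda c: c[0], reverse=True)
    return ranked

def decode_config(blob, crib=None):
    # Crib first if one is known, otherwise the top-ranked blind candidate.
    key = key_from_crib(blob, crib) if crib else None
    if key is None:
        ranked = rank_keys(blob)
        if not ranked:
            return None
        key = ranked[0][1]
    fields = {'xor_key': key}
    for tag, value in walk_tlv(xor_bytes(blob, key)) or []:
        name = ASSUMED_TAGS.get(tag, 'tag_{}'.format(tag))
        text = value.decode('ascii', 'replace')
        fields[name] = int(text) if tag in (2, 5) and text.isdigit() else text
    return fields

# Constructed sample: an encrypted blob as it might be carved from a dump.
SAMPLE_CONFIG = [
    (1, b'c2.example.invalid'),
    (2, b'443'),
    (3, b'Mozilla/5.0 (Windows NT 10.0; Win64; x64)'),
    (4, b'/static/bootstrap.bundle.min.js'),
    (5, b'60'),
]
SAMPLE_BLOB = xor_bytes(encode_tlv(SAMPLE_CONFIG), 0x5A)

if __name__ == '__main__':
    print(decode_config(SAMPLE_BLOB, crib=b'Mozilla/'))   # key recovered from the crib
    print(decode_config(SAMPLE_BLOB))                     # blind: top-ranked key
```

The blind ranking is a heuristic and can tie when several keys map the plaintext onto printable bytes, which is why rank_keys returns the whole ordered list rather than one answer; a crib, when any fragment of the plaintext is known, settles the key exactly.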
The malware\r\nconnects to one of its C2 servers specified in the configuration and uses HTTPS to receive and execute commands\r\nidentified by unique numeric values:\r\n0xC033A4D (COMMAND) – Run command with cmd.exe\r\n0xECEC (EXEC) – Execute process\r\n0x6E17A585 (GETTASKS) – Get list of tasks that agent is currently executing\r\n0x6177 (KILL) – Stop task\r\n0xF17E09 (FILE \\x09) – Write file\r\n0xF17ED0 (FILE \\xD0) – Read file\r\n0x1213C7 (INJECT) – Inject shellcode\r\n0xC04F (CONF) – Set communication parameters\r\n0xD1E (DIE) – Quit\r\n0xCD (CD) – Change current directory\r\n0x108 (JOB) – Set parameters for keylogger or file stealer\r\nIn addition to executing commands received from its C2, it runs keylogging and file-stealing tasks in the\r\nbackground. By default, the file-stealer task searches for documents with the following extensions: *.doc, *.xls,\r\n*.ppt, *.rtf, *.pdf, *.docx, *.xlsx, *.pptx.\r\nThe configuration data is encoded using the TLV (tag-length-value) scheme and encrypted with a simple single-byte XOR cipher. The data contains settings for communicating with the C2, including many settings for traffic\r\nobfuscation.\r\nIn most of the observed cases, the attackers used the Fastly.net cloud infrastructure to host their C2. Attackers\r\nfrequently use it to download and run additional tools such as 7z, Rclone, SharpChrome, etc., as well as additional\r\nmalware (more on that below).\r\nThe number of traffic obfuscation settings may indicate that LeetAgent is a commercial tool, though we have only\r\nseen ForumTroll APT use it.\r\nFinding Dante\r\nIn our opinion, attributing unknown malware is the most challenging aspect of security research. Why? 
Because\r\nit’s not just about analyzing the malware or exploits used in a single attack; it’s also about finding and analyzing\r\nall the malware and exploits used in past attacks that might be related to the one you’re currently investigating.\r\nThis involves searching for and investigating similar attacks using indicators of compromise (IOCs) and tactics,\r\ntechniques, and procedures (TTPs), as well as identifying overlaps in infrastructure, code, etc. In short, it’s about\r\nfinding and piecing together every scrap of evidence until a picture of the attacker starts to emerge.\r\nWe traced the first use of LeetAgent back to 2022 and discovered more ForumTroll APT attacks on organizations\r\nand individuals in Russia and Belarus. In many cases, the infection began with a phishing email containing\r\nmalicious attachments with the following names:\r\nBaltic_Vector_2023.iso (translated from Russian)\r\nDRIVE.GOOGLE.COM (executable file)\r\nInvitation_Russia-Belarus_strong_partnership_2024.lnk (translated from Russian)\r\nVarious other file names mentioning individuals and companies\r\nIn addition, we discovered another cluster of similar attacks that used more sophisticated spyware instead of\r\nLeetAgent. We were also able to track the first use of this spyware back to 2022. In this cluster, the infections\r\nbegan with phishing emails containing malicious attachments with the following names:\r\nSCAN_XXXX_\u003cDATE\u003e.pdf.lnk\r\n\u003cDATE\u003e_winscan_to_pdf.pdf.lnk\r\nRostelecom.pdf.lnk (translated from Russian)\r\nVarious others\r\nThe attackers behind this activity used similar file system paths and the same persistence method as the LeetAgent\r\ncluster. 
This led us to suspect that the two clusters might be related, and we confirmed a direct link when we\r\ndiscovered attacks in which this much more sophisticated spyware was launched by LeetAgent.\r\nConnection between LeetAgent and commercial spyware called Dante\r\nAfter analyzing this previously unknown, sophisticated spyware, we were able to identify it as commercial\r\nspyware called Dante, developed by the Italian company Memento Labs.\r\nThe Atlantic Council’s Cyber Statecraft Initiative recently published an interesting report titled “Mythical Beasts\r\nand where to find them: Mapping the global spyware market and its threats to national security and human rights.”\r\nWe think that comparing commercial spyware to mythical beasts is a fitting analogy. While everyone in the\r\nindustry knows that spyware vendors exist, their “products” are rarely discovered or identified. Meanwhile, the\r\nlist of companies developing commercial spyware is huge. Some of the most famous are NSO Group, Intellexa,\r\nParagon Solutions, Saito Tech (formerly Candiru), Vilicius Holding (formerly FinFisher), Quadream, Memento\r\nLabs (formerly Hacking Team), negg Group, and RCS Labs. Some are always in the headlines, some we have\r\nreported on before, and a few have almost completely faded from view. One company in the latter category is\r\nMemento Labs, formerly known as Hacking Team.\r\nHacking Team (also stylized as HackingTeam) is one of the oldest and most famous spyware vendors. Founded in\r\n2003, Hacking Team became known for its Remote Control Systems (RCS) spyware, used by government clients\r\nworldwide, and for the many controversies surrounding it. The company’s trajectory changed dramatically in 2015\r\nwhen more than 400 GB of internal data was leaked online following a hack. In 2019, the company was acquired\r\nby InTheCyber Group and renamed Memento Labs. 
“We want to change absolutely everything,” the Memento\r\nLabs owner told Motherboard in 2019. “We’re starting from scratch.” Four years later, at the ISS World MEA\r\n2023 conference for law enforcement and government intelligence agencies, Memento Labs revealed the name of\r\nits new surveillance tool – DANTE. Until now, little was known about this malware’s capabilities, and its use in\r\nattacks had not been discovered.\r\nExcerpt from the agenda of the ISS World MEA 2023 conference (the typo was introduced on the conference\r\nwebsite)\r\nThe problem with detecting and attributing commercial spyware is that vendors typically don’t include their\r\ncopyright information or product names in their exploits and malware. In the case of the Dante spyware, however,\r\nattribution was simple once we got rid of VMProtect’s obfuscation and found the malware name in the code.\r\nDante spyware name in the code\r\nDante\r\nOf course, our attribution isn’t based solely on the string “Dante” found in the code, but it was an important clue\r\nthat pointed us in the right direction. After some additional analysis, we found a reference to a “2.0” version of the\r\nmalware, which matches the title of the aforementioned conference talk. We then searched for and identified the\r\nmost recent samples of Hacking Team’s Remote Control Systems (RCS) spyware. Memento Labs kept improving\r\nits codebase until 2022, when it was replaced by Dante. Even with the introduction of the new malware, however,\r\nnot everything was built from scratch; the later RCS samples share quite a few similarities with Dante. All these\r\nfindings make us very confident in our attribution.\r\nWhy did the authors name it Dante? This may be a nod to tradition, as RCS spyware was also known as “Da\r\nVinci”. 
But it could also be a reference to Dante’s poem Divine Comedy, alluding to the many “circles of hell”\r\nthat malware analysts must pass through when detecting and analyzing the spyware given its numerous anti-analysis techniques.\r\nFirst of all, the spyware is packed with VMProtect. It obfuscates control flow, hides imported functions, and adds\r\nanti-debugging checks. On top of that, almost every string is encrypted.\r\nVMProtect anti-debugging technique\r\nTo protect against dynamic analysis, Dante uses the following anti-hooking technique: when code needs to\r\nexecute an API function, its address is resolved using a hash, its body is parsed to extract the system call number,\r\nand then a new system call stub is created and used.\r\nDante anti-hooking technique (simplified)\r\nIn addition to VMProtect’s anti-debugging techniques, Dante uses some common methods to detect debuggers.\r\nSpecifically, it checks the debug registers (Dr0–Dr7) using NtGetContextThread, inspects the\r\nKdDebuggerEnabled field in the KUSER_SHARED_DATA structure, and uses NtQueryInformationProcess to\r\ndetect debugging by querying the ProcessDebugFlags, ProcessDebugPort, ProcessDebugObjectHandle, and\r\nProcessTlsInformation classes.\r\nTo protect itself from being discovered, Dante employs an interesting method of checking the environment to\r\ndetermine if it is safe to continue working. It queries the Windows Event Log for events that may indicate the use\r\nof malware analysis tools or virtual machines (as a guest or host).\r\nThe strings Dante searches for in the event logs\r\nIt also performs several anti-sandbox checks. 
It searches for “bad” libraries, measures the execution times of the\r\nsleep() function and the cpuid instruction, and checks the file system.\r\nSome of these anti-analysis techniques may be a bit annoying, but none of them really work or can stop a\r\nprofessional malware analyst. We deal with these techniques on an almost daily basis.\r\nAfter performing all the checks, Dante does the following: decrypts the configuration and the orchestrator, finds\r\nthe string “DANTEMARKER” in the orchestrator, overwrites it with the configuration, and then loads the\r\norchestrator.\r\nThe configuration is decrypted from the data section of the malware using a simple XOR cipher. The orchestrator\r\nis decrypted from the resource section and poses as a font file. Dante can also load and decrypt the orchestrator\r\nfrom the file system if a newer, updated version is available.\r\nThe orchestrator displays the code quality of a commercial product, but isn’t particularly interesting. It is\r\nresponsible for communication with the C2 over HTTPS, handling modules and configuration, self-protection,\r\nand self-removal.\r\nModules can be saved and loaded from the file system or loaded from memory. The infection identifier (GUID) is\r\nencoded in Base64. Parts of the resulting string are used to derive the path to a folder containing modules and the\r\npath to additional settings stored in the registry.\r\nAn example of Dante’s path derivation\r\nThe folder containing modules includes a binary file that stores information about all downloaded modules,\r\nincluding their versions and filenames. This metadata file is encrypted with a simple XOR cipher, while the\r\nmodules are encrypted with AES-256-CBC, using the first 0x10 bytes of the module file as the IV and the key\r\nbound to the machine. 
The key is equal to the SHA-256 hash of a buffer containing the CPU identifier and the\r\nWindows Product ID.\r\nTo protect itself, the orchestrator uses many of the same anti-analysis techniques, along with additional checks for\r\nspecific process names and drivers.\r\nIf Dante doesn’t receive commands within the number of days specified in the configuration, it deletes itself and\r\nall traces of its activity.\r\nAt the time of writing this report, we were unable to analyze additional modules because there are currently no\r\nactive Dante infections among our users. However, we would gladly analyze them if they become available. Now\r\nthat information about this spyware has been made public and its developer has been identified, we hope it won’t\r\nbe long before additional modules are discovered and examined. To support this effort, we are sharing a method\r\nthat can be used to identify active Dante spyware infections (see the Indicators of compromise section).\r\nAlthough we didn’t see the ForumTroll APT group using Dante in the Operation ForumTroll campaign, we have\r\nobserved its use in other attacks linked to this group. Notably, we saw several minor similarities between this\r\nattack and others involving Dante, such as similar file system paths, the same persistence mechanism, data hidden\r\nin font files, and other minor details. Most importantly, we found similar code shared by the exploit, loader, and\r\nDante. Taken together, these findings allow us to conclude that the Operation ForumTroll campaign was also\r\ncarried out using the same toolset that comes with the Dante spyware.\r\nConclusion\r\nThis time, we have not one, but three conclusions.\r\n1) DuplicateHandle is a dangerous API function. 
If the process is privileged and the user can provide a handle to\r\nit, the code should return an error when a pseudo-handle is supplied.\r\n2) Attribution is the most challenging part of malware analysis and threat intelligence, but also the most rewarding\r\nwhen all the pieces of the puzzle fit together perfectly. If you ever dreamed of being a detective as a child and\r\nsolving mysteries like Sherlock Holmes, Miss Marple, Columbo, or Scooby-Doo and the Mystery Inc. gang, then\r\nthreat intelligence might be the right job for you!\r\n3) Back in 2019, Hacking Team’s new owner stated in an interview that they wanted to change everything and\r\nstart from scratch. It took some time, but by 2022, almost everything from Hacking Team had been redone. Now\r\nthat Dante has been discovered, perhaps it’s time to start over again.\r\nFull details of this research, as well as future updates on ForumTroll APT and Dante, are available to customers of\r\nthe APT reporting service through our Threat Intelligence Portal.\r\nContact: intelreports@kaspersky.com\r\nIndicators of compromise\r\nKaspersky detections\r\nExploit.Win32.Generic\r\nExploit.Win64.Agent\r\nTrojan.Win64.Agent\r\nTrojan.Win64.Convagent.gen\r\nHEUR:Trojan.Script.Generic\r\nPDM:Exploit.Win32.Generic\r\nPDM:Trojan.Win32.Generic\r\nUDS:DangerousObject.Multi.Generic\r\nTTP detection rules in Kaspersky NEXT EDR Expert\r\nsuspicious_drop_dll_via_chrome\r\nThis rule detects a DLL load within a Chrome process, initiated via Outlook. 
This behavior is consistent with\r\nexploiting a vulnerability that enables browser sandbox bypass through the manipulation of Windows pseudo-handles and IPC.\r\npossible_com_hijacking_by_memento_labs_via_registry\r\nThis rule detects an attempt at system persistence via the COM object hijacking technique, which exploits\r\npeculiarities in the Windows COM component resolution process. This feature allows malicious actors to create\r\ncustom CLSID entries in the user-specific registry branch, thereby overriding legitimate system components.\r\nWhen the system attempts to instantiate the corresponding COM object, the malicious payload executes instead of\r\nthe original code.\r\ncve_exploit_detected\r\nThis generic rule is designed to detect attempts by malicious actors to exploit various vulnerabilities. Its logic is\r\nbased on analyzing a broad set of characteristic patterns that reflect typical exploitation behavior.\r\nFolder with modules\r\nThe folder containing the modules is located in %LocalAppData%, and is named with an eight-byte Base64\r\nstring. It contains files without extensions whose names are also Base64 strings that are eight bytes long. One of\r\nthe files has the same name as the folder. 
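A scan for that on-disk footprint, added here as an example; it is neither Kaspersky's detection logic nor a Dante artifact. It looks at the direct subfolders of %LocalAppData% for an eight-character Base64 name (the post says eight bytes; the URL-safe alphabet is accepted as well, as an assumption, because a Windows file name cannot contain a slash) and flags a folder only when every file in it is an extensionless eight-character Base64 name and one of them is named exactly like the folder. The directory tree it runs against is constructed in a temporary folder; on a Windows host it also scans the real location.

```python
# Added example, not Kaspersky's detection logic and not a Dante artifact:
# hunt for the module folder described in the IOC section. The Base64 alphabet
# here includes the URL-safe characters, since a Windows file name cannot
# contain a slash; which variant Dante uses is an assumption.
import os
import re
import tempfile

B64_8 = re.compile('^[A-Za-z0-9+/_-]{8}$')

def looks_like_module_name(name):
    # Eight Base64 characters and no extension.
    return '.' not in name and B64_8.match(name) is not None

def find_dante_module_folders(local_app_data):
    # Returns [(folder_path, sorted file names)] for each direct subfolder
    # that matches the footprint: Base64 folder name, only extensionless
    # Base64-named files, one of them named exactly like the folder.
    hits = []
    try:
        entries = sorted(os.listdir(local_app_data))
    except OSError:
        return hits
    for entry in entries:
        folder = os.path.join(local_app_data, entry)
        if not looks_like_module_name(entry) or not os.path.isdir(folder):
            continue
        try:
            files = sorted(os.listdir(folder))
        except OSError:
            continue                # unreadable folder, skip rather than abort the scan
        if not files or entry not in files:
            continue                # the metadata file named like its folder is the key tell
        if all(looks_like_module_name(f) and os.path.isfile(os.path.join(folder, f)) for f in files):
            hits.append((folder, files))
    return hits

def build_sample_tree(root):
    # Constructed tree: one folder matching the footprint plus decoys.
    def touch(*parts):
        path = os.path.join(root, *parts)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, 'wb') as fh:
            fh.write(b'x')
    touch('Q2h1bmdh', 'Q2h1bmdh')                            # metadata file named like the folder
    touch('Q2h1bmdh', 'bW9kdWxl')                            # a module
    touch('Q2h1bmdh', 'a2V5bG9n')                            # another module
    touch('Zm9vYmFy', 'Zm9vYmFy')                            # decoy: a file with an extension is present
    touch('Zm9vYmFy', 'Zm9vYmFy.dat')
    touch('ZGVjb3kx', 'c29tZWZu')                            # decoy: no file named like the folder
    touch('Google', 'Chrome', 'User Data', 'Local State')   # ordinary profile data

def scan_sample_tree():
    root = tempfile.mkdtemp(prefix='dante-ioc-')
    build_sample_tree(root)
    return find_dante_module_folders(root)

if __name__ == '__main__':
    hits = scan_sample_tree()
    real = os.environ.get('LOCALAPPDATA')    # present on a Windows host
    if real:
        hits += find_dante_module_folders(real)
    for folder, files in hits:
        print('possible Dante module folder:', folder, files)
```

A hit is a lead, not a verdict: confirm it by checking that the same-named file decrypts as XOR-protected metadata and that the other files are AES-encrypted blobs with a 16-byte IV prefix, as the post describes, before treating the host as infected.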
This information can be used to identify an active infection.\r\nLoader (MD5, SHA-1, SHA-256)\r\n7d3a30dbf4fd3edaf4dde35ccb5cf926\r\n3650c1ac97bd5674e1e3bfa9b26008644edacfed\r\n2e39800df1cafbebfa22b437744d80f1b38111b471fa3eb42f2214a5ac7e1f13\r\nLeetAgent (MD5, SHA-1, SHA-256)\r\n33bb0678af6011481845d7ce9643cedc\r\n8390e2ebdd0db5d1a950b2c9984a5f429805d48c\r\n388a8af43039f5f16a0673a6e342fa6ae2402e63ba7569d20d9ba4894dc0ba59\r\nDante (MD5, SHA-1, SHA-256)\r\n35869e8760928407d2789c7f115b7f83\r\nc25275228c6da54cf578fa72c9f49697e5309694\r\n07d272b607f082305ce7b1987bfa17dc967ab45c8cd89699bcdced34ea94e126\r\nSource: https://securelist.com/forumtroll-apt-hacking-team-dante-spyware/117851/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://securelist.com/forumtroll-apt-hacking-team-dante-spyware/117851/"
	],
	"report_names": [
		"117851"
	],
	"threat_actors": [
		{
			"id": "aee1b97f-7d09-4a36-aba9-c65589d9eab0",
			"created_at": "2025-05-29T02:00:03.201432Z",
			"updated_at": "2026-04-10T02:00:03.857667Z",
			"deleted_at": null,
			"main_name": "Operation ForumTroll",
			"aliases": [],
			"source_name": "MISPGALAXY:Operation ForumTroll",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a3687241-9876-477b-aa13-a7c368ffda58",
			"created_at": "2022-10-25T16:07:24.496902Z",
			"updated_at": "2026-04-10T02:00:05.010744Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "ETDA:Hacking Team",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "dfee8b2e-d6b9-4143-a0d9-ca39396dd3bf",
			"created_at": "2022-10-25T16:07:24.467088Z",
			"updated_at": "2026-04-10T02:00:05.000485Z",
			"deleted_at": null,
			"main_name": "Circles",
			"aliases": [],
			"source_name": "ETDA:Circles",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e90c06e4-e3e0-4f46-a3b5-17b84b31da62",
			"created_at": "2023-01-06T13:46:39.018236Z",
			"updated_at": "2026-04-10T02:00:03.183123Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "MISPGALAXY:Hacking Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b8c7c542-43ed-498c-af6b-b4b5f0c75724",
			"created_at": "2024-02-02T02:00:04.026045Z",
			"updated_at": "2026-04-10T02:00:03.529714Z",
			"deleted_at": null,
			"main_name": "Carmine Tsunami",
			"aliases": [
				"DEV-0196",
				"QuaDream"
			],
			"source_name": "MISPGALAXY:Carmine Tsunami",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "38f8da87-b4ba-474b-83e6-5b04d8fb384b",
			"created_at": "2024-02-02T02:00:04.032871Z",
			"updated_at": "2026-04-10T02:00:03.532955Z",
			"deleted_at": null,
			"main_name": "Caramel Tsunami",
			"aliases": [
				"SOURGUM",
				"Candiru"
			],
			"source_name": "MISPGALAXY:Caramel Tsunami",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775439013,
	"ts_updated_at": 1775792207,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/32e66e33d71d6351d0a2710e678d14d1370e88b1.pdf",
		"text": "https://archive.orkl.eu/32e66e33d71d6351d0a2710e678d14d1370e88b1.txt",
		"img": "https://archive.orkl.eu/32e66e33d71d6351d0a2710e678d14d1370e88b1.jpg"
	}
}