10 malware families · Exploits CVEs in the wild

Hacking Team

Also known as: Hacking Team, memento_labs, memento_labs_(formerly_hacking_team)

Memento Labs is an Italian commercial spyware vendor and the successor to Hacking Team, which was acquired by InTheCyber Group in 2019 and rebranded as Memento Labs. Known aliases include Hacking Team and Memento Labs (formerly Hacking Team). Hacking Team was previously known for its Remote Control Systems (RCS), also referred to as Da Vinci.

Reporting links Memento Labs to spyware operations targeting organizations in Russia and Belarus, including media outlets, universities, research centers, government organizations, financial institutions, and other private- and public-sector entities. Kaspersky traced related activity back to at least 2022.

The tooling described includes the Dante spyware platform and the LeetAgent implant. LeetAgent supports command execution, process and task execution, shellcode injection, file read/write and theft, and keylogging; it communicates with its command-and-control (C2) servers over HTTPS with obfuscated configuration and traffic, and some of its infrastructure was hosted via Fastly.net. Dante is a more advanced modular spyware platform: an orchestrator loads and manages modules, C2 runs over HTTPS, and the platform carries anti-analysis and anti-debugging protections, VMProtect obfuscation, self-protection, and self-deletion (self-removal) if C2 is unreachable.

Kaspersky attributed the tools used in Operation ForumTroll to Memento Labs with high confidence, based on code similarities with Hacking Team RCS, shared persistence mechanisms, and the discovery of the Dante name in deobfuscated code. Operation ForumTroll exploited the Chrome zero-day CVE-2025-2783 and targeted government and private-sector entities in Russia and Belarus; related reporting says the campaign was conducted by a nation-state threat group or state-sponsored APT using commercial spyware tools from Memento Labs. Kaspersky did not observe Dante used directly in Operation ForumTroll, but linked it to related attacks using the same toolset.

Older Hacking Team activity includes OS X malware delivered via exploit chains such as Flash and Word documents, with samples installing binaries into ~/Library/Preferences and newer versions packing the main backdoor module with MPRESS. In 2012, Ahmed Mansoor's laptop was infected with Hacking Team spyware delivered through a booby-trapped Microsoft Word document exploiting CVE-2010-3333. Other names referenced by external tracking include Dante APT, TaxOff, and Team46.
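The ~/Library/Preferences drop location mentioned above is an unusual home for executables, since that directory normally holds only property-list files. The following hunt script is an added example, not code from this page or from any vendor: it walks a Preferences-style tree and flags files that carry a Mach-O or fat-binary magic number regardless of their name or extension. The directory layout and the sample files it creates are constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path

# Mach-O magic numbers (32/64-bit, both byte orders) plus the fat/universal header.
# Note: 0xCAFEBABE is also the Java class-file magic, so a hit on that value
# deserves a second look before being called a Mach-O binary.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce",  # MH_MAGIC
    b"\xce\xfa\xed\xfe",  # MH_CIGAM
    b"\xfe\xed\xfa\xcf",  # MH_MAGIC_64
    b"\xcf\xfa\xed\xfe",  # MH_CIGAM_64
    b"\xca\xfe\xba\xbe",  # FAT_MAGIC (universal binary)
    b"\xbe\xba\xfe\xca",  # FAT_CIGAM
}

def is_macho(path: Path) -> bool:
    """True if the file's first four bytes match a Mach-O or fat-binary magic."""
    try:
        with path.open("rb") as f:
            return f.read(4) in MACHO_MAGICS
    except OSError:
        return False

def find_binaries(prefs_dir: Path) -> list:
    """Return every regular file under prefs_dir that looks like a Mach-O binary.
    Assumption: a legitimate Preferences tree holds plists, not executables,
    so any hit is worth triage. Symlinks are skipped so the walk stays in-tree."""
    hits = []
    for root, _dirs, files in os.walk(prefs_dir):
        for name in files:
            p = Path(root) / name
            if not p.is_symlink() and is_macho(p):
                hits.append(p)
    return sorted(hits)

def run_sample() -> list:
    """Build a constructed sample tree in a temp dir, scan it, return hit names."""
    with tempfile.TemporaryDirectory() as tmp:
        prefs = Path(tmp) / "Library" / "Preferences"
        hidden = prefs / ".cache"          # constructed hiding spot for the sample
        hidden.mkdir(parents=True)
        (prefs / "com.apple.finder.plist").write_bytes(b"bplist00")      # benign
        (prefs / "com.example.app.plist").write_bytes(b'<?xml version="1.0"?>')
        (hidden / "helper").write_bytes(b"\xcf\xfa\xed\xfe" + b"\x00" * 28)  # 64-bit Mach-O header
        return [p.name for p in find_binaries(prefs)]

if __name__ == "__main__":
    for name in run_sample():
        print("executable found in Preferences tree:", name)
```

Point `find_binaries` at a real `~/Library/Preferences` to run the same check on a live host; the scan reads only four bytes per file, so it is cheap enough for routine use.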


MITRE ATT&CK

Tradecraft

35 distinct techniques observed across reporting, grouped by tactic.

10 of 15 tactics, 40 techniques (technique entries are repeated where they fall under more than one tactic). ×N = number of intelligence reports citing this technique.
TA0001 Initial Access (3 techniques)
  T1189 Drive-by Compromise (×5)
  T1190 Exploit Public-Facing Application (×4)
  T1566 Phishing (×3)
    T1566.001 Spearphishing Attachment (×2)
    T1566.002 Spearphishing Link (×2)

TA0002 Execution (2 techniques)
  T1203 Exploitation for Client Execution (×4)
  T1204 User Execution
    T1204.002 Malicious File (×3)

TA0004 Privilege Escalation (1 technique)
  T1068 Exploitation for Privilege Escalation (×2)

TA0005 Stealth (4 techniques)
  T1027 Obfuscated Files or Information
    T1027.002 Software Packing (×2)
  T1036 Masquerading (×2)
  T1070 Indicator Removal
    T1070.004 File Deletion (×2)
  T1497 Virtualization/Sandbox Evasion
    T1497.001 System Checks

TA0006 Credential Access (4 techniques)
  T1003 OS Credential Dumping
  T1056 Input Capture
    T1056.001 Keylogging (×3)
  T1528 Steal Application Access Token
  T1555 Credentials from Password Stores (×2)

TA0007 Discovery (3 techniques)
  T1082 System Information Discovery
  T1083 File and Directory Discovery
  T1497 Virtualization/Sandbox Evasion
    T1497.001 System Checks

TA0008 Lateral Movement (1 technique)
  T1210 Exploitation of Remote Services

TA0009 Collection (6 techniques)
  T1005 Data from Local System (×4)
  T1056 Input Capture
    T1056.001 Keylogging (×3)
  T1113 Screen Capture (×3)
  T1115 Clipboard Data
  T1123 Audio Capture (×6)
  T1125 Video Capture (×5)

TA0011 Command and Control (4 techniques)
  T1001 Data Obfuscation
  T1071 Application Layer Protocol (×2)
  T1090 Proxy
    T1090.003 Multi-hop Proxy
  T1105 Ingress Tool Transfer (×2)

TA0010 Exfiltration (2 techniques)
  T1041 Exfiltration Over C2 Channel
  T1048 Exfiltration Over Alternative Protocol
Recent activity

11 sources tracked across advisories, community write-ups, and news.

Profile sections

  Target overlap: sector, geography, and tech-stack targeting.
  Tradecraft mapping (35): every observed MITRE ATT&CK technique, grouped by tactic.
  Malware arsenal (10): families this actor is known to deploy, with IOCs and behavior.
  Exploited CVEs (3): CVEs this actor has used in known campaigns.
  Detection signatures: YARA, Sigma, Snort, and vendor rules.
  Observables: domains, IPs, and hashes tied to this actor.