

Ethical Hacking News

Memento Labs Resurfaces: A Ghost from the Hacking Team's Past


Memento Labs, once thought to be eradicated, has resurfaced with a sophisticated attack leveraging a validator script in browsers and a zero-day vulnerability in Chrome. The group's revival poses significant concerns for individuals and organizations worldwide, highlighting the need for continued vigilance and proactive measures to counter such complex threats.

  • Memento Labs, a notorious entity known for its involvement in high-stakes cyber espionage, has made a surprising comeback.
  • A sophisticated attack leveraging a validator script in browsers was used to verify victims and download the next stage.
  • LeetAgent spyware, which offered keylogging, file stealing, and remote command execution functionalities, was deployed.
  • Similarities between Memento Labs' revival and Operation ForumTroll's campaign suggest a connection between the two entities.
  • The presence of a commercial implant dubbed Dante, previously associated with Memento Labs, indicates the group's adaptability.
  • Attribution remains a challenging aspect of threat intelligence, often likened to solving a detective mystery.
  • Memento Labs' resurgence poses significant concerns for individuals and organizations worldwide.



Memento Labs, once a notorious entity known for its involvement in high-stakes cyber espionage, has made a surprising comeback. The latest intelligence suggests that this infamous group may never truly have been eradicated; rather, it was biding its time, waiting for the right moment to strike again. In October 2025, Kaspersky experts uncovered evidence that Memento Labs, formerly known as Hacking Team, had revived its dormant operations.

At the heart of this resurgence is an attack chain that began with a validator script running in the victim's browser. The script used WebGPU to confirm that a real user was present, thereby bypassing sandbox protections, and only then verified the victim and securely downloaded the next stage. That stage exploited CVE-2025-2783, a zero-day vulnerability in Chrome, to execute shellcode within the browser process.

Memento Labs' re-emergence was also marked by the deployment of LeetAgent spyware, which offered keylogging, file stealing, and remote command execution. LeetAgent employed extensive obfuscation, making it hard for researchers to dissect its inner workings; through diligent analysis, however, Kaspersky experts managed to uncover vital details about the attacker's tactics.

The connection between Memento Labs' revival and a previous campaign attributed to another entity, known as Operation ForumTroll, has sparked renewed interest in this realm of cyber espionage. Researchers identified similarities in the code used across both operations, suggesting that they were conducted using tools developed by Memento Labs. This revelation underscores the group's adaptability and its willingness to reuse existing resources.

A closer examination of LeetAgent revealed the presence of a commercial implant dubbed Dante, previously associated with Memento Labs (formerly Hacking Team). Dante is characterized by heavy obfuscation, anti-debugging checks, and an orchestrator that manages HTTPS connections. This layered architecture meant researchers had to carefully unpack the code to recover any usable clues.

Kaspersky's report on this matter provides invaluable insight into the tactics employed by Memento Labs. The experts drew several key conclusions from their analysis:

1. The Windows API function DuplicateHandle is dangerous when misused by privileged processes, and such misuse can have catastrophic consequences.
2. Attribution remains an essential yet challenging aspect of threat intelligence, often likened to solving a complex detective mystery.
3. Despite Memento Labs' 2019 reboot, the recent discovery of Dante spyware suggests that the group may need to reevaluate its strategy and consider starting anew.

In light of this information, it is clear that Memento Labs' resurgence poses significant concerns for individuals and organizations worldwide. As threat intelligence continues to evolve, it is crucial to stay vigilant and proactive in countering such sophisticated attacks.

A comprehensive list of indicators of compromise has been published by Kaspersky to aid researchers and security professionals in their efforts to combat this threat.

In conclusion, Memento Labs' revival serves as a stark reminder of the ever-present dangers lurking within the cyber underworld. Defenders must remain vigilant and adapt their strategies to counter such complex threats.



Related Information:

  • https://www.ethicalhackingnews.com/articles/Memento-Labs-Resurfaces-A-Ghost-from-the-Hacking-Teams-Past-ehn.shtml
  • https://securityaffairs.com/183913/apt/memento-labs-the-ghost-of-hacking-team-has-returned-or-maybe-it-was-never-gone-at-all.html
  • https://www.bleepingcomputer.com/news/security/italian-spyware-vendor-linked-to-chrome-zero-day-attacks/
  • https://nvd.nist.gov/vuln/detail/CVE-2025-2783
  • https://www.cvedetails.com/cve/CVE-2025-2783/
  • https://cyberpress.org/apt-hackers-use-chrome-zero-day-to-evade-sandbox-protections/
  • https://www.securityweek.com/chrome-zero-day-exploitation-linked-to-hacking-team-spyware/

Published: Mon Oct 27 16:43:33 2025 by llama3.2 3B Q4_K_M