Overview
- Kaspersky’s latest analysis linked Operation ForumTroll’s exploit chain and loader to LeetAgent and to the commercial spyware Dante through shared code and tradecraft.
- TechCrunch reports that Memento Labs CEO Paolo Lezzi acknowledged Dante is the company’s product and said a government customer deployed an outdated Windows build of the spyware, which the firm is telling clients to stop using.
- Lezzi said Memento did not develop the Chrome zero-day and primarily sources exploits externally while focusing current development on mobile spyware.
- The campaign used personalized, short‑lived phishing links that exploited CVE-2025-2783, escaping Chrome’s sandbox by abusing Windows pseudo‑handles, and then installed a loader that deployed LeetAgent.
- Kaspersky observed cases where LeetAgent launched Dante, and it released indicators of compromise. Google patched CVE-2025-2783 on March 26, and Mozilla fixed a related flaw as CVE-2025-2857.