Free, Unbiased, and Open threat intelligence

Operation ForumTroll: Hacking Team Returns with Dante Spyware and Chrome Zero-Day

Threat Profile

Description

Kaspersky discovered Operation ForumTroll in March 2025: a sophisticated espionage campaign targeting media outlets, universities, research centers, government organizations, and financial institutions in Russia and Belarus. The attackers sent personalized spear-phishing emails disguised as invitations to the Primakov Readings forum; the malicious links they contained were extremely short-lived.

Infection occurred through a zero-day Chrome sandbox escape (CVE-2025-2783) that required no user interaction beyond visiting the malicious website in a Chromium-based browser. The exploit abused a logic flaw in the handling of Windows pseudo handles: the GetCurrentThread API returns the pseudo handle -2, and Chrome's IPC code checked for -1 (GetCurrentProcess) but not for -2. This let attackers use RelayMessage to have the pseudo handle converted, via DuplicateHandle, into a real handle to a browser-process thread, and then gain arbitrary code execution through thread manipulation (suspend, SetThreadContext, resume). Persistence was achieved by COM hijacking of the twinapi.dll CLSID {AA509086-5Ca9-4C25-8F95-589D3C07B48A}.

The campaign deployed LeetAgent spyware, whose commands are encoded in leetspeak (0xC033A4D = COMMAND, 0xECEC = EXEC, etc.); it performs keylogging, file stealing (targeting the .doc, .xls, .ppt, .rtf, and .pdf extensions), and command execution. Kaspersky traced the attacks back to 2022 and discovered Dante spyware, a commercial surveillance tool developed by Memento Labs (formerly Hacking Team). Dante is VMProtect-packed and uses extensive anti-analysis techniques, including anti-hooking via system call stubs, debug register checks, Windows Event Log monitoring for analysis tools, and anti-sandbox checks. The malware uses an orchestrator architecture with AES-256-CBC encrypted modules, stores its configuration marked with the DANTEMARKER string, and deletes itself after a specified number of days without C2 communication.

Attribution was confirmed through code similarities between the exploit, the loader, and Dante, plus shared infrastructure using the Fastly.net CDN for C2. Mozilla Firefox was also affected (CVE-2025-2857).
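The persistence mechanism above is the most practical thing to hunt for on a suspect host. The script below is an added example (not from the Kaspersky report or this profile); it assumes the hijack takes the usual per-user form, a Software\Classes\CLSID\...\InprocServer32 entry under HKCU or HKU that shadows the machine-wide registration of the twinapi.dll CLSID named in the profile.

```powershell
# Added example: hunt for a per-user InprocServer32 override of the twinapi.dll
# CLSID from the profile. Assumes the hijack is a HKCU/HKU Software\Classes\CLSID
# entry shadowing the legitimate HKLM registration (the common COM hijack form).
$Clsid = '{AA509086-5Ca9-4C25-8F95-589D3C07B48A}'

function Get-InprocServerPath {
    param([string]$KeyPath)
    if (-not (Test-Path -Path $KeyPath)) { return $null }
    $value = (Get-ItemProperty -Path $KeyPath).'(default)'
    if ([string]::IsNullOrWhiteSpace($value)) { return $null }
    return [Environment]::ExpandEnvironmentVariables($value)
}

# The legitimate registration lives under HKLM; a per-user entry takes precedence over it.
$machineDll = Get-InprocServerPath "HKLM:\SOFTWARE\Classes\CLSID\$Clsid\InprocServer32"
Write-Host "HKLM registration: $machineDll"

# Check the current user plus every loaded user hive, so an override planted
# under another signed-in account is seen as well.
if (-not (Test-Path -Path 'HKU:')) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
$userRoots = @('HKCU:') + (Get-ChildItem -Path 'HKU:' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
    ForEach-Object { "HKU:\$($_.PSChildName)" })

$findings = foreach ($root in $userRoots) {
    $key = "$root\Software\Classes\CLSID\$Clsid\InprocServer32"
    $userDll = Get-InprocServerPath $key
    if ($null -eq $userDll) { continue }
    # Record whether the DLL exists and whether it carries a valid Authenticode signature.
    $sigStatus = if (Test-Path -LiteralPath $userDll) {
        (Get-AuthenticodeSignature -FilePath $userDll).Status
    } else { 'FileMissing' }
    [pscustomobject]@{
        Hive        = $root
        Dll         = $userDll
        Signature   = $sigStatus
        MatchesHKLM = ($userDll -eq $machineDll)   # -eq is case-insensitive in PowerShell
    }
}

if ($findings) {
    Write-Warning "Per-user InprocServer32 override found for $Clsid"
    $findings | Format-Table -AutoSize
} else {
    Write-Host "No per-user InprocServer32 override for $Clsid"
}
```

Some software legitimately registers per-user COM servers, so treat a hit as a lead to verify (unexpected path, unsigned or missing DLL, path differing from HKLM) rather than a verdict.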

Indicators of Compromise (9)

Malicious loader component
MD5: 7d3a30dbf4fd3edaf4dde35ccb5cf926
SHA1: 3650c1ac97bd5674e1e3bfa9b26008644edacfed
SHA256: 2e39800df1cafbebfa22b437744d80f1b38111b471fa3eb42f2214a5ac7e1f13

LeetAgent spyware
MD5: 33bb0678af6011481845d7ce9643cedc
SHA1: 8390e2ebdd0db5d1a950b2c9984a5f429805d48c
SHA256: 388a8af43039f5f16a0673a6e342fa6ae2402e63ba7569d20d9ba4894dc0ba59

Dante spyware
MD5: 35869e8760928407d2789c7f115b7f83
SHA1: c25275228c6da54cf578fa72c9f49697e5309694
SHA256: 07d272b607f082305ce7b1987bfa17dc967ab45c8cd89699bcdced34ea94e126
