Outdated Memento Spyware Found in New Attacks

Paolo Lezzi, CEO of Milan-based surveillance tech firm Memento Labs, has admitted that one of the company’s government clients was responsible for exposing its Windows spyware known as Dante. The malware was identified by cybersecurity firm Kaspersky in a new report that linked it to attacks on targets in Russia and Belarus.

Lezzi confirmed that the spyware belongs to Memento and said the exposure happened because the client was using an outdated version of the Dante malware, which will be phased out by the end of this year. He added that the company had already asked all customers to stop using its Windows spyware after being alerted to detections by Kaspersky as early as December 2024. Memento plans to issue another warning this week, urging all clients to discontinue the Windows version of its spyware immediately.

The CEO noted that Memento now focuses primarily on developing surveillance software for mobile devices and occasionally sources zero-day vulnerabilities—previously unknown security flaws—from external developers. Lezzi also admitted that some aspects of Memento’s Windows spyware may still reflect remnants of code from Hacking Team, the notorious Italian spyware company that preceded it.

Kaspersky’s report described a hacking group it calls “ForumTroll” using the Dante spyware to target Russian organizations, including media outlets, universities, and government bodies. The attackers reportedly used phishing invitations to a well-known Russian politics and economics event called the Primakov Readings. Although Kaspersky declined to name the government believed to be behind the campaign, researchers noted that the group showed a strong command of Russian language and local culture but was likely not composed of native speakers.

The Dante spyware’s exposure follows a broader wave of cyberattacks exploiting a Chrome zero-day vulnerability. Lezzi clarified that this exploit was not developed by Memento. According to Kaspersky, Memento refined the spyware code inherited from Hacking Team up until 2022, when it was replaced by the newer Dante platform. A unique “DANTEMARKER” tag found in the spyware’s code provided a clear link back to Memento, referencing the name publicly revealed by the company at a surveillance technology conference.

The connection between Memento and Hacking Team runs deep. In 2019, Lezzi acquired Hacking Team—then a disgraced name in the spyware industry—for just one euro, renaming it Memento Labs and claiming he wanted to rebuild from scratch. Hacking Team’s downfall began in 2015, when hacktivist Phineas Fisher breached its servers and leaked more than 400GB of internal data, exposing spyware sales to countries accused of human rights abuses. Those leaks revealed that governments in Ethiopia, Morocco, and the United Arab Emirates had used its tools to target journalists and political opponents.

At the time of the acquisition, Hacking Team had only three remaining government clients—far fewer than the 40-plus it once boasted. Lezzi said Memento today has fewer than 100 customers and only two remaining employees from the old Hacking Team staff.

The resurfacing of spyware linked to Memento shows how deeply entrenched commercial surveillance tools have become. John Scott-Railton, a senior researcher at the University of Toronto’s Citizen Lab, noted that the continued activity of companies like Memento highlights the persistence of this shadow industry despite past scandals. He said the reappearance of spyware descended from one of the most notorious brands in the business underscores the need for stronger accountability and consequences for misuse.

“It says a lot that echoes of the most radioactive and scandalized spyware company are still around,” Scott-Railton said, emphasizing that real deterrence comes from sustained exposure and consequences for abuses of surveillance technology.