LeetAgent: a tool shared by ForumTroll and Dante
LeetAgent is a malware tool used by the ForumTroll APT group, initially targeting Russian organizations via a zero-day Chrome exploit. The same tools were also used to distribute Dante, a sophisticated commercial spyware developed by Memento Labs (formerly HackingTeam). ForumTroll’s attacks involved spear-phishing emails with links exploiting CVE-2025-2783, leading to device compromise. Dante malware features modular encrypted components, victim-specific keys, and self-destruct mechanisms. While initially observed in Russia and Belarus, the malware’s commercial nature and modularity suggest potential wider targeting. No known public exploits exist yet, but the malware’s capabilities pose significant risks to confidentiality and integrity. European organizations, especially those with strategic ties to, or operating in the same sectors as, the targeted Russian entities, should be vigilant. Mitigations include advanced endpoint detection, monitoring for indicators of compromise, and restricting exposure to phishing and zero-day exploits. Countries with strong commercial spyware markets and geopolitical interest in Russia and Eastern Europe are most likely affected. The threat is assessed as high severity due to its sophisticated exploitation, modularity, and espionage capabilities.
AI Analysis
Technical Summary
LeetAgent is a malware tool attributed to the ForumTroll APT group, which was uncovered during investigations into a wave of cyberattacks targeting Russian companies in early 2025. These attacks exploited a zero-day vulnerability in Google Chrome (CVE-2025-2783) via spear-phishing emails inviting targets to a scientific forum, leading to device compromise upon clicking malicious links. The malware, named LeetAgent, communicates with command and control servers using leetspeak-modified commands. Further research revealed that the same toolset was used to distribute Dante, a commercial spyware developed by Memento Labs, the successor to the infamous HackingTeam. Dante is a modular spyware platform featuring encrypted modules with unique keys per victim and self-destruct mechanisms if no commands are received, enhancing stealth and limiting forensic analysis. The discovery of Dante’s use alongside LeetAgent indicates a convergence of APT and commercial spyware toolkits, increasing the threat’s sophistication. While initial infections were detected in Russia and Belarus, the modular and commercial nature of Dante suggests potential for broader targeting. No public exploits are currently known, but the use of a zero-day Chrome vulnerability and spear-phishing indicates high exploitation complexity and targeted attack vectors. The malware’s capabilities include espionage, data exfiltration, and persistence, posing significant risks to confidentiality and integrity of affected systems. Kaspersky’s XDR solutions detected initial infections, and threat intelligence is being shared via their APT threat data service. The threat underscores the evolving landscape where commercial spyware is leveraged by APT groups, complicating attribution and defense.
Potential Impact
For European organizations, the LeetAgent and Dante malware pose significant risks, particularly to entities in media, government, education, and financial sectors that mirror the targeted Russian organizations. The exploitation of a zero-day Chrome vulnerability means that even well-patched environments could be vulnerable until updates are applied. The modular and encrypted nature of Dante spyware allows attackers to maintain stealthy persistence, exfiltrate sensitive data, and potentially disrupt operations through self-destruct mechanisms. The espionage capabilities threaten confidentiality of sensitive information, including intellectual property and strategic communications. Integrity could be compromised if attackers manipulate data or implant further malware. Availability risks exist but are secondary to espionage objectives. The commercial spyware’s presence in the wild increases the likelihood of wider distribution beyond initial targets, potentially affecting European organizations with geopolitical or economic ties to Russia and Eastern Europe. The use of spear-phishing and social engineering increases the attack surface, especially in organizations with less mature security awareness programs. Overall, the threat could lead to significant reputational damage, regulatory penalties under GDPR if personal data is compromised, and operational disruptions.
Mitigation Recommendations
European organizations should implement multi-layered defenses beyond generic advice. Specifically:
1) Deploy advanced endpoint detection and response (EDR) solutions capable of detecting modular and encrypted malware behaviors, including anomaly detection for unusual command and control traffic.
2) Prioritize patching of Google Chrome and related software to remediate CVE-2025-2783 and other zero-day vulnerabilities promptly.
3) Conduct targeted phishing awareness training focusing on spear-phishing tactics mimicking legitimate events or forums.
4) Implement network segmentation to limit lateral movement if initial compromise occurs.
5) Utilize threat intelligence feeds, such as Kaspersky’s APT threat data service, to monitor for indicators of compromise related to LeetAgent and Dante.
6) Employ strict email filtering and URL reputation services to block malicious links.
7) Monitor for self-destruct or cleanup behaviors indicative of Dante’s modular spyware to enable timely incident response.
8) Restrict administrative privileges and enforce multi-factor authentication to reduce attacker foothold.
9) Regularly audit and review logs for unusual activity correlating with known attack patterns.
10) Collaborate with national cybersecurity centers to share intelligence and receive guidance on emerging threats.
Affected Countries
Russia, Belarus, Germany, France, United Kingdom, Poland, Italy, Netherlands
Technical Details
- Article Source: https://www.kaspersky.com/blog/forumtroll-dante-leetagent/54670/ (fetched 2025-10-27T15:23:10Z, 901 words)
Threat ID: 68ff8e5eba6dffc5e2ff113d
Added to database: 10/27/2025, 3:23:10 PM
Last enriched: 10/27/2025, 3:23:25 PM
Last updated: 10/27/2025, 5:53:29 PM