LeetAgent: a tool shared by ForumTroll and Dante
LeetAgent is a malware tool used by the ForumTroll APT group, which exploited a zero-day Chrome vulnerability to infect Russian organizations. The same tools were also used to distribute Dante, a sophisticated commercial spyware developed by Memento Labs (formerly HackingTeam). Dante features modular encrypted components and self-destructs if inactive. The attacks targeted media, government, educational, and financial sectors primarily in Russia and Belarus. No known exploits are currently active in the wild beyond these campaigns. Detection has been achieved through advanced XDR solutions, and threat intelligence is available via Kaspersky’s APT data service. European organizations face risks mainly if targeted by similar threat actors or if they share infrastructure or partnerships with affected regions. Mitigation requires patching browsers, monitoring for indicators of compromise, and employing advanced detection tools. Given the malware’s sophistication, modularity, and use of zero-days, the threat severity is assessed as high.
AI Analysis
Technical Summary
The LeetAgent malware was identified during investigations into attacks by the ForumTroll APT group, which targeted Russian companies using a zero-day vulnerability (CVE-2025-2783) in Google Chrome. The infection vector involved spear-phishing emails inviting targets to a scientific forum, leading to malware deployment once the recipient clicked a malicious link. LeetAgent receives its commands written in 'leet' (modified-spelling) form, and it was used in multiple attacks against media, government, educational, and financial institutions in Russia and Belarus. Further research revealed that the same toolset was used to distribute Dante spyware, a commercial product developed by Memento Labs, the successor to the infamous HackingTeam. Dante is a highly sophisticated modular spyware with encrypted modules unique to each victim and a self-destruct mechanism that triggers if no commands are received from the control server. The malware’s modularity and encryption complicate detection and analysis. The attacks demonstrate a blend of state-level APT tactics and commercial spyware deployment, indicating a convergence of threat actor capabilities. Detection has been primarily through Kaspersky’s XDR solutions, and detailed threat intelligence is provided via their APT data service. No widespread exploitation beyond these campaigns is currently reported, but the presence of zero-day exploitation and advanced spyware indicates a significant threat to targeted organizations.
Potential Impact
For European organizations, the direct impact depends on whether they become targets or have business ties with affected Russian or Belarusian entities. The use of a zero-day Chrome vulnerability implies that any organization using vulnerable browser versions could be at risk if targeted. The modular and encrypted nature of Dante spyware allows attackers to conduct prolonged espionage, data exfiltration, and surveillance, potentially compromising confidentiality and integrity of sensitive information. The self-destruct feature complicates forensic investigations, potentially allowing attackers to cover tracks. The sectors targeted—media, government, education, and finance—are critical for European countries’ information security and economic stability. If similar campaigns spread or if European organizations are targeted by ForumTroll or related actors, the impact could include intellectual property theft, disruption of operations, and reputational damage. The medium severity rating reflects current limited spread but acknowledges the potential for escalation.
Mitigation Recommendations
European organizations should prioritize patching all Google Chrome instances to address CVE-2025-2783 and any related vulnerabilities promptly. Implement advanced endpoint detection and response (EDR) and extended detection and response (XDR) solutions capable of identifying LeetAgent and Dante indicators of compromise, including unusual command-and-control traffic and encrypted module behaviors. Conduct targeted threat hunting focusing on spear-phishing campaigns mimicking legitimate invitations or events, especially those involving scientific or governmental forums. Employ network segmentation and strict access controls to limit lateral movement if infection occurs. Regularly update threat intelligence feeds, including subscribing to specialized APT data services such as Kaspersky’s Threat Intelligence Portal, to stay informed of emerging TTPs and IoCs related to ForumTroll and Dante. Train employees on recognizing sophisticated phishing attempts and enforce multi-factor authentication to reduce account compromise risks. Finally, prepare incident response plans that include forensic readiness to handle malware with self-destruct capabilities.
Affected Countries
Russia, Belarus, Germany, France, United Kingdom, Poland, Italy, Netherlands
Technical Details
- Article Source: https://www.kaspersky.com/blog/forumtroll-dante-leetagent/54670/ (fetched 2025-10-27, 901 words)
Threat ID: 68ff8e5eba6dffc5e2ff113d
Added to database: 10/27/2025, 3:23:10 PM
Last enriched: 11/12/2025, 1:10:31 AM
Last updated: 12/11/2025, 10:57:58 PM