Imagine a digital shadow from the past resurfacing with powerful new tools, targeting nations and institutions without mercy. That's the chilling reality of a spyware empire reborn. But here's where it gets controversial: what if this group's rebirth challenges our notions of cyber accountability in an era of global tensions?
This edition of our newsletter comes courtesy of Knocknoc (https://knocknoc.io/), and if you prefer listening, you can tune into the audio podcast version by searching for 'Risky Business' in your favorite podcatcher or subscribing via our RSS feed (https://risky.biz/feeds/risky-business-news/).
Let's dive into the headline-grabbing story: the entity that emerged from the ashes of Italy's notorious spyware firm HackingTeam is now implicated in aggressive cyberattacks spanning private businesses and public entities in Belarus and Russia. Known as Memento Labs, this group has zeroed in on a wide array of targets, including news organizations, academic institutions, research facilities, governmental bodies, banks, and more.
At the heart of their operations lies a sophisticated spyware system dubbed Dante, which serves as the launchpad for deploying malicious infrastructure, exploits, and their ultimate weapon—the LeetAgent implant. For those new to this, think of LeetAgent as a sneaky backdoor that quietly infiltrates systems, allowing attackers to siphon data or control devices undetected. Russian cybersecurity experts at Kaspersky uncovered these activities back in the spring and have traced them all the way to 2022.
The recent assaults incorporated a fresh Chrome zero-day vulnerability (CVE-2025-2783, detailed in Google's blog here: https://chromereleases.googleblog.com/2025/03/stable-channel-update-for-desktop_25.html), indicating that Memento Labs has meticulously reconstructed its arsenal of zero-day exploits and vulnerabilities since HackingTeam's downfall in the mid-2010s. To put this in simpler terms, a zero-day is a security flaw unknown to the software maker, giving hackers a head start before a patch exists.
The attack sequence kicked off with deceptive phishing emails containing links to bogus websites that triggered the exploit. This zero-day enabled hostile code to breach Chrome's protective sandbox—a virtual 'jail' that isolates potentially dangerous processes—and then chained into a second exploit to execute the payload. And this is the part most people miss: the sheer sophistication behind it all.
Back in March (see Kaspersky's initial report: https://securelist.com/operation-forumtroll/115989/), the researchers described these operations as 'highly sophisticated.' In a fresh analysis released this week (found here: https://securelist.com/forumtroll-apt-hacking-team-dante-spyware/117851/), Kaspersky delved deeper, revealing short-lived server infrastructure that was taken offline as soon as a victim clicked a link and confirmed that the lure had landed. This level of operational security is a rarity in advanced persistent threat (APT) campaigns, where attackers usually leave more digital breadcrumbs. For beginners, APTs are like long-term infiltration missions, not quick smash-and-grab jobs.
The phishing lures were anything but sloppy; they featured meticulously written Russian text, mimicking official invitations to events like the Primakov Readings forum. Kaspersky's Boris Larin elaborated: 'The attackers crafted emails posing as invites from forum organizers, with customized links to monitor infections. These messages were error-free, authentic in tone, and tailored for such gatherings. Mastery of Russian and local nuances sets the ForumTroll APT apart, as seen in prior efforts. That said, errors in some past campaigns hint that the perpetrators might not be native speakers.'
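Per-recipient links of the kind Larin describes leave a recognisable shape in a mailbox: the same scheme, host and path template across recipients, with one opaque, high-entropy token that differs for every mailbox. The following script, added here as an illustration and not code from Kaspersky or from the campaign, groups links seen across received emails and flags fields that are unique per recipient. All hostnames, mailboxes and token values are constructed for the example; a real deployment would feed it the URLs extracted by a mail gateway.

```python
import math
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample: one link per received email, keyed by recipient mailbox.
# Hostnames, recipients and token values are all made up for this example.
SAMPLE_LINKS = {
    "alice@example.org": "https://forum-invite.example/register?inv=a91c3f7e2b04d8a6&utm_source=mail",
    "bob@example.org":   "https://forum-invite.example/register?inv=5e0fd73c19b82a47&utm_source=mail",
    "carol@example.org": "https://forum-invite.example/register?inv=c4d2a8f0e7136b95&utm_source=mail",
    "erin@example.org":  "https://track.example/r/7b2e91c04fd63a58",
    "frank@example.org": "https://track.example/r/d05a3c8e1f7b4926",
    "dave@example.org":  "https://newsletter.example/issue/42",
}


def shannon_entropy(s):
    """Bits of entropy per character: random hex is close to 4, words far below."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def link_fields(url):
    """Break a URL into positional path segments and query parameters.

    Returns (group_key, fields). Links with the same scheme, host and path
    depth are compared field by field, so a token is caught whether it sits
    in the path or in the query string.
    """
    parts = urlsplit(url)
    segments = [seg for seg in parts.path.split("/") if seg]
    fields = {f"path[{i}]": seg for i, seg in enumerate(segments)}
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        fields[f"query:{name}"] = value
    return (parts.scheme, parts.netloc, len(segments)), fields


def find_per_recipient_links(links, min_recipients=2, min_entropy=3.0):
    """Flag URL fields whose value is unique per recipient and high-entropy.

    Same campaign template, different opaque token per mailbox: that is the
    shape of a tracking or one-shot link. Constant fields (utm_source=mail)
    and low-entropy counters (id=1, id=2) are not flagged.
    """
    groups = defaultdict(list)
    for recipient, url in links.items():
        key, fields = link_fields(url)
        groups[key].append((recipient, fields))

    findings = []
    for (_scheme, host, _depth), members in groups.items():
        if len(members) < min_recipients:
            continue
        by_field = defaultdict(list)
        for _recipient, fields in members:
            for name, value in fields.items():
                by_field[name].append(value)
        for name, values in by_field.items():
            present_in_all = len(values) == len(members)
            all_distinct = len(set(values)) == len(values)
            if not (present_in_all and all_distinct):
                continue
            avg_entropy = sum(shannon_entropy(v) for v in values) / len(values)
            if avg_entropy >= min_entropy:
                findings.append({
                    "host": host,
                    "field": name,
                    "recipients": sorted(r for r, _ in members),
                    "avg_entropy": round(avg_entropy, 2),
                })
    return sorted(findings, key=lambda f: (f["host"], f["field"]))


if __name__ == "__main__":
    for f in find_per_recipient_links(SAMPLE_LINKS):
        print(f"{f['host']}: {f['field']} is unique per recipient "
              f"({len(f['recipients'])} mailboxes, entropy {f['avg_entropy']})")
```

On the constructed sample the script flags the `inv` query parameter on forum-invite.example and the second path segment on track.example, while the shared `utm_source` value and the lone newsletter link pass. A hit is a reason to pull the message for review and to treat the link as single-use when sandboxing it: as the Kaspersky analysis notes, infrastructure of this kind can disappear after the first click, so a detonation that follows the victim's click may see nothing at all.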
Despite Kaspersky's thorough investigation, they admit their insight into Memento Labs' Dante platform remains partial, as no platform modules have been recovered. Operations date back to 2022, coinciding with Russia's Ukraine invasion, and are plainly geared toward espionage. Kaspersky stops short of assigning blame to any nation or military unit, though the wink-wink nod is hard to ignore.
Memento Labs' trail extends across Russia, troubling local defenders. Dr.Web detected one phishing spree in September 2024 (read more: https://news.drweb.com/show/?i=14899&lng=en&c=5), while F6 has documented prior incidents under the Dante APT label (see their report: https://www.f6.ru/cybercrime-trends-annual-report-2024-2025/). Positive Technologies initially dubbed them TaxOff and Team46 (explored in: https://ptsecurity.com/research/pt-esc-threat-intelligence/team46-i-taxoff-dve-storony-odnoi-medali/), and connected the dots after Kaspersky's March revelations.
Piecing it together paints a picture of a relentless, well-resourced adversary excelling at pinpoint assaults on Russian-speaking audiences. Previous studies on the Dante-wielding actor, echoed in today's Kaspersky findings, include Dr.Web's early malware flagging with 'DANTEMARK' (via st.drweb.com/static/new-w...), F6's 'Dante APT' tagging (www.f6.ru/cybercrime-t...), and Positive Technologies' linkage of ForumTroll to other clusters (global.ptsecurity.com/en/research/...). As Oleg Shakirov tweeted on October 27, 2025, these connections are shaping a clearer threat landscape.
And here's where it gets controversial: is this group's resurgence a symptom of unchecked cyber arms proliferation, or a justified response in geopolitics? Could nations turning a blind eye to such activities be enabling digital warfare?
Shifting gears to our latest audio show, the main Risky Business podcast now includes video episodes on YouTube. Catch the newest weekly installment hosted by Pat and Adam!
Breaches, Hacks, and Security Incidents
Tragic fallout from a UK Ministry of Defence leak: Forty-nine Afghans have been killed after relatives or colleagues were exposed in a data leak by the UK MoD. The leak exposed details of 19,000 Afghan allies who had aided UK forces during the war. Forty percent reported receiving Taliban death threats after the February 2022 leak, and others suffered assault and torture. (Further details from Arab News: https://www.arabnews.com/node/2620490/world)
F5's breach threatens growth: Tech giant F5 anticipates slower revenue increases in the upcoming quarters due to a recent cyber intrusion. CEO Francois Locoh-Donou informed investors of boosted cybersecurity spending. The breach, disclosed earlier this month, involved suspected Chinese state hackers infiltrating in late 2023 to pilfer source code and vulnerability intel. (More in Axios: https://www.axios.com/2025/10/27/f5-cyberattack-earnings-revenue-hit)
GCash probe underway: Philippine officials are probing a suspected data breach of the GCash mobile payment app. Alleged stolen data surfaced on a dark web forum, encompassing account numbers, names, and Know Your Customer (KYC) info. GCash acknowledges the post but hasn't verified the breach. (Coverage from Philippine News Agency: https://www.pna.gov.ph/articles/1261878)
Svenska Kraftnät servers compromised: Intruders accessed file servers at Sweden's government-run power grid firm, Svenska Kraftnät (details: https://www.svk.se/press-och-nyheter/nyheter/allmanna-nyheter/2025/svenska-kraftnat-har-blivit-utsatta-for-ett-dataintrang/). No energy disruptions occurred, but the Everest ransomware crew claimed responsibility. (Read SecurityWeek: https://www.securityweek.com/hackers-target-swedish-power-grid-operator/)
Conduent's extended breach timeline: In regulatory filings (available: https://www.maine.gov/agviewer/content/ag/985235c7-cb95-4be2-8792-a1252b4f8318/389e9d0d-8e23-497d-aaab-1c4c8a80707f.html), tech contractor Conduent clarified that a January-revealed breach actually started in October 2024.
Gloversville pays up: New York's Gloversville city succumbed to a March ransomware assault, coughing up $150,000 for system recovery. (News10 story: https://www.news10.com/news/fulton-county/city-of-gloversville-hit-by-ransomware-attack/)
House Democrats' resume exposure: An improperly secured database spilled CVs of over 7,000 job applicants to the US House Democrats. The breach stemmed from an unprotected resume storage server. Safety Detectives (report: https://www.safetydetectives.com/news/domewatch-breach-report/) noted the lack of passwords or encryption.
General Tech and Privacy
Azure's new CAPTCHA: Microsoft introduced CAPTCHA challenges (learn more: https://techcommunity.microsoft.com/blog/azurenetworksecurityblog/general-availability-of-captcha-in-azure-front-door-waf/4464704) to its Azure FrontDoor firewall. Starlink users, take note—this might soon be your daily puzzle!
Swift arrives on Android: Apple unveiled the initial beta of Swift for Android (via MacRumors: https://www.macrumors.com/2025/10/26/developers-can-make-android-apps-with-swift/), empowering coders to build Android apps using the Swift language.
Twitter security key renewal: X, phasing out its old domain, is urging users (tweet: https://x.com/safety/status/1981764501947953225) to re-register security keys in the next two weeks. Failure to do so by November 10 could lock accounts.
Microsoft Store app removals: Admins can now delete pre-installed Microsoft Store apps (guidance: https://m365admin.handsontek.net/policy-based-removal-pre-installed-microsoft-store-apps/).
Australia takes on Microsoft: The country's consumer watchdogs sued Microsoft for allegedly deceiving buyers into paying extra for Microsoft 365 with unwanted AI upgrades. (The Guardian coverage: https://www.theguardian.com/australia-news/2025/oct/27/microsoft-sued-allegedly-misleading-millions-australians-ai-pricing-ntwnfb)
Clearview AI faces charges: Privacy advocates at noyb lodged a criminal case (details: https://noyb.eu/en/criminal-complaint-against-facial-recognition-company-clearview-ai) against Clearview AI and its executives for defying GDPR penalties in five nations and flouting bans while scraping billions of EU photos unauthorized for law enforcement facial tech.
Musk's Grokipedia debut: Elon Musk rolled out Grokipedia (site: https://grokipedia.com/), his AI-generated Wiki knockoff powered by Grok, rife with lifted content (The Verge analysis: https://www.theverge.com/news/807686/elon-musk-grokipedia-launch-wikipedia-xai-copied) from the original Wikipedia.
Chrome enforces HTTPS: From October next year, Google Chrome will default to secure HTTPS for all sites, warning on insecure HTTP attempts. This update, in version 154, builds on the 95% of traffic already secured (Google's post: https://security.googleblog.com/2025/10/https-by-default.html).
Government, Politics, and Policy
Europol urges anti-spoofing action: Europol called for international cooperation (statement: https://www.europol.europa.eu/media-press/newsroom/news/fake-number-real-damage-europol-urges-action-against-caller-id-spoofing) to curb caller ID spoofing, advocating tracing tools to block fraudulent calls used in scams.
Trump picks cyber expert for Coast Guard: The White House nominated former Coast Guard Cyber Command head Admiral Kevin Lunday (Wikipedia: https://en.wikipedia.org/wiki/Kevin_Lunday) as the service's next chief. He led the cyber unit from 2016-2018 and has been interim commander since Trump's recent inauguration. (DefenseScoop: https://defensescoop.com/2025/10/27/adm-kevin-lunday-coast-guard-commandant-nomination-trump/)
In this sponsor chat, Patrick Gray discusses with Knocknoc's CEO Adam Pointon why true Zero Trust setups falter. Adding ZTNA for key apps and SSO everywhere is a start, but is it truly Zero Trust? How did we end up here?
Arrests, Cybercrime, and Threat Intel
Italy's mega-hacking plea deals: Fifteen individuals in Italy plan to plead guilty this month over an elaborate hacking-and-extortion ring. Linked to the firm Equalize, they breached government databases to compile dossiers on prominent figures. Police stumbled on the scheme while monitoring a mafia associate who was demanding ransoms. Four were arrested last October (The Record: https://therecord.media/italy-arrests-illegal-dossiers-private-intelligence), among them the ring's leader, ex-police inspector Carmine Gallo, who died in March. (Politico: https://www.politico.eu/article/italy-milan-hackers-carmine-gallo-enrico-pazzali-samuele-calamucci-equalize-mercury-advisors/)
More SMS arrests in the Philippines: Philippine police arrested two men last week for sending spam SMS from vehicles driven around Manila's financial districts and malls, with the messages spoofing local telecoms. The two did not know each other but took orders from the same Chinese handler. (CommsRisk: https://commsrisk.com/same-chinese-boss-gave-orders-to-two-separate-metro-manila-sms-blaster-drivers/)
Malicious npm packages with a CAPTCHA trick: Socket Security uncovered 10 typosquatted npm packages (blog: https://socket.dev/blog/10-npm-typosquatted-packages-deploy-credential-harvester) that display a fake CAPTCHA in the terminal during installation to look legitimate, then deploy a credential harvester.
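Typosquats work because `expresss`, `lodahs` or `lo-dash` read as the real thing in a `package.json` or an `npm install` line. A dependency review step can catch most of them before install by comparing every requested name against a list of widely used packages using an edit distance that counts adjacent-character swaps as one change, plus a normalisation that collapses separators and case. The script below is an added example, not Socket's tooling or any code from the report; the `POPULAR` shortlist and the sample dependency block are constructed, and a real check would load the popular-package set from the registry.

```python
import re

# Constructed shortlist of widely used npm package names. A real check would
# load the top few thousand names from the registry instead of this stub.
POPULAR = {
    "express", "lodash", "react", "axios", "chalk",
    "commander", "debug", "moment", "typescript", "webpack",
}

# Constructed package.json "dependencies" block mixing legitimate names
# with look-alikes of the kind typosquatting campaigns publish.
SAMPLE_DEPENDENCIES = {
    "express": "^4.19.2",
    "expresss": "^1.0.0",
    "lodahs": "^4.17.0",
    "lo-dash": "^1.0.1",
    "axois": "^1.6.0",
    "react-dom": "^18.3.1",
    "typescript": "^5.4.0",
}


def osa_distance(a, b):
    """Optimal string alignment distance: an insertion, deletion, substitution
    or transposition of two adjacent characters each costs 1, so the common
    typo families (doubled letter, dropped letter, swapped pair) all score 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def normalize(name):
    """Collapse the variations squatters lean on: letter case and separators."""
    return re.sub(r"[-_.]", "", name.lower())


def check_package_name(candidate, popular=POPULAR, max_distance=1):
    """Return None for an exact popular name or a name far from all of them;
    otherwise return the popular package it resembles and why."""
    if candidate in popular:
        return None
    norm = normalize(candidate)
    best = None
    for known in popular:
        known_norm = normalize(known)
        if known_norm == norm:
            return {"candidate": candidate, "resembles": known,
                    "reason": "separator/case variant"}
        dist = osa_distance(norm, known_norm)
        if dist <= max_distance and (best is None or dist < best[1]):
            best = (known, dist)
    if best is not None:
        return {"candidate": candidate, "resembles": best[0],
                "reason": f"edit distance {best[1]}"}
    return None


def audit_dependencies(dependencies, popular=POPULAR):
    """Run the name check over a package.json-style dependency map and
    return the entries that resemble, but are not, a popular package."""
    findings = []
    for name in sorted(dependencies):
        hit = check_package_name(name, popular)
        if hit is not None:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for hit in audit_dependencies(SAMPLE_DEPENDENCIES):
        print(f"{hit['candidate']!r} resembles {hit['resembles']!r} ({hit['reason']})")
```

On the constructed block this flags `axois`, `expresss`, `lo-dash` and `lodahs` while leaving `express`, `typescript` and `react-dom` alone. Keep `max_distance` at 1 for short names: at distance 2 the false-positive rate on five-letter names climbs quickly, and a hit should gate the install for a human look rather than block it outright, since new legitimate packages with close names do exist.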
Siberislam profile: Nordic Monitor profiled Siberislam (also known as Mutarrif), the hacktivist crew behind the North American airport display hacks, tying it to IBDA-C, a Turkish extremist group with al-Qaeda connections that is tolerated by local authorities. (Article: https://nordicmonitor.com/2025/10/cyber-jihad-from-turkey-erdogan-protected-al-qaeda-faction-hacked-us-canadian-airports/)
Water Saci links to Coyote: Trend Micro found potential ties (research: https://www.trendmicro.com/en_us/research/25/j/active-water-saci-campaign-whatsapp-update.html) between Brazilian-targeting WhatsApp worm group Water Saci and Coyote banking trojan developers.
Malware Technical Reports
GhostGrab emerges: CyFirma identified GhostGrab (analysis: https://www.cyfirma.com/research/ghostgrab-android-malware/), a novel Android banking trojan that steals info, mines crypto, and more.
Herodotus trojan: ThreatFabric revealed Herodotus (report: https://www.threatfabric.com/blogs/new-android-malware-herodotus-mimics-human-behaviour-to-evade-detection), an Android banking trojan possibly tied to Brokewell, which inserts delays between the keystrokes it injects so that its input looks human to behaviour-based fraud detection.
Atroposia RAT: Varonis spotted Atroposia (blog: https://www.varonis.com/blog/atroposia-rat), a malware-as-a-service (MaaS) remote access trojan that ships with network scanners for lateral movement.
Midnight decrypter free: Avast released a no-cost tool (details: https://www.gendigital.com/blog/insights/research/midnight-ransomware) that lets Midnight ransomware victims decrypt their files, exploiting flaws inherited from the Babuk code the ransomware reuses.
Trigona hits MSSQL: AhnLab examined Trigona (Mimic) attacks on databases (post: https://asec.ahnlab.com/en/90793/).
Qilin methods: Cisco Talos detailed the attack methods of Qilin (report: https://blog.talosintelligence.com/uncovering-qilin-attack-methods-exposed-through-multiple-cases/), the most active ransomware group this year.
In this demo, Knocknoc's Adam Pointon shows Patrick Gray the platform that secures access via existing gear without agents, including identity-aware proxies for web and RDP.
APTs, Cyber-Espionage, and Info-Ops
GhostCall and GhostHire: Kaspersky covered BlueNoroff's crypto-focused campaigns (report: https://securelist.com/bluenoroff-apt-campaigns-ghostcall-and-ghosthire/117842/), using fake meetings and jobs, with AI-accelerated malware for Windows/macOS.
KittenBusters leak: The group released APT35 (Charming Kitten) docs, including finances funded by $10,000 operations linked to Tehran’s Shuhada base (Nariman Gharib: https://blog.narimangharib.com/posts/2025%2F10%2F1761609810950?lang=en).
AI chatbots spread Russian propaganda: Four AI chatbots returned Kremlin narratives on Ukraine in response to 18% of queries, according to the Institute for Strategic Dialogue (report: https://www.isdglobal.org/digital_dispatches/talking-points-when-chatbots-surface-russian-state-media/), a finding echoed by other researchers.
Vulnerabilities, Security Research, and Bug Bounty
XWiki mining attacks: Attackers are exploiting CVE-2025-24893 in XWiki (NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-24893) to deploy cryptominers; VulnCheck detected the activity through its canaries (post: https://www.vulncheck.com/blog/xwiki-cve-2025-24893-eitw).
DELMIA exploits: CISA added two DELMIA vulnerabilities that were abused after patches had been released to its Known Exploited Vulnerabilities catalog (alert: https://www.cisa.gov/news-events/alerts/2025/10/28/cisa-adds-two-known-exploited-vulnerabilities-catalog); this is the second round of DELMIA additions this year (prior: https://www.cisa.gov/news-events/alerts/2025/09/11/cisa-adds-one-known-exploited-vulnerability-catalog).
Unpatched WSO2 flaws: Lexfo disclosed nearly a dozen bugs in WSO2 products (analysis: https://blog.lexfo.fr/wso2.html), including remote code execution, with proof-of-concept code; only one of them (CVE-2025-5717) has been fixed.
Old Bluetooth write-up: Synacktiv published a write-up of CVE-2023-40129 (write-up: https://www.synacktiv.com/en/publications/paint-it-blue-attacking-the-bluetooth-stack), a zero-interaction exploit against the Android Bluetooth stack.
macOS bugs: Karol Mazurek published details and PoCs for a macOS local privilege escalation (CVE-2025-10016) and a TCC bypass (CVE-2025-10015), both rooted in XPC services that fail to validate their clients (post: https://afine.com/threats-of-unvalidated-xpc-clients-on-macos/).
TEE.Fail attack: Researchers disclosed TEE.Fail, a new CPU-level attack that breaks Intel and AMD trusted execution environments (site: https://tee.fail/), following earlier breaks such as RMPocalypse.
Atlas CSRF: LayerX found a CSRF vulnerability in OpenAI's Atlas browser that lets an attacker hijack a victim's ChatGPT access (blog: https://layerxsecurity.com/blog/layerx-identifies-vulnerability-in-new-chatgpt-atlas-browser/), one of several issues reported in the new browser so far. Steer clear!
Infosec Industry
Reports from: Check First (https://checkfirst.network/disinfo2025-our-key-takeaways-from-the-eu-disinfolabs-annual-conference/), Cloudflare (https://blog.cloudflare.com/pq-2025/), CyFirma (https://www.cyfirma.com/research/global-cyber-threat-landscape/), Gen Digital (https://www.gendigital.com/blog/insights/reports/threat-report-q3-2025), GlobalData (https://www.globaldata.com/media/insurance/cyber-insurance-demand-surges-amid-heightened-geopolitical-tensions-reveals-globaldata/), Intruder (https://www.intruder.io/downloads/exposure-management-index), NCC Group (https://www.nccgroup.com/newsroom/ncc-group-monthly-threat-pulse-review-of-september-2025).
ATT&CK v18: MITRE updated the framework (post: https://medium.com/mitre-attack/attack-v18-8f82d839ee9e; updates: https://attack.mitre.org/resources/updates/).
New tools: the readwrite newsletter (https://buttondown.com/readwrite) for OSINT tips; Find-WSUS (https://github.com/mubix/Find-WSUS) to locate WSUS configurations in light of CVE-2025-59287; Zegermans (https://github.com/rootcathacking/zegermans) for German-language password spraying; GlobalCVE (https://globalcve.xyz/) for vulnerability intel; Guilty-As-Yara (https://github.com/Sam0rai/guilty-as-yara) for testing YARA rules.
Conference videos: BSides Dublin 2025 (YouTube: https://www.youtube.com/@securitybsidesdublin/videos); No Hat 2025 (playlist: https://www.youtube.com/playlist?list=PLHAChCRZgm7OorEqngHQh9-mtoBhKwo6d).
Risky Business Podcasts
Between Two Nerds: Tom Uren and The Grugq analyze a Chinese CERT claim of NSA hacking their time service.
Seriously Risky Business: Tom Uren and Amberleigh Jack explore leveraging America's private sector for scaled cyber offenses, including espionage, disruptions, ransomware, and crypto scams.
What do you think—should governments crack down harder on spyware legacies like this, or is it inevitable in today's digital arms race? Do you agree that AI-driven tools in cyberattacks raise ethical red flags? Share your views in the comments; let's discuss!