According to TechCrunch, cybersecurity researchers at Kaspersky discovered a new spyware called Dante targeting Windows users in Russia and Belarus, created by Milan-based surveillance company Memento Labs. Memento CEO Paolo Lezzi confirmed the spyware belongs to his company and blamed a government customer for using an outdated version that will no longer be supported by year’s end. Kaspersky identified the hacking group as “ForumTroll,” which targeted Russian media, universities, and government organizations using phishing links exploiting a Chrome zero-day vulnerability. The discovery comes after Memento’s predecessor Hacking Team faced multiple scandals, including a 2015 hack that exposed 400GB of internal data revealing customers in countries with human rights abuses targeting journalists and dissidents.
The Surveillance Industrial Complex’s Rebirth Problem
The Memento Labs story reveals a disturbing pattern in the surveillance technology industry: companies can die from scandals, but their technology and business models prove remarkably resilient. When Hacking Team collapsed after the 2015 hack exposed its dealings with repressive regimes, many assumed the market would self-correct. Instead, we see what cybersecurity researchers call the “zombie company” phenomenon – where failed surveillance firms are acquired for pennies (Lezzi paid just one euro) and rebranded, often continuing similar operations with minimal oversight. This pattern suggests that demand for sophisticated surveillance tools from government clients creates an almost fail-proof business model, regardless of ethical breaches or technical compromises.
The Fundamental Customer Accountability Gap
Lezzi’s response highlights a critical weakness in the spyware industry’s self-regulation: companies can claim they’ve reformed while their products continue to be misused by the same types of clients. His statement that he “thought the government customer didn’t even use it anymore” reveals how little control these companies actually exercise over their products post-sale. Unlike legitimate software companies that can remotely disable unauthorized use, spyware vendors operate in a legal gray area where they benefit from plausible deniability about how their tools are deployed. This creates a perverse incentive structure where companies can profit from selling to problematic regimes while maintaining public distance from the consequences.
The Dangerous Legacy of Technical Debt
The discovery that Memento’s Dante spyware contains remnants of Hacking Team’s codebase demonstrates how technical debt in surveillance software creates ongoing security risks. When Phineas Fisher leaked Hacking Team’s source code in 2015, it created a permanent reference library for security researchers to identify signature patterns and vulnerabilities. The fact that Memento’s new spyware still bears recognizable markers (including the “DANTEMARKER” identifier) suggests that completely rebuilding sophisticated surveillance platforms from scratch remains technically challenging, forcing companies to reuse compromised codebases. This technical inheritance creates what security experts call “detection inheritance” – where new products can be identified using signatures from their predecessors.
The Quiet Consolidation of the Surveillance Market
Memento’s evolution from Hacking Team’s ashes reflects broader market consolidation trends in the commercial surveillance industry. Where Hacking Team once boasted over 40 government customers, Memento implies it has fewer than 100 today – still a significant footprint for a company with minimal public presence. This suggests the market is maturing toward a smaller number of more sophisticated providers serving a stable client base of government agencies. The shift from Windows to mobile platforms that Lezzi mentions aligns with global surveillance trends, as mobile devices become the primary communication tool for targets of interest. However, the continued use of outdated Windows spyware reveals how government customers often lag behind technological shifts, creating security vulnerabilities through inertia.
The Regulatory Vacuum and Its Consequences
As Citizen Lab researcher John Scott-Railton noted, the persistence of companies like Memento demonstrates the need for stronger consequences in the surveillance technology space. The current regulatory environment allows companies to fail spectacularly yet reemerge with minimal changes to their business practices. What’s missing are comprehensive export controls, mandatory human rights due diligence requirements, and meaningful accountability for companies whose products are repeatedly linked to abuses. Without these safeguards, the cycle of scandal, rebranding, and continuation will likely persist, with each iteration potentially more sophisticated and harder to detect than the last.
The Evolving Threat Landscape
The combination of Memento’s development of zero-day exploits and their sourcing from external developers points toward an increasingly modular and specialized surveillance ecosystem. Rather than single companies developing complete attack chains, we’re seeing the emergence of a surveillance supply chain where different entities specialize in various components – from exploit development to implantation to data exfiltration. This distributed model makes accountability even more challenging while potentially lowering barriers to entry for new surveillance providers. As the industry fragments, the traditional company-customer relationship becomes more opaque, creating additional challenges for researchers, regulators, and civil society groups attempting to track and counter surveillance abuses.