
Daily Shaarli

All the links from one day on a single page.

Today - October 29, 2025

CEO of spyware maker Memento Labs confirms one of its government customers was caught using its malware | TechCrunch

techcrunch.com/
Lorenzo Franceschi-Bicchierai
10:00 PM PDT · October 28, 2025

On Monday, researchers at cybersecurity giant Kaspersky published a report identifying a new spyware called Dante that they say targeted Windows victims in Russia and neighboring Belarus. The researchers said the Dante spyware is made by Memento Labs, a Milan-based surveillance tech maker that was formed in 2019 after a new owner acquired and took over early spyware maker Hacking Team.

Memento chief executive Paolo Lezzi confirmed to TechCrunch that the spyware caught by Kaspersky does indeed belong to Memento.

In a call, Lezzi blamed one of the company’s government customers for exposing Dante, saying the customer used an outdated version of the Windows spyware that will no longer be supported by Memento by the end of this year.

“Clearly they used an agent that was already dead,” Lezzi told TechCrunch, referring to an “agent” as the technical word for the spyware planted on the target’s computer.

“I thought [the government customer] didn’t even use it anymore,” said Lezzi.

Lezzi, who said he was not sure which of the company’s customers were caught, added that Memento had already requested that all of its customers stop using the Windows malware. Lezzi said the company had warned customers that Kaspersky had detected Dante spyware infections since December 2024. He added that Memento plans to send a message to all its customers on Wednesday asking them once again to stop using its Windows spyware.

He said that Memento currently only develops spyware for mobile platforms. The company also develops some zero-days — meaning security flaws in software unknown to the vendor that can be used to deliver spyware — though it mostly sources its exploits from outside developers, according to Lezzi.

When reached by TechCrunch, Kaspersky spokesperson Mai Al Akkad would not say which government Kaspersky believes is behind the espionage campaign, but that it was “someone who has been able to use Dante software.”

“The group stands out for its strong command of Russian and knowledge of local nuances, traits that Kaspersky observed in other campaigns linked to this [government-backed] threat. However, occasional errors suggest that the attackers were not native speakers,” Al Akkad told TechCrunch.

In its new report, Kaspersky said it found a hacking group using the Dante spyware, which it refers to as “ForumTroll,” and described how the group targeted people with invitations to the Russian politics and economics forum Primakov Readings. Kaspersky said the hackers targeted a broad range of industries in Russia, including media outlets, universities, and government organizations.

Kaspersky’s discovery of Dante came after the Russian cybersecurity firm said it detected a “wave” of cyberattacks with phishing links that were exploiting a zero-day in the Chrome browser. Lezzi said that the Chrome zero-day was not developed by Memento.

In its report, Kaspersky researchers concluded that Memento “kept improving” the spyware originally developed by Hacking Team until 2022, when the spyware was “replaced by Dante.”

Lezzi conceded that it is possible that some “aspects” or “behaviors” of Memento’s Windows spyware were left over from spyware developed by Hacking Team.

A telltale sign that the spyware caught by Kaspersky belonged to Memento was that the developers allegedly left the word “DANTEMARKER” in the spyware’s code, a clear reference to the name Dante, which Memento had previously and publicly disclosed at a surveillance tech conference, per Kaspersky.

Much like Memento’s Dante spyware, some versions of Hacking Team’s spyware, codenamed Remote Control System, were named after historical Italian figures, such as Leonardo da Vinci and Galileo Galilei.

A history of hacks

In 2019, Lezzi purchased Hacking Team and rebranded it to Memento Labs. According to Lezzi, he paid only one euro for the company and the plan was to start over.

“We want to change absolutely everything,” the Memento owner told Motherboard after the acquisition in 2019. “We’re starting from scratch.”

A year later, Hacking Team’s CEO and founder David Vincenzetti announced that Hacking Team was “dead.”

When he acquired Hacking Team, Lezzi told TechCrunch that the company only had three government customers remaining, a far cry from the more than 40 government customers that Hacking Team had in 2015. That same year, a hacktivist called Phineas Fisher broke into the startup’s servers and siphoned off some 400 gigabytes of internal emails, contracts, documents, and the source code for its spyware.

Before the hack, Hacking Team’s customers in Ethiopia, Morocco, and the United Arab Emirates were caught targeting journalists, critics, and dissidents using the company’s spyware. Once Phineas Fisher published the company’s internal data online, journalists revealed that a Mexican regional government used Hacking Team’s spyware to target local politicians and that Hacking Team had sold to countries with human rights abuses, including Bangladesh, Saudi Arabia, and Sudan, among others.

Lezzi declined to tell TechCrunch how many customers Memento currently has but implied it was fewer than 100 customers. He also said that there are only two current Memento employees left from Hacking Team’s former staff.

The discovery of Memento’s spyware shows that this type of surveillance technology keeps proliferating, according to John Scott-Railton, a senior researcher who has investigated spyware abuses for a decade at the University of Toronto’s Citizen Lab.

It also shows that a controversial company can die because of a spectacular hack and several scandals, and yet a new company with brand-new spyware can still come out of its ashes.

“It tells us that we need to keep up the fear of consequences,” Scott-Railton told TechCrunch. “It says a lot that echoes of the most radioactive, embarrassed and hacked brand are still around.”

Equalize: chats between former Fiera Milano chief Pazzali and a Guardia di Finanza general also under scrutiny

The prosecutor's office is examining Guardia di Finanza general Cosimo Di Gesù over possible unauthorised accesses to the Interior Ministry (Viminale) database requested by Enrico Pazzali

If not brotherly friends, certainly good acquaintances and probably admirers of each other. Until the first, the former president of the Fondazione Fiera Enrico Pazzali, is caught up in the Milan investigation into illegal dossier-building by the company Equalize, and the second, general Cosimo Di Gesù, commander of the Guardia di Finanza Academy, ends up, through no fault of his own, in the statements of several suspects as a person close to Pazzali. Now, however, the recent analysis of the forensic copy of Pazzali's mobile phones raises an investigative hypothesis among prosecutors: that Di Gesù himself may have made unauthorised accesses to the Interior Ministry database on behalf of his friend Pazzali, looking through Sdi police database records or confidential data on companies flagged by the former public manager in March 2020, when the project to build the Covid hospital at the Fiera was getting under way. At present Di Gesù is not under investigation and checks are ongoing. Prosecutors are also spurred on by a ruling of the Joint Sections of the Court of Cassation, according to which the offence of unauthorised access to a computer system also applies to a public official who, although entitled to access it, consults it “for reasons ontologically unrelated to those for which the access right was granted to him”. Pazzali's chats also show that the president of the Milan Court, Fabio Roia, ran a check on a Fiera manager in 2020 on Pazzali's behalf. A check which, according to Roia, who is not currently under investigation, falls within a formal and proper judicial and protective relationship, given that a branch of Fiera Milano had been placed under judicial administration, with a receivership that ended in 2017.

The chats between Pazzali and Di Gesù date back to mid-March 2020. On 21 March Pazzali asks for “reputational” information on seven companies which, Pazzali will tell prosecutors, were to work on setting up the hospital. Di Gesù replies: “I'll let you know Monday morning”. Then he writes: “We're running at reduced capacity too”. A couple of days later the Guardia di Finanza commander sends all the data retrieved to the then president of the Fondazione Fiera, listing the problems company by company: “Reported to Anac in 2019 for bid-rigging in a tender (…). Gave assignments to public employees without authorisation (…). Relations with Cosa Nostra (…). Some minor tax irregularities (…). Used non-existent invoices”. In short, according to the Milan prosecutor's office, that data was accessible only through restricted terminals. Di Gesù then writes: “This is the situation, a bit more up to date. As I told you, I didn't do the big one”.

Investigators interpret the term “the big one” as a full access to the Sdi record and therefore, since it was not done, the hypothesis is that the senior Guardia di Finanza officer made only a limited access. A few days before this chain of chats, on 15 March, Di Gesù prompts Pazzali to ask Fontana to ask in turn General Giuseppe Zaffarana (Di Gesù's superior at the time) to let him act as a consultant for the Covid hospital under construction: “Anyway Fontana could ask General Zaffarana for our collaboration. Mine and that of my three guys from Anac who, keep this to yourself, want to come back because there by now”. He then suggests to Pazzali how to get in: “Maybe with a quick agreement and only for this emergency”. Then he cautions: “Obviously you and I have never spoken. If the boss calls, let me know”. On 17 March Pazzali does so and alerts governor Attilio Fontana, who immediately takes action, sending the president of Fiera the reply from Zaffarana's secretariat. Pazzali forwards the reply to Di Gesù: “General Zaffarana is busy on a call and right after he has another one. He might be free in the afternoon. To help, the assistant asks: ‘Subject of the call’”. To which Di Gesù specifies the subject to Pazzali: “Request for collaboration on setting up the hospital at the Fiera”. Three days later Pazzali asks for and obtains from Di Gesù the checks on the seven companies.

Cybersecurity firm F5 anticipates revenue hit after attack

www.axios.com
Sam Sabin

F5 warned shareholders Monday that it expects its revenue growth to slow over the next two quarters as many of its customers pause or slow down their buying decisions while responding to a recent major cyberattack.

Why it matters: The comments are the first from F5 about how much the nation-state attack — which was disclosed about two weeks ago — is likely going to impact the company's bottom line.

Driving the news: F5 CEO François Locoh-Donou said during the company's fourth-quarter earnings call that the company is increasing its internal cybersecurity investments as it responds to the highly sophisticated hack.

"We are disappointed that this has happened and very aware as a team and as a company of the burden that this has placed in our customers who have had to work long hours to upgrade" affected products, Locoh-Donou told investors on the call.

Catch up quick: Bloomberg reported the attackers are likely linked to the Chinese government and have been lurking in the company's systems since 2023.

Zoom in: So far, F5 has identified and notified an unspecified number of customers who have had their data stolen as a result of the hacks, Locoh-Donou said.

The company has also worked with thousands of customers in recent weeks to deploy security fixes with minimal operational disruptions, he added.

F5 will enhance its bug bounty program and is working with outside firms to review the security of its code for vulnerabilities, he said.

The company has also transitioned Michael Montoya, the company's security chief, to a new role as its chief technology operations officer to help further embed security into every aspect of the company's operations.

Yes, but: Locoh-Donou told shareholders that most affected customers have said their stolen data was not sensitive and "they're not concerned about it."

Threat level: Locoh-Donou said the company is "acutely aware" that nation-state hackers have been increasingly targeting networking security firms like F5 in recent years.

"We are committed to learning from this incident, sharing our insights with our peers and driving collaborative innovation to collectively strengthen the protection of critical infrastructure across the industry," he said.

India plans repatriation of 500 nationals who fled Myanmar scam center

By Reuters
October 29, 2025

BANGKOK, Oct 29 (Reuters) - India plans to send an airplane to repatriate some 500 of its nationals who fled from a military raid on a scam centre in Myanmar into Thailand, Thai Prime Minister Anutin Charnvirakul said on Wednesday.

Starting last week, the Myanmar military has conducted a series of military operations against the KK Park cybercrime compound, driving more than 1,500 people from 28 countries into the Thai border town of Mae Sot, according to local authorities.

The border areas between Thailand, Myanmar, Laos and Cambodia have become hubs for online fraud since the COVID-19 pandemic, and the United Nations says billions of dollars have been earned from trafficking hundreds of thousands of people forced to work in the compounds.

KK Park is notorious for its involvement in transnational cyberscams. The sprawling compound and others nearby are run primarily by Chinese criminal gangs and guarded by local militia groups aligned to Myanmar's military.

Anutin said the Indian ambassador would meet the head of immigration to discuss speeding up the legal verification process for the 500 Indian nationals ahead of their flight back to India.

"They don't want this to burden us," Anutin said. "They will send a plane to pick these victims up... the plane will land directly in Mae Sot," he said.

Indian foreign ministry spokesperson Randhir Jaiswal said India's embassy was working with Thailand "to verify their nationality and to repatriate them, after necessary legal formalities are completed in Thailand."

Earlier this year India also sent a plane to repatriate its nationals after thousands were freed from cyberscam centres along the Thai-Myanmar border following a regional crackdown.

TEE.fail: Breaking Trusted Execution Environments via DDR5 Memory Bus Interposition


With the increasing popularity of remote computation like cloud computing, users are increasingly losing control over their data, uploading it to remote servers that they do not control. Trusted Execution Environments (TEEs) aim to reduce this trust, offering users promises such as privacy and integrity of their data as well as correctness of computation. With the introduction of TEEs and Confidential Computing features to server hardware offered by Intel, AMD, and Nvidia, modern TEE implementations aim to provide hardware-backed integrity and confidentiality to entire virtual machines or GPUs, even when attackers have full control over the system's software, for example via root or hypervisor access. Over the past few years, TEEs have been used to execute confidential cryptocurrency transactions, train proprietary AI models, protect end-to-end encrypted chats, and more.

In this work, we show that the security guarantees of modern TEE offerings by Intel and AMD can be broken cheaply and easily, by building a memory interposition device that allows attackers to physically inspect all memory traffic inside a DDR5 server. Making this worse, despite the increased complexity and speed of DDR5 memory, we show how such an interposition device can be built cheaply and easily, using only off-the-shelf electronic equipment. This allows us for the first time to extract cryptographic keys from Intel TDX and AMD SEV-SNP with Ciphertext Hiding, including in some cases secret attestation keys from fully updated machines in trusted status. Beyond breaking CPU-based TEEs, we also show how extracted attestation keys can be used to compromise Nvidia's GPU Confidential Computing, allowing attackers to run AI workloads without any TEE protections. Finally, we examine the resilience of existing deployments to TEE compromises, showing how extracted attestation keys can potentially be used by attackers to extract millions of dollars of profit from various cryptocurrency and cloud compute services.

Sweden’s power grid operator confirms data breach claimed by ransomware gang

The Record from Recorded Future News
Daryna Antoniuk
October 27th, 2025

The utility responsible for operating Sweden's power grid is investigating a data breach after a ransomware group threatened to leak hundreds of gigabytes of purportedly stolen internal data.

State-owned Svenska kraftnät, which operates the country’s electricity transmission system, said the incident affected a “limited external file transfer solution” and did not disrupt Sweden’s power supply.

“We take this breach very seriously and have taken immediate action,” said Chief Information Security Officer Cem Göcgören in a statement. “We understand that this may cause concern, but the electricity supply has not been affected.”

The ransomware gang Everest claimed responsibility for the attack on its leak site over the weekend, alleging it had exfiltrated about 280 gigabytes of data and saying it would publish it unless the agency complied with its demands.

The same group has previously claimed attacks on Dublin Airport, Air Arabia, and U.S. aerospace supplier Collins Aerospace — incidents that disrupted flight operations across several European cities in September. The group’s claims could not be independently verified.

Svenska kraftnät said it is working closely with the police and national cybersecurity authorities to determine the extent of the breach and what data may have been exposed. The utility has not attributed the attack to any specific threat actor.

“Our current assessment is that mission-critical systems have not been affected,” Göcgören said. “At this time, we are not commenting on perpetrators or motives until we have confirmed information.”

Infostealers Disguised as Free Video Game Cheats

vxdb.sh | Journalist | Cybercrime News

It is human nature to be competitive, to try your best when competing against others. It is no different when it comes to video games. Major esports tournament prize pools regularly reach multiple millions of dollars. Last year the CS2 PGL Major hosted in Copenhagen had a prize pool of $1.25M.

Outside of the esports realm, cheating is still very prevalent: games like Fortnite, Apex Legends, and CS2, and even non-competitive games like Minecraft or Roblox, have cheating problems. Most if not all top-tier cheats aren't free. Instead they rely on a subscription-based monetization model, where users pay for access to private builds or regular updates designed to evade detection by the game's anti-cheat. Cheat developers also use what are called resellers, who advertise and sell the cheat on behalf of the developers in exchange for a cut of the profits.

Most players don't want to or can't pay for premium cheats, so they hunt for free alternatives or cracked versions of paid cheats on sketchy forums, YouTube, or even GitHub. While some free cheats do exist, they usually have few features, are slower to update, and are quickly detected by the anti-cheat, meaning they'll get you banned fast, sometimes instantly. A significant portion of these “free” alternatives present security risks. In many cases the download typically contains info stealers, Discord token grabbers, or RATs. In other instances, the advertised download is a working cheat but runs malware in the background without the user knowing.

How threat actors spread their malware

Cybercriminals weaponize YouTube by posting videos that advertise free cheats, executors, or “cracked” cheats, then use the video description or pinned comments to funnel viewers to a download link. Many videos use the service Linkvertise, which forces users through a handful of ads and suspicious downloads before reaching the final download link, where the file is hosted on a site like MediaFire or Mega.nz. These videos are posted from stolen or fake YouTube accounts created and promoted by what are called Traffer Teams.

What are Traffer Teams?
"Traffer teams manage the entire operation, recruiting affiliates (traffers), handling monetization, and managing/crypting stealer builds. Traffer gangs recruit affiliates who spread the malware, often driving app downloads from YouTube, TikTok, and other platforms. Traffers are commonly paid a percentage of these stolen logs or receive a direct payment for installs. Traffer gangs will typically monetize these stolen logs by selling them directly to buyers or cashing out themselves." As per Benjamin Brundage, CEO of Synthient.

In a recent upload by researcher Eric Parker, a YouTube channel was discovered repeatedly uploading videos advertising so-called “Valorant Skins Changer,” “Roblox Executor,” and similar “free hacks,” all with oddly similar thumbnails. Each video's description contained a download link that redirected users to a Google Sites page at "sites[.]google[.]com/view/lyteam".

This site is operated by a Traffer Team known as LyTeam, which promotes and distributes info-stealing malware under the guise of free game cheats.

Later in the same video, Eric Parker downloaded and analyzed a .dll file hosted on the LyTeam site. When uploaded to VirusTotal, the sample was identified as a strain of Lumma Stealer, a well-known info-stealing malware family that harvests browser credentials and crypto wallets.

How to stay safe

Don't click random links or run files you find on the internet; if needed, use antivirus software to scan files on your computer. If you must run a sketchy file, do it in a virtual machine or sandbox, or better yet check it on VirusTotal first.

Staying safe doesn't mean you need to be paranoid 24/7, it's about awareness.

Thank you for reading,
vxdb :)