Kaspersky CTO on Dante, AI-Powered Attacks, and Why India Is Becoming a Cybersecurity Hotspot

For over a decade, the Security Analyst Summit (SAS) has been one of the top events in the cybersecurity industry for advanced threat research. Hosted by Kaspersky, SAS is where the company reveals its most complicated investigations. This year’s event followed that tradition and introduced Dante, a new spyware strain linked to one of the world’s most advanced threat groups.

“SAS has been our platform for 12 to 15 years now,” said Anton Ivanov, Kaspersky’s Chief Technology Officer. “It is where we share our best findings. Our most complex investigations first appear here.”

Ivanov offered insights into shifts in the threat landscape, from new espionage tools to the growing impact of artificial intelligence on cyberattacks. He also explained why markets like India are becoming key to Kaspersky’s global cybersecurity strategy.

Dante: A New Multilayered Spyware Emerges From the Shadows

This year’s major discovery at SAS was Dante, a newly identified spyware connected to ForumTroll, an advanced persistent threat (APT) group involved in targeted operations. According to Ivanov, the first signs of the malware appeared through anomalies collected from Kaspersky’s extensive global telemetry.

“Kaspersky has a significant presence across continents and millions of relationships with users,” he said. “When users decide to share telemetry with our researchers, we can identify anomalies early.”

These anomalies appeared as signals of a new exploit—an “unknown entity” acting differently from anything previously seen. This prompted immediate alerts within Kaspersky’s security operations, starting a deeper, weeks-long investigation.

How Dante Was Found: Inside Operation ForumTroll

Kaspersky found Dante while investigating Operation ForumTroll, an APT campaign that exploited a Google Chrome zero-day vulnerability. The attackers carried out a carefully targeted phishing operation, sending fake invitations to the “Primakov Readings” conference—a well-known academic forum—to:

– Russian media organizations
– Government institutions
– Universities and research centers
– Banks and financial companies

These emails contained links that exploited the Chrome zero-day, allowing for stealthy installation of spyware.

LeetAgent: The First Clue

The first discovery in this attack chain was a spyware sample that Kaspersky named LeetAgent because it used leetspeak-style encrypted commands.

However, LeetAgent was just the surface layer. Further reverse engineering uncovered that:

– The malware was communicating with—and sometimes launching—a more sophisticated spyware framework.
– Several attack clusters showed signs of a completely different, more advanced intrusion platform.
– The hidden malware had many layers of obfuscation, making it very hard to identify.

Despite the complexity, Kaspersky analysts found a key clue in the code: the name Dante, hidden deep within one of the encrypted modules.

Linking Dante to Memento Labs and HackingTeam

As researchers dug deeper, they found that Dante was more than just another APT tool. Code similarities, structural components, and behavior patterns connected Dante to a commercial spyware suite sold by Memento Labs, the company that took over the controversial Milan-based surveillance vendor HackingTeam.

HackingTeam was famous for selling surveillance capabilities to governments. Their flagship product, the Remote Control System (RCS) spyware, shares several traits with Dante, including command-and-control behavior, data exfiltration techniques, and modular design.

“The latest samples of HackingTeam’s RCS spyware showed similarities to Dante,” Ivanov stated. “The link was confirmed through code analysis.”

This finding clarifies how commercial surveillance frameworks, initially made for government clients, may appear in APT-level attacks worldwide.

“Dante Is Multilayered”: Why the Spyware Is So Complex

Ivanov described Dante not as a single malware sample, but as a multi-component espionage system. Its complexity comes from:

– Modular design enabling flexible deployment
– Multiple layers of obfuscation
– Polymorphic payloads
– Strong anti-analysis measures
– Multi-stage loaders and decoys

“Dante is multilayered,” Ivanov explained. “You need to investigate the antivirus several times to fully understand what’s happening.”

Its design lets attackers:

– Keep long-term surveillance
– Move across networks
– Steal documents and credentials
– Execute arbitrary code
– Establish lasting footholds

This level of sophistication is usually seen only in state-sponsored or commercially developed cyber-espionage systems.

The Role of Telemetry in Early Detection

Ivanov emphasized that these complex investigations are possible thanks to Kaspersky’s extensive product installation base.

“When millions of users choose to share telemetry data, we gain visibility across sectors and regions,” he said.

This data enables Kaspersky’s Threat Intelligence Platform to:

– Detect emerging exploits quickly
– Correlate attack patterns by region
– Send early-warning alerts to enterprise customers
– Identify sector-specific threats (e.g., financial, government, education)
– Track APT infrastructure developments

In Dante’s case, this telemetry was crucial. Without it, the malware might have stayed unnoticed in high-value environments.
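The telemetry-driven workflow described in this section (spot an executable that behaves unlike anything seen before, then correlate where it appears by region and sector) can be sketched in a few dozen lines. The script below is an added illustration, not Kaspersky code and not a description of how its Threat Intelligence Platform is built. It runs over constructed process-creation records with placeholder hosts, hashes, regions and sectors; the browser-parent list and the "seen on three hosts or fewer" threshold are assumptions chosen for the example.

```python
"""Prevalence-based anomaly triage over constructed endpoint telemetry."""
from collections import defaultdict

# Constructed telemetry, not real data: one process-creation event per record,
# as an endpoint that opted in to telemetry sharing would report it.
# Host names, hashes, regions and sectors are placeholders.
TELEMETRY = [
    {"host": "h01", "region": "RU", "sector": "media",      "parent": "chrome.exe",   "child_hash": "bbb222", "signed": True},
    {"host": "h02", "region": "RU", "sector": "media",      "parent": "chrome.exe",   "child_hash": "bbb222", "signed": True},
    {"host": "h03", "region": "RU", "sector": "government", "parent": "chrome.exe",   "child_hash": "bbb222", "signed": True},
    {"host": "h04", "region": "RU", "sector": "government", "parent": "chrome.exe",   "child_hash": "bbb222", "signed": True},
    {"host": "h05", "region": "RU", "sector": "bank",       "parent": "chrome.exe",   "child_hash": "bbb222", "signed": True},
    {"host": "h06", "region": "KZ", "sector": "university", "parent": "chrome.exe",   "child_hash": "bbb222", "signed": True},
    # rare, unsigned, browser-spawned: the shape of a browser exploit chain
    {"host": "h02", "region": "RU", "sector": "media",      "parent": "chrome.exe",   "child_hash": "c0ffee", "signed": False},
    {"host": "h04", "region": "RU", "sector": "government", "parent": "chrome.exe",   "child_hash": "c0ffee", "signed": False},
    {"host": "h06", "region": "KZ", "sector": "university", "parent": "chrome.exe",   "child_hash": "c0ffee", "signed": False},
    # rare and unsigned but not browser-spawned: stays below the bar here
    {"host": "h05", "region": "RU", "sector": "bank",       "parent": "explorer.exe", "child_hash": "ddd444", "signed": False},
    # single-host unsigned browser child
    {"host": "h06", "region": "KZ", "sector": "university", "parent": "chrome.exe",   "child_hash": "e5e5e5", "signed": False},
    # unsigned browser child that is common across the fleet: benign-looking
    {"host": "h01", "region": "RU", "sector": "media",      "parent": "chrome.exe",   "child_hash": "fff666", "signed": False},
    {"host": "h02", "region": "RU", "sector": "media",      "parent": "chrome.exe",   "child_hash": "fff666", "signed": False},
    {"host": "h03", "region": "RU", "sector": "government", "parent": "chrome.exe",   "child_hash": "fff666", "signed": False},
    {"host": "h05", "region": "RU", "sector": "bank",       "parent": "chrome.exe",   "child_hash": "fff666", "signed": False},
    {"host": "h06", "region": "KZ", "sector": "university", "parent": "chrome.exe",   "child_hash": "fff666", "signed": False},
]

# Assumed list of parents worth scrutinising: a fresh executable launched by a
# browser is what a drive-by exploit leaves behind on the endpoint.
BROWSER_PARENTS = {"chrome.exe", "msedge.exe", "firefox.exe"}


def prevalence(records):
    """Number of distinct hosts on which each child hash was observed."""
    hosts_by_hash = defaultdict(set)
    for r in records:
        hosts_by_hash[r["child_hash"]].add(r["host"])
    return {h: len(hosts) for h, hosts in hosts_by_hash.items()}


def flag_anomalies(records, max_hosts=3):
    """Events whose child is unsigned, browser-spawned and rare fleet-wide."""
    prev = prevalence(records)
    return [
        r for r in records
        if r["parent"] in BROWSER_PARENTS
        and not r["signed"]
        and prev[r["child_hash"]] <= max_hosts
    ]


def correlate(anomalies):
    """Group flagged events by hash and list the hosts, regions and sectors hit."""
    groups = defaultdict(lambda: {"hosts": set(), "regions": set(), "sectors": set()})
    for r in anomalies:
        g = groups[r["child_hash"]]
        g["hosts"].add(r["host"])
        g["regions"].add(r["region"])
        g["sectors"].add(r["sector"])
    return {h: {k: sorted(v) for k, v in g.items()} for h, g in groups.items()}


def rank(correlated):
    """Hashes ordered by spread: cross-sector, cross-region hits first."""
    return sorted(
        correlated,
        key=lambda h: (len(correlated[h]["sectors"]),
                       len(correlated[h]["regions"]),
                       len(correlated[h]["hosts"])),
        reverse=True,
    )


if __name__ == "__main__":
    groups = correlate(flag_anomalies(TELEMETRY))
    for h in rank(groups):
        print(h, groups[h])
```

Prevalence is the key filter: an unsigned browser child seen on a handful of hosts in three different sectors (`c0ffee` above) ranks ahead of one seen on a single machine, while an equally unsigned child present across the whole fleet is left alone. In a real platform the same three steps would run over far larger populations and feed the early-warning alerts the section describes.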

AI Is Transforming Cyberattacks Faster Than Defenders Can Respond

The conversation shifted dramatically as Ivanov discussed a significant change in cybersecurity: the rise of AI-powered attacks.

He noted that generative AI has drastically changed how adversaries function.

“GenAI provides a lot of assistance for attackers right now,” Ivanov said. “I expect that in 2 to 3 years, most attacks will be fully automated with AI.”

How Attackers Are Using AI Right Now

Ivanov outlined several ways threat actors are currently using AI:

– Creating phishing websites in minutes
– Automatically generating misleading content, images, and emails
– Producing malicious JavaScript to manipulate browsers
– Conducting full-scale AI-assisted reconnaissance
– Automating exploitation chains
– Speeding up malware development and deployment

AI significantly lowers the entry barriers for cybercrime, enabling low-skill attackers to conduct operations that once required extensive technical know-how.

AI-Powered Defense: Kaspersky’s New Strategy

While attackers benefit from generative models, Ivanov emphasized that defenders are also innovating.

Kaspersky is incorporating AI into various layers of its security products:

– Automatically summarizing threat intelligence reports
– Providing action recommendations for security teams
– Automating response processes within SOC platforms
– Recognizing anomalous patterns in real time

“These features greatly reduce response times,” Ivanov said.

AI Assisting Analysts Internally

Within the company, AI tools help Kaspersky’s security researchers:

– Analyze malware more quickly
– Organize threat clusters
– Prioritize alerts
– Create simplified, user-friendly reports
– Manage threat intelligence feeds

“In a world where cybersecurity talent is limited globally, AI becomes a powerful addition,” Ivanov added. “Our AI analyst helps users understand which threats are most relevant to them.”

India: A Critical Market and a Rising Cybersecurity Hotspot

Ivanov pointed out that India is now one of Kaspersky’s most vital global markets, both for business and threat research.

“India is a key focus area for us,” he said. “The volume and sophistication of attacks in the country are very high.”

The Scale of Attacks in India

Kaspersky’s telemetry shows:

– Over 600,000 ransomware attacks detected in India last year
– More than 12 million phishing attempts, mainly targeting enterprises

According to Ivanov, ransomware gangs in India are showing increasingly destructive behaviors:

“They attempt to destroy or completely halt business processes before demanding ransom,” he said.

Rising Hacktivism

Another trend in India is an increase in hacktivist activity. These groups can:

– Disrupt websites
– Deface portals
– Target government agencies
– Interrupt business operations

“They can seriously harm businesses, so enterprises need sophisticated solutions,” Ivanov warned.

Kaspersky Expands Its India Presence

To meet the growing demand for security:

– Kaspersky offers incident response, managed detection, and threat intelligence services in India.
– The local team includes solution architects, support engineers, and threat researchers.

The impact is evident in the company’s regional growth:

– 24% growth in India in 2024
– 20% growth in B2B
– 30% growth in B2C

These figures position India as one of Kaspersky’s fastest-growing markets in South Asia.

The Road Ahead: Automation as the Future of Cybersecurity

Kaspersky’s engineering capability is still one of its key strengths globally. Ivanov shared that the company’s Global Research and Analysis Team (GReAT) includes over 100 engineers, and its dedicated research divisions have more than 200 specialists.

“We are an engineering company. We are hiring everywhere,” he said.

However, Ivanov acknowledged that simply hiring cannot match the scale and automation of modern threats. This is why Kaspersky is investing heavily in automated cyber defense tools.

“Threats are becoming more automated,” he stated. “Our defenses must also become more automated.”

AI-Driven Development Inside Kaspersky

Internally, the adoption of generative AI tools has already improved developer productivity by 15%, Ivanov noted.

As AI-driven attacks increase, Kaspersky believes that the future of cybersecurity will focus on:

– Automated detection
– Automated triage
– Automated response
– Autonomous threat analysis

“This level of automation is essential,” Ivanov concluded. “That is the future of cybersecurity.”

Source: techcircle.in