The threat actor linked to Operation ForumTroll has been attributed to a fresh set of phishing attacks targeting individuals within Russia, according to Kaspersky.
The Russian cybersecurity vendor said it detected the new activity in October 2025. The origins of the threat actor are presently unknown.
“While the spring cyberattacks focused on organizations, the fall campaign honed in on specific individuals: scholars in the field of political science, international relations, and global economics, working at major Russian universities and research institutions,” security researcher Georgy Kucherin said.
Operation ForumTroll refers to a series of sophisticated phishing attacks exploiting a then-zero-day vulnerability in Google Chrome (CVE-2025-2783) to deliver the LeetAgent backdoor and a spyware implant known as Dante.
The latest attack wave also commences with emails that claimed to be from eLibrary, a Russian scientific electronic library, with the messages sent from the address “support@e-library[.]wiki.” The domain was registered in March 2025, six months before the start of the campaign, suggesting that preparations for the attack had been underway for some time.
Kaspersky said the strategic domain aging was done to avoid raising any red flags typically associated with sending emails from a freshly registered domain. In addition, the attackers also hosted a copy of the legitimate eLibrary homepage (“elibrary[.]ru”) on the bogus domain to maintain the ruse.
The emails instruct prospective targets to click on an embedded link pointing to the malicious site to download a plagiarism report. Should a victim follow through, a ZIP archive with the naming pattern “
What’s more, these links are designed for one-time use, meaning any subsequent attempts to navigate to the URL cause it to display a Russian language message stating “Download failed, please try again later.” In the event, the download is attempted from a platform other than Windows, the user is prompted to “try again later on a Windows computer.”
“The attackers also carefully personalized the phishing emails for their targets, specific professionals in the field,” the company said. “The downloaded archive was named with the victim’s last name, first name, and patronymic.”
The archive contains a Windows shortcut (LNK) with the same name, which, when executed, runs a PowerShell script to download and launch a PowerShell-based payload from a remote server. The payload then contacts a URL to fetch a final-stage DLL and persist it using COM hijacking. It also downloads and displays a decoy PDF to the victim.
The final payload is a command-and-control (C2) and red teaming framework known as Tuoni, enabling the threat actors to gain remote access to the victim’s Windows device.
“ForumTroll has been targeting organizations and individuals in Russia and Belarus since at least 2022,”…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
