The actor behind Operation ForumTrol, a sophisticated advanced persistent threat (APT) group, has launched a new targeted phishing campaign aimed specifically at Russian political scientists and researchers. The operation, which began in March 2025 with the exploitation of a zero-day vulnerability in Google Chrome (CVE-2025-2783), shows the group’s continued focus on high-value targets within Russia. ForumTrol was previously known for deploying rare malware such as the LeetAgent backdoor and the Dante spyware developed by Memento Labs.
In contrast to their earlier campaign that targeted organizations, Operation ForumTrol’s current efforts are concentrated on individual scholars. These academics specialize in political science, international relations, and global economics and are affiliated with major Russian universities and research institutions. The attack campaign is characterized by meticulously crafted phishing emails sent from the address support@e-library[.]wiki, which impersonates the legitimate scientific electronic library eLibrary, a well-known resource for academics.
Operation ForumTrol’s Sophisticated Phishing Tactics
The phishing messages received by targeted individuals urge them to download plagiarism reports. These reports are accessible via malicious links formatted as https://e-library[.]wiki/elib/wiki.php?id=. Upon clicking these deceptive links, recipients are prompted to download personalized archive files. These files are uniquely named using the victim’s full name in a “LastName_FirstName_Patronymic.zip” format, suggesting a high level of reconnaissance and personalization by the threat actors.
The attackers demonstrated considerable foresight and technical prowess by registering the malicious domain back in March 2025, a full six months prior to launching their campaign. This proactive domain registration allowed the website to build a reputation and accumulate trust, thereby increasing its chances of evading spam filters and security warnings. Further enhancing their evasion strategy, the threat actors meticulously cloned the legitimate eLibrary homepage, creating a highly convincing facade. They also implemented protective mechanisms designed to restrict repeat downloads, a move that complicates and hinders detailed security analysis by researchers.
Securelist researchers identified this latest Operation ForumTrol campaign in October 2025, just days before they were due to present their findings on the group at the Security Analyst Summit. The in-depth investigation revealed that the attackers conducted extensive research on their specific targets, tailoring each attack to the individual scholar. The malicious site also showed a notable level of technical sophistication: it detected non-Windows devices and instructed users to access the content from a Windows computer, implying a deliberate effort to deliver the attack only to the environment the payload was built for.
This highly targeted approach, combined with their strategic use of domain aging techniques, underscores ForumTrol’s commitment to maximizing their chances of successful infiltration and evading detection by cybersecurity defenses. The group’s continued activity and evolving tactics highlight the persistent threat posed by APTs in the current cyber threat landscape.
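As an added example (not code from the original article), the following PowerShell function turns the phishing indicators described above (the sender address, the download URL pattern and the `LastName_FirstName_Patronymic.zip` naming scheme) into a triage check over mail-gateway log lines. The log format, the function name and the sample lines are constructed assumptions; only the indicators themselves come from the article.

```powershell
# Added example: scan mail-gateway log lines for the ForumTrol phishing
# indicators. The log format and sample lines below are constructed.

function Find-ForumTrolIndicators {
    param(
        [Parameter(Mandatory)] [string[]] $LogLines
    )

    # Indicators from the write-up; the defanged "[.]" is undone so the
    # patterns match real log content.
    $sender     = 'support@e-library.wiki'
    $urlPattern = 'https?://e-library\.wiki/elib/wiki\.php\?id='
    # Three name parts (Cyrillic or Latin letters) joined by underscores, .zip suffix.
    $zipPattern = '(?i)\b\p{L}+_\p{L}+_\p{L}+\.zip\b'

    foreach ($line in $LogLines) {
        $hits = @()
        if ($line -match [regex]::Escape($sender)) { $hits += 'sender' }
        if ($line -match $urlPattern)              { $hits += 'url' }
        if ($line -match $zipPattern)              { $hits += 'archive-name' }
        if ($hits.Count -gt 0) {
            [pscustomobject]@{
                Line       = $line
                Indicators = ($hits -join ',')
            }
        }
    }
}

# Constructed sample lines (not real traffic); the last one is benign.
$sample = @(
    '2025-10-14T09:12:03Z from=support@e-library.wiki to=ivanov@example.edu subj="Plagiarism report" url=https://e-library.wiki/elib/wiki.php?id=4821',
    '2025-10-14T09:12:30Z from=ivanov@example.edu attach=Ivanov_Ivan_Ivanovich.zip',
    '2025-10-14T09:15:00Z from=noreply@elibrary.ru to=petrov@example.edu subj="New citation"'
)
Find-ForumTrolIndicators -LogLines $sample | Format-Table -AutoSize
```

The first two sample lines are flagged (sender and url, then archive-name); the third produces no output.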
Infection Chain and Payload Delivery
The malicious archives delivered by Operation ForumTrol contain a shortcut file named after the intended victim. Alongside this, a hidden “.Thumbs” directory is present, populated with approximately 100 image files, predominantly named with Russian identifiers. These decoy files are strategically included to create a semblance of legitimate content and to avoid raising suspicion when the archive is opened.
Upon clicking the shortcut file, a PowerShell script is executed. This script is responsible for downloading and running a PowerShell-based payload from the attackers’ malicious server. The payload then contacts a specific URL on the e-library[.]wiki domain to retrieve a Dynamic Link Library (DLL) file. This DLL is saved to a path within the user’s local application data directory, masquerading as a legitimate system file: `%localappdata%\Microsoft\Windows\Explorer\iconcache_.dll`.
To establish persistence, the malware employs a COM hijacking technique. This involves modifying registry keys, specifically writing the path of the malicious DLL into the `HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32` registry key. This particular persistence method is a hallmark of ForumTrol, having been observed in their previous spring attacks, indicating a consistent operational methodology.
Finally, to maintain the illusion of a legitimate process, a decoy PDF file automatically opens. This PDF typically displays a blurred plagiarism report. Meanwhile, the OLLVM-obfuscated loader, which is part of the infection chain, deploys the Tuoni framework. This commercial red teaming tool grants the attackers comprehensive remote access and control capabilities over the compromised system, enabling further malicious activities.
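As an added example (not code from the original article), this PowerShell function checks a host for the persistence artefacts of the infection chain described above: the `iconcache_.dll` file under `%localappdata%` and an `InProcServer32` override for the hijacked CLSID. The CLSID, DLL path and registry key come from the article; the function name and output shape are my own, and the HKCU location is checked because per-user COM overrides under `HKCU\Software\Classes` are merged into the `HKCR` view.

```powershell
# Added example: hunt for ForumTrol COM-hijack persistence on a Windows host.
# Run as the user whose profile is being triaged, since both HKCU and
# %localappdata% are per-user.

function Test-ForumTrolPersistence {
    $clsid   = '{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}'
    $dllPath = Join-Path $env:LOCALAPPDATA 'Microsoft\Windows\Explorer\iconcache_.dll'

    # Per-user overrides (HKCU\Software\Classes) are merged into HKCR, so a
    # hijack may be visible in either view; check both.
    $keys = @(
        "HKCU:\Software\Classes\CLSID\$clsid\InProcServer32",
        "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InProcServer32"
    )

    $findings = foreach ($key in $keys) {
        if (Test-Path -LiteralPath $key) {
            # The (default) value of InProcServer32 is the DLL that COM will load.
            $server   = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).'(default)'
            $expanded = if ($server) { [Environment]::ExpandEnvironmentVariables($server) } else { '' }
            [pscustomobject]@{
                Key        = $key
                Server     = $server
                # A system COM server should never resolve into the user profile.
                Suspicious = ($expanded -like '*\Explorer\iconcache_.dll') -or
                             ($expanded -like "$env:LOCALAPPDATA\*")
            }
        }
    }

    [pscustomobject]@{
        DllPath          = $dllPath
        DllOnDisk        = Test-Path -LiteralPath $dllPath
        RegistryFindings = $findings
        IsSuspicious     = (Test-Path -LiteralPath $dllPath) -or
                           (@($findings | Where-Object Suspicious).Count -gt 0)
    }
}

Test-ForumTrolPersistence | Format-List
```

On a clean host the HKCR entry shows the legitimate system server path and `IsSuspicious` is `False`; a hit on either the DLL or a profile-relative server path warrants collecting the DLL and the shortcut described above.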
The ongoing success of Operation ForumTrol and their evolving tactics, particularly their focus on espionage against academic and research sectors, suggests that such targeted campaigns are likely to continue. Further analysis will be crucial to understand the full scope of their objectives and to develop more effective countermeasures against this persistent threat group.