The advanced persistent threat group behind Operation ForumTrol has launched a new targeted phishing campaign against Russian political scientists and researchers.
This sophisticated operation continues the group’s pattern of cyberattacks that began in March 2025 with the exploitation of CVE-2025-2783, a zero-day vulnerability in Google Chrome.
The threat group previously deployed rare malware like the LeetAgent backdoor and Dante spyware, developed by Memento Labs.
Unlike their spring campaign that targeted organizations, this recent operation focuses on individual scholars in political science, international relations, and global economics at major Russian universities and research institutions.
The attack campaign uses carefully crafted phishing emails sent from support@e-library[.]wiki, impersonating the legitimate scientific electronic library eLibrary.
Recipients receive messages prompting them to download plagiarism reports through malicious links formatted as https://e-library[.]wiki/elib/wiki.php?id=.
Clicking these links downloads personalized archive files named with the victim’s full name in LastName_FirstName_Patronymic.zip format.
The threat actors demonstrated advanced preparation by registering the malicious domain in March 2025, six months before launching the campaign, allowing the domain to build reputation and evade spam filters.
They also cloned the legitimate eLibrary homepage and implemented protective mechanisms to restrict repeat downloads, hindering security analysis.
Securelist researchers identified this new campaign in October 2025, just days before presenting their report on ForumTrol at the Security Analyst Summit.
The investigation revealed that attackers carefully personalized their approach, researching specific targets and customizing each attack.
The malicious site even detected non-Windows devices and prompted users to access the content from Windows computers, showing the operation’s technical sophistication.
This targeted approach, combined with domain aging techniques, demonstrates the group’s commitment to evading detection and maximizing infection success rates.
Infection Chain and Payload Delivery
The malicious archives contain a shortcut file named after the victim and a .Thumbs directory with approximately 100 Russian-named image files added as decoys to avoid raising suspicion.
When users click the shortcut, it executes a PowerShell script that downloads and runs a PowerShell-based payload from the malicious server.
This payload contacts https://e-library[.]wiki/elib/query.php to retrieve a DLL file, which is saved to %localappdata%\Microsoft\Windows\Explorer\iconcache_.dll.
The malware establishes persistence using COM hijacking by writing the DLL path into the registry key HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32, a technique ForumTrol used in its previous spring attacks.
Finally, a decoy PDF containing a blurred plagiarism report automatically opens to maintain the deception while the OLLVM-obfuscated loader deploys the Tuoni framework, a commercial red teaming tool that grants attackers remote access capabilities.
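The persistence step above leaves a recognisable trace: a CLSID's InProcServer32 value being pointed at a DLL in a user-writable profile directory by a scripting host. The following detection logic is an added example, not code from the article or from Securelist; it assumes Sysmon Event ID 13 (registry value set) records flattened to `key=value` pairs, and the sample records are constructed for illustration.

```python
import re

# Constructed Sysmon Event ID 13 (registry value set) records, flattened to
# "key=value" pairs. These are illustrative, not telemetry from the campaign.
SAMPLE_EVENTS = [
    r"EventID=13 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "
    r"TargetObject=HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32\(Default) "
    r"Details=C:\Users\alice\AppData\Local\Microsoft\Windows\Explorer\iconcache_.dll",
    r"EventID=13 Image=C:\Windows\System32\msiexec.exe "
    r"TargetObject=HKCR\CLSID\{00021401-0000-0000-C000-000000000046}\InProcServer32\(Default) "
    r"Details=C:\Windows\System32\shell32.dll",
    r"EventID=1 Image=C:\Windows\explorer.exe CommandLine=explorer.exe",
]

# CLSID named in the ForumTrol report as the hijacked COM object.
KNOWN_HIJACKED_CLSID = "{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}"

# A COM server registered under CLSID\{...}\InProcServer32 ...
INPROC = re.compile(r"\\CLSID\\(\{[0-9a-f-]{36}\})\\InProcServer32", re.IGNORECASE)
# ... whose DLL lives somewhere an unprivileged user can write.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)


def parse_event(line):
    """Split a flattened 'Key=Value Key=Value' record into a dict."""
    return dict(re.findall(r"(\w+)=(.*?)(?=\s\w+=|$)", line))


def assess(event):
    """Return the reasons a registry write looks like COM hijacking
    (empty list for benign events or non-InProcServer32 writes)."""
    if event.get("EventID") != "13":
        return []
    match = INPROC.search(event.get("TargetObject", ""))
    if not match:
        return []
    reasons = []
    if USER_WRITABLE.search(event.get("Details", "")):
        reasons.append("InProcServer32 points into a user-writable profile path")
    if match.group(1).lower() == KNOWN_HIJACKED_CLSID:
        reasons.append("CLSID matches the one abused by ForumTrol")
    if event.get("Image", "").lower().endswith("powershell.exe"):
        reasons.append("value written by a scripting host, not an installer")
    return reasons


def scan(lines):
    """Map each suspicious TargetObject to its list of reasons."""
    findings = {}
    for line in lines:
        event = parse_event(line)
        reasons = assess(event)
        if reasons:
            findings[event["TargetObject"]] = reasons
    return findings


if __name__ == "__main__":
    for key, reasons in scan(SAMPLE_EVENTS).items():
        print(key, "->", "; ".join(reasons))
```

The first rule (user-writable InProcServer32 target) is the one worth running fleet-wide, since it catches COM hijacking regardless of which CLSID a future campaign picks.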
