Full Report
The threat actor linked to Operation ForumTroll has been attributed to a fresh set of phishing attacks targeting individuals within Russia, according to Kaspersky. The Russian cybersecurity vendor said it detected the new activity in October 2025. The origins of the threat actor are presently unknown. "While the spring cyberattacks focused on organizations, the fall campaign honed in on
Analysis Summary
# Threat Actor: Actor Associated with Operation ForumTroll
## Attribution & Identity
The threat actor is linked to **Operation ForumTroll**. The origins of the threat actor are presently unknown.
## Activity Summary
The actor was detected conducting a fresh set of phishing attacks in **October 2025** (Fall campaign), according to Kaspersky. This follows earlier cyberattacks in the spring that focused on organizations. The actor has been active since at least **2022**, targeting entities in Russia and Belarus.
## Tactics, Techniques & Procedures
- **Initial Access/Phishing:** Used sophisticated phishing emails impersonating the Russian scientific electronic library, eLibrary.
- **Domain Aging:** Registered the malicious domain `e-library[.]wiki` (used for the sender address `support@e-library[.]wiki`) in March 2025, six months before the campaign launched, so that the domain would appear established and legitimate.
- **Luring/Deception:** Hosted a copy of the legitimate eLibrary homepage (`elibrary[.]ru`) on the bogus domain.
- **Malicious Download:** Instructed targets to follow a link to download a plagiarism report. The link was single-use; any later access returned a failure message in Russian. Visitors from non-Windows platforms were told to try again later from a Windows machine.
- **Personalization:** Emails and the downloaded archive were carefully personalized using the victim's last name, first name, and patronymic.
- **Execution Chain:** Downloaded a ZIP archive containing a LNK file. Execution of the LNK runs a PowerShell script.
- **Payload Delivery:** The script downloads and launches a PowerShell-based payload, which then fetches a final-stage DLL from a remote server.
- **Persistence:** Achieved persistence using **COM hijacking**.
- **Decoy:** A decoy PDF document was downloaded and displayed to the victim to maintain the ruse.
- **Historical TTPs (from previous ForumTroll campaigns):** Exploitation of a then-zero-day vulnerability in Google Chrome (**CVE-2025-2783**) to deliver the LeetAgent backdoor and the Dante spyware implant.
## Targeting
- **Sectors:** Individuals within academia, specifically scholars in the fields of **political science, international relations, and global economics**.
- **Geography:** Individuals within **Russia** and historically also **Belarus**.
- **Victims:** Scholars working at major Russian **universities and research institutions**.
## Tools & Infrastructure
- **Malware families used:**
  - **Tuoni:** The final payload, functioning as a Command-and-Control (C2) and red teaming framework.
  - LeetAgent backdoor (mentioned in historical context).
  - Dante spyware implant (mentioned in historical context).
- **Infrastructure:**
  - Malicious domain: `e-library[.]wiki` (registered March 2025).
  - C2 URLs used for fetching the final DLL.
## Implications
The actor demonstrates high levels of sophistication through domain aging, comprehensive personalization, and advanced execution techniques (PowerShell, COM hijacking) to deploy powerful C2 frameworks like Tuoni. The continued focus on Russian academic and research figures suggests ongoing intelligence collection targeting sensitive geopolitical or economic information within these spheres.
## Mitigations
- **Email Verification:** Users should carefully verify the sender address, particularly for unsolicited attachments or links, even if the domain appears similar to known entities (e.g., eLibrary).
- **LNK/PowerShell Caution:** Apply high scrutiny to LNK files delivered inside archives and to PowerShell execution chains launched from shortcuts or document macros.
- **COM Hijacking Detection:** Monitor for unusual process injections or persistence mechanisms involving Windows COM objects.
- **Indicator Monitoring:** Monitor for network connections attempting to retrieve known Tuoni components or C2 communications.
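The COM-hijacking persistence listed under Tactics, Techniques & Procedures and the detection point above can be turned into a concrete check. The following is an added example, not code from Kaspersky's report or from this page: it scans Sysmon Event ID 13 (registry value set) records for per-user `HKU\<SID>\Software\Classes\CLSID\{...}\InprocServer32` writes and flags those that shadow a machine-wide CLSID or load a DLL from outside protected system locations. The Sysmon field layout is assumed; the SIDs, CLSIDs, file paths and the HKLM baseline are constructed sample data.

```python
import re

# Per-user COM server registration as logged by Sysmon Event ID 13 (RegistryEvent, value set).
COM_KEY = re.compile(
    r"^HKU\\(?P<sid>S-1-5-21(?:-\d+)+)\\Software\\Classes\\CLSID\\"
    r"(?P<clsid>\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\})\\InprocServer32\\\(Default\)$",
    re.IGNORECASE,
)
# Roots a standard user cannot write to; a hijack DLL almost always lives somewhere else.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Sysmon records the raw REG_EXPAND_SZ string, so expand common variables before checking.
ENV = {"%systemroot%": "C:\\Windows", "%programfiles%": "C:\\Program Files"}

def normalize(path):
    """Strip surrounding quotes and expand a leading environment variable."""
    path = path.strip().strip('"')
    for var, value in ENV.items():
        if path.lower().startswith(var):
            return value + path[len(var):]
    return path

def detect_com_hijack(events, hklm_clsids):
    """Return one finding per per-user InprocServer32 write that shadows a machine-wide
    CLSID (hklm_clsids: baseline exported from HKLM) or loads a DLL from an untrusted root."""
    findings = []
    for ev in events:
        m = COM_KEY.match(ev["TargetObject"]) if ev.get("EventID") == 13 else None
        if not m:
            continue  # not a per-user COM server registration
        dll, reasons = normalize(ev["Details"]), []
        if m["clsid"].upper() in hklm_clsids:
            reasons.append("per-user key shadows a machine-wide CLSID registration")
        if not dll.lower().startswith(TRUSTED_ROOTS):
            reasons.append("server DLL outside protected system locations")
        if reasons:
            findings.append({"sid": m["sid"], "clsid": m["clsid"].upper(), "dll": dll,
                             "image": ev["Image"], "reasons": reasons})
    return findings

USER_CLSID = r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Classes\CLSID"
SAMPLE_EVENTS = [  # constructed telemetry, not records from the campaign
    {"EventID": 13, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": USER_CLSID + r"\{AAAAAAAA-1111-4222-8333-444444444444}\InprocServer32\(Default)",
     "Details": r"C:\Users\ivanov\AppData\Roaming\Microsoft\libcache.dll"},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",  # new CLSID, trusted path: benign
     "TargetObject": USER_CLSID + r"\{BBBBBBBB-2222-4333-8444-555555555555}\InprocServer32\(Default)",
     "Details": r'"%ProgramFiles%\Vendor\peruser.dll"'},
]
HKLM_BASELINE = {"{AAAAAAAA-1111-4222-8333-444444444444}"}  # constructed machine-wide CLSID set
```

Calling `detect_com_hijack(SAMPLE_EVENTS, HKLM_BASELINE)` flags only the first record, for both reasons; on a real host the events come from the Sysmon Operational log and the baseline from an export of `HKLM\SOFTWARE\Classes\CLSID`.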