Operation ForumTrol has launched a new phishing campaign aimed at Russian political scientists and academic researchers. The group has been active throughout 2025 and first drew major attention after exploiting a Chrome zero-day vulnerability (CVE-2025-2783).
Earlier incidents linked to ForumTrol involved rare malware families such as the LeetAgent backdoor and the Dante spyware developed by Memento Labs.
In contrast to their previous attacks on large organizations, this new activity is directed at individual experts in political science, international relations, and global economics across major universities and research institutes in Russia.
Chrome 0-Day in New Phishing Campaign
The campaign uses phishing emails sent from support@e-library[.]wiki, an address crafted to mimic the legitimate scientific platform eLibrary. The attackers rely on this impersonation to make their messages look genuine and increase the chances of victims opening the malicious content.
When someone clicks the link in the phishing email, they are taken to a page that delivers a ZIP file created specifically for them. The file even uses the victim's full name in the LastName_FirstName_Patronymic.zip format to appear legitimate.
The group behind the attack planned this well in advance. They registered the malicious domain in March 2025, long before the campaign started. This helped the domain look "normal" online and reduced the chances of it being flagged as suspicious.
To make the operation more convincing, the attackers copied the real eLibrary website and added controls that block repeated downloads. This made it harder for analysts to examine the files.
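The sender address in this campaign only differs from the impersonated platform by a hyphen and a top-level domain, which is exactly the kind of difference a mail gateway rule can catch. The following is an added example, not code from the article or from Securelist: it normalizes the registrable label of a sender domain (dropping separators and folding common digit-for-letter substitutions) and compares it with an allowlist of brands. The allowlist entry elibrary.ru is an assumption standing in for the real platform's domain, since the article names only the impersonating domain e-library[.]wiki; the sample addresses are constructed.

```python
import re

# Constructed allowlist mapping a brand key to the domains that may legitimately
# send mail for it. "elibrary.ru" is an ASSUMPTION for the real eLibrary platform;
# the article only names the impersonating domain e-library[.]wiki.
LEGITIMATE_DOMAINS = {
    "elibrary": {"elibrary.ru"},
}

# Digits attackers commonly substitute for letters (0->o, 1->l, 3->e, 5->s).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def refang(text: str) -> str:
    """Turn defanged indicators such as e-library[.]wiki back into a real domain."""
    return text.replace("[.]", ".").replace("(.)", ".")


def sender_domain(address: str) -> str:
    """Extract the domain from 'user@domain' or 'Display Name <user@domain>'."""
    m = re.search(r"@([A-Za-z0-9.\-\[\]]+)", address)
    if not m:
        raise ValueError(f"no domain in sender address: {address!r}")
    return refang(m.group(1)).lower().strip(".")


def brand_key(domain: str) -> str:
    """Registrable label with separators stripped and confusable digits folded."""
    labels = domain.split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]
    return re.sub(r"[^a-z0-9]", "", label).translate(CONFUSABLES)


def classify_sender(address: str) -> str:
    """Return 'legitimate', 'lookalike:<brand>' or 'unknown' for a sender address."""
    domain = sender_domain(address)
    key = brand_key(domain)
    for brand, legit in LEGITIMATE_DOMAINS.items():
        # Exact match or a subdomain of an allowlisted domain is fine.
        if any(domain == d or domain.endswith("." + d) for d in legit):
            return "legitimate"
        # Same brand once hyphens, dots and confusable digits are removed,
        # but not an allowlisted domain: treat as an impersonation attempt.
        if brand in key:
            return f"lookalike:{brand}"
    return "unknown"


if __name__ == "__main__":
    for addr in ("support@e-library[.]wiki", "noreply@elibrary.ru", "alice@example.org"):
        print(f"{addr:32} -> {classify_sender(addr)}")
```

The check is deliberately conservative: it only fires when the normalized label contains a protected brand, so it complements rather than replaces SPF/DKIM/DMARC checks on the envelope domain.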
Securelist researchers discovered the campaign in October 2025, shortly before presenting their research on ForumTrol at the Security Analyst Summit.
Their analysis showed that the attackers studied each target, gathered personal details, and adjusted every message to match the individual. The website also checked a visitor's device and asked people using non-Windows systems to switch to a Windows computer before accessing the file; this filtering is another sign of the attackers' technical precision.
These steps (personalized files, early domain registration, and careful filtering) show how much effort ForumTrol put into avoiding detection and increasing the chances of a successful infection.
The archive includes a shortcut named after the victim and a folder of random images to appear normal. Opening the shortcut runs a PowerShell script that downloads a DLL from e-library[.]wiki and saves it as iconcache_.dll.
The malware persists through COM hijacking: it writes the DLL path into a CLSID's InProcServer32 registry key, so Windows loads iconcache_.dll whenever that COM object is instantiated.
To distract the user, a fake plagiarism report opens while the loader installs the Tuoni remote-access framework.
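Because COM hijacking via InProcServer32 leaves a registry value behind, a defender can hunt for it in a registry export. The script below is an added example, not Securelist's tooling or anything from the article: it parses a `.reg` export of the CLSID hive, pulls every InProcServer32 default value, and flags entries that combine a per-user (HKCU) override with a DLL living in a user-writable directory or carrying the file name reported for this campaign. The export text is constructed, the GUIDs and user paths are invented, and only iconcache_.dll comes from the article; the fact that Windows consults HKCU\Software\Classes before HKLM when resolving a CLSID is standard COM behaviour. The parser handles REG_SZ default values only, not hex-encoded expandable strings.

```python
import re
from dataclasses import dataclass

# Constructed .reg export in the format "reg export" produces. GUIDs and paths
# are made up for this example; only the file name iconcache_.dll comes from
# the reported campaign.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}]
@="Constructed CLSID entry"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InProcServer32]
@="C:\\Users\\alice\\AppData\\Local\\iconcache_.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{66666666-7777-8888-9999-000000000000}\InProcServer32]
@="C:\\Users\\alice\\AppData\\Local\\Temp\\helper.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\InProcServer32]
@="C:\\Windows\\System32\\shell32.dll"
'''

SECTION = re.compile(r"^\[(HKEY_[A-Z_]+)\\(.+)\]$")   # [HIVE\path\to\key]
DEFAULT = re.compile(r'^@="(.*)"$')                   # @="value" (REG_SZ default)

# Directory markers a standard user can write to; a COM server loaded from
# here is worth a second look.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
KNOWN_BAD_NAMES = {"iconcache_.dll"}  # loader file name reported for this campaign


@dataclass
class Finding:
    hive: str
    clsid: str
    dll: str
    reasons: tuple


def parse_inprocserver32(reg_text: str):
    """Yield (hive, clsid, dll_path) for every InProcServer32 default value."""
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if m:
            hive, path = m.groups()
            parts = path.split("\\")
            # Remember the CLSID only while inside its InProcServer32 subkey.
            current = (hive, parts[-2]) if parts[-1].lower() == "inprocserver32" else None
            continue
        m = DEFAULT.match(line)
        if m and current:
            dll = m.group(1).replace("\\\\", "\\")  # .reg files double backslashes
            yield current[0], current[1], dll


def hunt(reg_text: str) -> list:
    """Return findings for InProcServer32 entries that look like COM hijacks."""
    findings = []
    for hive, clsid, dll in parse_inprocserver32(reg_text):
        low = dll.lower()
        reasons = []
        if hive == "HKEY_CURRENT_USER":
            reasons.append("per-user CLSID override (HKCU is consulted before HKLM)")
        if any(marker in low for marker in USER_WRITABLE):
            reasons.append("DLL in user-writable location")
        if low.rsplit("\\", 1)[-1] in KNOWN_BAD_NAMES:
            reasons.append("file name matches reported loader")
        # An HKCU entry on its own is normal for per-user software; require a
        # second indicator before surfacing it.
        if len(reasons) >= 2:
            findings.append(Finding(hive, clsid, dll, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_REG):
        print(f"{f.hive}\\...\\{f.clsid}\\InProcServer32 -> {f.dll}")
        for r in f.reasons:
            print("   -", r)
```

Treat the output as a triage list rather than a verdict: legitimate per-user applications also register COM servers under HKCU with AppData paths, so compare findings against a known-good baseline of the fleet and check the signer and hash of each DLL before acting.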