A new campaign by the ForumTroll APT group
The ForumTroll APT group has initiated a targeted phishing campaign primarily against Russian political scientists, leveraging plagiarism report-themed bait. Attackers used a carefully crafted domain and personalized emails to deliver the Tuoni malware framework. The campaign employs social engineering tactics, masquerading as a scientific library to trick victims into downloading malicious archives. The final payload is executed via PowerShell scripts and achieves persistence through COM Hijacking. Although less technically advanced than their prior spring campaign involving zero-day exploits, this operation underscores ForumTroll's ongoing focus on Russian and Belarusian targets. Indicators include the domain e-library.wiki and the IP address 193.65.18.14.
AI Analysis
Technical Summary
ForumTroll, an advanced persistent threat (APT) group, has launched a new targeted phishing campaign against Russian political scientists, using plagiarism reports as the lure theme. The attackers prepared the domain e-library.wiki to impersonate a scientific library and sent personalized emails that led recipients to download malicious archives. Once the archive contents are opened, PowerShell scripts stage and execute the Tuoni malware framework; staging through the built-in interpreter avoids a conventional compiled dropper and blends with administrative activity, which sidesteps controls keyed on executable files. Persistence is established through COM Hijacking: the malware registers a CLSID under the per-user hive (HKCU\Software\Classes\CLSID), which a non-elevated process consults before the machine-wide registrations in HKLM, so the next legitimate instantiation of that object (for example by explorer.exe at logon) loads the attacker's component instead. This campaign follows a more sophisticated spring campaign by the same group that leveraged zero-day vulnerabilities; the fall campaign relies instead on social engineering and targeted phishing. Tooling associated with the group also includes Dante and LeetAgent, indicating modular capabilities for espionage and data exfiltration. The campaign's tactics map to MITRE ATT&CK techniques T1566 (Phishing), T1059.001 (Command and Scripting Interpreter: PowerShell), T1546.015 (Event Triggered Execution: Component Object Model Hijacking) and T1105 (Ingress Tool Transfer). Indicators of compromise are the IP address 193.65.18.14 and the domain e-library.wiki. No CVEs or exploitation of software vulnerabilities are reported for this campaign; the actor's continued focus on Russian and Belarusian targets suggests geopolitical motivation. The medium severity reflects the targeted nature of the operation and its reliance on social engineering rather than broad technical exploitation.
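The COM Hijacking mechanism described above can be audited directly from the registry. The following PowerShell function is an added example for this page, not tooling from the report, from AlienVault or from the ForumTroll actor; the function name Get-UserComOverride, the list of trusted directories and the finding labels are assumptions chosen for illustration. It enumerates per-user COM server registrations and flags those that shadow a machine-wide CLSID, redirect through TreatAs, or point at a file outside the directories a vendor installer would normally use.

```powershell
# Added example (not from the original report): audit per-user COM registrations for hijacks.
# For a non-elevated process COM resolves a CLSID from HKCU\Software\Classes\CLSID before
# HKLM\Software\Classes\CLSID, so a user-level implant can plant
# HKCU\...\CLSID\{GUID}\InprocServer32 = C:\Users\<u>\AppData\...\x.dll and get loaded by any
# process that instantiates that CLSID. Elevated (high-integrity) processes ignore HKCU class
# registrations, which is why hijacks target CLSIDs used by ordinary user processes such as explorer.exe.

function Get-UserComOverride {
    [CmdletBinding()]
    param(
        # Per-user CLSID roots to audit. To cover other profiles, run elevated and also pass
        # 'Registry::HKEY_USERS\<SID>\Software\Classes\CLSID' for each loaded profile hive.
        [string[]]$UserRoot = @('HKCU:\Software\Classes\CLSID'),
        # Directories a legitimate COM server is expected to live under (assumption; tune per estate).
        [string[]]$TrustedDir = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:CommonProgramFiles)
    )
    # Subkeys that name the code COM will load (in-process DLL), launch (local EXE) or redirect to.
    $serverSubkeys = 'InprocServer32', 'InprocHandler32', 'LocalServer32', 'TreatAs'
    $trusted = $TrustedDir | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() }

    foreach ($root in $UserRoot) {
        if (-not (Test-Path -Path $root)) { continue }
        foreach ($clsidKey in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            $clsid = $clsidKey.PSChildName
            foreach ($sub in $serverSubkeys) {
                $userKey = "$root\$clsid\$sub"
                if (-not (Test-Path -Path $userKey)) { continue }
                $userValue = [string](Get-ItemProperty -Path $userKey -ErrorAction SilentlyContinue).'(default)'
                $machineKey = "HKLM:\Software\Classes\CLSID\$clsid\$sub"
                $machineValue = $null
                if (Test-Path -Path $machineKey) {
                    $machineValue = [string](Get-ItemProperty -Path $machineKey -ErrorAction SilentlyContinue).'(default)'
                }

                $findings = @()
                # Classic hijack: the user hive overrides a class that is registered machine-wide.
                if ($null -ne $machineValue -and $machineValue -ne $userValue) { $findings += 'ShadowsHKLM' }
                # TreatAs silently redirects the CLSID to another class; rarely legitimate per user.
                if ($sub -eq 'TreatAs') { $findings += 'TreatAsRedirect' }
                if ($sub -ne 'TreatAs' -and $userValue) {
                    $expanded = [Environment]::ExpandEnvironmentVariables($userValue).Trim('"').ToLowerInvariant()
                    if ($expanded -notmatch '\\') {
                        # A bare file name resolves through the DLL search order and can be side-loaded.
                        $findings += 'BareFileName'
                    } else {
                        $inTrusted = $false
                        foreach ($dir in $trusted) { if ($expanded.StartsWith($dir + '\')) { $inTrusted = $true; break } }
                        if (-not $inTrusted) { $findings += 'UntrustedPath' }
                        # LocalServer32 may carry command-line arguments, so only test DLL paths for existence;
                        # a missing DLL usually means a stale or partially cleaned-up hijack.
                        if ($sub -ne 'LocalServer32' -and -not (Test-Path -LiteralPath $expanded)) { $findings += 'FileMissing' }
                    }
                }
                if ($findings.Count -eq 0) { continue }

                [pscustomobject]@{
                    CLSID        = $clsid
                    Subkey       = $sub
                    UserValue    = $userValue
                    MachineValue = $machineValue
                    Findings     = ($findings -join ',')
                }
            }
        }
    }
}

# Usage: run in the context of the user whose profile is being checked.
# Get-UserComOverride | Format-Table -AutoSize
```

On a managed workstation the list is normally empty or limited to a few per-user installers (some browsers and messaging clients register shell extensions under HKCU). Anything tagged ShadowsHKLM together with UntrustedPath is worth pulling the referenced file for analysis; a FileMissing entry that names a CLSID used by explorer.exe is often the residue of a removed implant and still tells you which host was touched.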
Potential Impact
For European organizations, the direct impact of this campaign is limited because it targets Russian and Belarusian political scientists. European entities working in political science, international relations, or research collaborations with Russian or Belarusian institutions could still be affected: they may receive the same lure, or their networks may trust correspondence from the targeted individuals. A successful phish followed by COM Hijacking persistence gives the operator a durable foothold for espionage and data theft, compromising confidentiality and integrity. Because the staging is done with PowerShell, post-compromise discovery and lateral movement can proceed with built-in tooling that blends into administrative activity, which makes detection harder once a foothold exists. The campaign also illustrates how topical bait tied to the victim's professional interests is tailored per target; the same template could be turned against European researchers. Organizations with geopolitical or research interests in Eastern Europe should be particularly vigilant. The medium severity indicates a moderate risk level, calling for awareness and targeted defenses rather than emergency patching or incident response.
Mitigation Recommendations
1. Implement advanced email filtering that detects and quarantines phishing emails, especially those with attachments or links related to scientific or academic themes, and block or sandbox archive attachments containing scripts.
2. Conduct targeted security awareness training for employees, focusing on personalized phishing emails that exploit topical bait such as plagiarism reports.
3. Monitor and restrict PowerShell usage: apply application control, enable Script Block Logging and Module Logging, and alert on script blocks that download, decode or load code in memory.
4. Employ Endpoint Detection and Response (EDR) tooling that detects persistence techniques such as COM Hijacking, in particular new or modified CLSID server keys under the per-user hive.
5. Regularly audit per-user COM registrations (HKCU\Software\Classes\CLSID) and other startup entries; a per-user entry that overrides a machine-wide CLSID is the signature of this persistence technique.
6. Block and monitor network traffic to and from the known malicious domain e-library.wiki and IP address 193.65.18.14.
7. Establish incident response playbooks for phishing and PowerShell-based malware infections to enable rapid containment and remediation.
8. Collaborate with threat intelligence providers to stay updated on ForumTroll activities and indicators of compromise.
9. Limit user privileges to reduce the impact of successful phishing attacks and to prevent persistence mechanisms that require more than user rights.
10. For organizations with ties to Russian or Belarusian research communities, apply additional scrutiny and monitoring to communications and file exchanges.
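Items 3 and 4 above call for PowerShell logging and for detecting the staging behaviour. The following PowerShell is an added example for this page, not tooling from the report or from AlienVault; the function names Enable-PSScriptBlockLogging and Find-SuspiciousScriptBlock, the token list and the two-hit threshold are assumptions to be tuned per environment. The first function sets the same registry values the "Turn on PowerShell Script Block Logging" Group Policy writes; the second searches the resulting 4104 events for blocks that combine several download, decode or in-memory-load primitives.

```powershell
# Added example (not from the original report): enable Script Block Logging, then hunt the
# resulting 4104 events for the fetch-and-run patterns a PowerShell stager typically uses.

function Enable-PSScriptBlockLogging {
    # Same registry values the "Turn on PowerShell Script Block Logging" policy writes.
    # Needs an elevated session; on domain-joined hosts prefer the GPO so a local admin cannot undo it.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord
    # Invocation logging (4105/4106) records every block start/stop; very noisy, keep it off.
    Set-ItemProperty -Path $key -Name 'EnableScriptBlockInvocationLogging' -Value 0 -Type DWord
    Get-ItemProperty -Path $key | Select-Object EnableScriptBlockLogging, EnableScriptBlockInvocationLogging
}

function Find-SuspiciousScriptBlock {
    [CmdletBinding()]
    param(
        [int]$Hours = 24,
        # Tokens common to download-and-execute stagers and in-memory loaders (assumption; tune per estate).
        [string[]]$Token = @(
            'FromBase64String', 'EncodedCommand', 'DownloadString', 'DownloadFile', 'Net.WebClient',
            'Invoke-WebRequest', 'Invoke-RestMethod', 'Invoke-Expression', 'IEX', 'Add-Type',
            'VirtualAlloc', 'Reflection.Assembly', 'Expand-Archive', 'Software\Classes\CLSID'
        ),
        # Require several distinct tokens in one block to cut down on legitimate admin-script noise.
        [int]$MinHits = 2
    )
    $regex = ($Token | ForEach-Object { [regex]::Escape($_) }) -join '|'
    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent emits a non-terminating error when nothing matches; SilentlyContinue yields zero events.
    foreach ($evt in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        # 4104 properties: [0] MessageNumber, [1] MessageTotal, [2] ScriptBlockText, [3] ScriptBlockId, [4] Path
        $text = [string]$evt.Properties[2].Value
        $hits = @([regex]::Matches($text, $regex, 'IgnoreCase') |
                  ForEach-Object { $_.Value.ToLowerInvariant() } | Sort-Object -Unique)
        if ($hits.Count -lt $MinHits) { continue }
        [pscustomobject]@{
            Time          = $evt.TimeCreated
            ScriptBlockId = $evt.Properties[3].Value
            Path          = $evt.Properties[4].Value   # empty for interactive or in-memory blocks
            Hits          = ($hits -join ',')
            Snippet       = ($text.Substring(0, [Math]::Min(160, $text.Length)) -replace '\s+', ' ')
        }
    }
}

# Usage (elevated): Enable-PSScriptBlockLogging
# Later, or on a collected host: Find-SuspiciousScriptBlock -Hours 72 | Format-List
```

Long scripts are split across several 4104 events that share one ScriptBlockId, so group on that field when reconstructing what ran. A block with an empty Path that decodes Base64 and then calls Invoke-Expression or Add-Type is the shape of a stager launched from an archive, which is the step this campaign relies on before the framework is installed.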
Affected Countries
Russia, Belarus, Ukraine, Estonia, Latvia, Lithuania, Poland, Germany, Finland
Indicators of Compromise
- ip: 193.65.18.14
- domain: e-library.wiki
Technical Details
- Author: AlienVault
- TLP: white
- References: https://securelist.com/operation-forumtroll-new-targeted-campaign/118492/
- Adversary: ForumTroll
- Pulse Id: 6942a78ba8a16371e6ddd3cc
- Threat Score: null (not set)
Threat ID: 69432b79058703ef3fc51713
Added to database: 12/17/2025, 10:15:21 PM
Last enriched: 12/17/2025, 10:30:03 PM
Last updated: 12/18/2025, 12:15:26 PM