ForumTroll targets political scientists | Kaspersky official blog
The ForumTroll APT group is sending malicious emails to political scientists, imitating reports of plagiarism.
AI Analysis
Technical Summary
The ForumTroll APT group has launched a targeted phishing campaign aimed at political scientists and researchers, especially those affiliated with Russian universities and organizations specializing in political science, international relations, and global economics. The attackers send emails from support@e-library.wiki, a lookalike domain that mimics the legitimate Russian scientific electronic library (elibrary.ru); the attackers control this domain, so the messages are not spoofed from elibrary.ru itself. Each email contains a personalized link to a purported plagiarism report. The link leads to an archive containing a malicious .lnk (Windows shortcut) file together with supporting files intended to evade security detection. When the victim opens the .lnk file on a Windows system, it launches a PowerShell script that begins a multi-stage infection chain. The chain ends by installing Tuoni, a commercial red team command-and-control framework that gives the attackers remote access to and extensive control over the compromised host. Persistence is achieved through COM hijacking: the malware registers its own component under a Component Object Model identifier so that it is loaded again after a reboot whenever that interface is used. To avoid raising suspicion, the malware displays a decoy PDF resembling a plagiarism check; the filename is personalized with the victim's name, but the content is generic. Victims who browse to the lookalike domain are served a slightly outdated but convincing copy of the legitimate e-library website, which further strengthens the credibility of the lure. The campaign is highly targeted and relies on social engineering tailored to the victim's professional interests. No exploitation of software vulnerabilities has been reported; the chain depends entirely on the user opening the shortcut. Kaspersky states that its security products detect and block this malware.
The campaign highlights the risk posed by targeted phishing against academic and research personnel, especially those handling sensitive political and economic information.
Potential Impact
For European organizations, particularly academic and research institutions involved in political science, international relations, and economics, this threat poses a significant risk of espionage and data compromise. A successful infection gives the attackers remote access to the host and the ability to exfiltrate research data, intellectual property, and communications. Persistence through COM hijacking makes detection and removal harder and can allow long-term surveillance and data theft. Although the campaign currently targets Russian institutions, the same tactics could be adapted against European researchers, especially those collaborating with or studying Russian political matters. Compromise of political scientists could also have broader implications for national security and policy-making, given the sensitivity of their work. Personalized social engineering increases the likelihood of a successful compromise, so awareness and targeted defenses are critical. The medium severity rating reflects the targeted nature and the potential impact on confidentiality and integrity, balanced against the fact that the attack requires user interaction and is limited in scope.
Mitigation Recommendations
European organizations should implement multi-layered defenses tailored to targeted phishing threats. Specific recommendations:
1) Deploy email gateway security capable of detecting lookalike sender domains and blocking malicious links and archive attachments before they reach end users.
2) Enforce a strict DMARC policy (with SPF and DKIM) on your own domains to prevent exact-domain spoofing. Note that DMARC does not stop mail from an attacker-controlled lookalike domain such as e-library.wiki; pair it with lookalike-domain monitoring and a gateway rule that flags newly registered or visually similar sender domains.
3) Conduct targeted security awareness training for political scientists and researchers, emphasizing personalized phishing and how to verify suspicious emails and links (for example, by navigating to the library site directly rather than following a link).
4) Restrict execution of PowerShell scripts and of .lnk files extracted from archives through application control and endpoint protection policies, especially for users with access to sensitive data. Shortcuts that spawn powershell.exe from a user's Downloads or Temp directory are a strong detection signal.
5) Monitor for persistence via COM hijacking by auditing per-user COM registrations (HKCU\Software\Classes\CLSID) that override machine-wide ones or point at DLLs in user-writable locations.
6) Maintain up-to-date endpoint detection and response (EDR) coverage capable of identifying and isolating commercial command-and-control frameworks such as Tuoni.
7) Implement network segmentation to limit lateral movement if a device is compromised.
8) Require multi-factor authentication (MFA) on remote access points and research portals.
9) Regularly review and update incident response plans to include targeted phishing scenarios.
10) Work with threat intelligence providers to stay informed about emerging APT tactics and indicators of compromise.
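The persistence technique described in the technical summary, and recommendation 5 above, both come down to the same check: a CLSID registered under the current user's hive is resolved before the machine-wide copy, so a user-writable DLL placed there is loaded by any process that instantiates that COM object. The following PowerShell script is an added example for hunting that pattern; it is not code from the Kaspersky post and does not use any indicator from the campaign. The list of user-writable directories and the scoring rules are assumptions for illustration.

```powershell
# Added example (not from the Kaspersky post): audit per-user COM registrations
# for the COM hijacking pattern. HKCU\Software\Classes\CLSID is merged over
# HKLM\Software\Classes\CLSID when HKCR is resolved, so a per-user entry
# overrides the trusted machine-wide server. The directory list and the
# scoring below are assumptions chosen for illustration.

$userClsidRoot    = 'Registry::HKEY_CURRENT_USER\Software\Classes\CLSID'
$machineClsidRoot = 'Registry::HKEY_LOCAL_MACHINE\Software\Classes\CLSID'

# Locations where a legitimate COM server DLL is rarely installed (assumed list).
$userWritableHints = @(
    [Environment]::GetFolderPath('LocalApplicationData'),
    [Environment]::GetFolderPath('ApplicationData'),
    [Environment]::ExpandEnvironmentVariables('%TEMP%'),
    [Environment]::ExpandEnvironmentVariables('%PUBLIC%')
)

function Get-ComServerPath {
    param([string]$ClsidKeyPath)
    # The server binary lives in the default value of InprocServer32 (DLL) or
    # LocalServer32 (EXE); it may be quoted and may contain %ENV% variables.
    foreach ($sub in 'InprocServer32', 'LocalServer32') {
        $serverKey = Join-Path $ClsidKeyPath $sub
        if (Test-Path $serverKey) {
            $raw = (Get-ItemProperty -Path $serverKey -ErrorAction SilentlyContinue).'(default)'
            if ($raw) {
                $expanded = [Environment]::ExpandEnvironmentVariables($raw.Trim('"'))
                return [pscustomobject]@{ Type = $sub; Path = $expanded }
            }
        }
    }
    return $null
}

function Test-ComHijack {
    if (-not (Test-Path $userClsidRoot)) { return @() }
    $findings = @()
    foreach ($clsidKey in Get-ChildItem -Path $userClsidRoot -ErrorAction SilentlyContinue) {
        $server = Get-ComServerPath -ClsidKeyPath $clsidKey.PSPath
        if (-not $server) { continue }

        $clsid          = $clsidKey.PSChildName
        $shadowsMachine = Test-Path (Join-Path $machineClsidRoot $clsid)
        $inUserDir      = $userWritableHints | Where-Object { $server.Path -like "$_*" } | Select-Object -First 1
        $exists         = Test-Path -LiteralPath $server.Path
        $sig            = if ($exists) { (Get-AuthenticodeSignature -FilePath $server.Path).Status } else { 'FileMissing' }

        # Three indicators: overriding an HKLM CLSID, a server in a user-writable
        # path, and an unsigned or missing binary. Any one is worth a look.
        $reasons = @()
        if ($shadowsMachine)  { $reasons += 'overrides HKLM CLSID' }
        if ($inUserDir)       { $reasons += 'server in user-writable path' }
        if ($sig -ne 'Valid') { $reasons += "signature: $sig" }

        if ($reasons.Count -gt 0) {
            $findings += [pscustomobject]@{
                CLSID   = $clsid
                Type    = $server.Type
                Server  = $server.Path
                Reasons = ($reasons -join '; ')
            }
        }
    }
    return $findings
}

Test-ComHijack | Sort-Object CLSID | Format-Table -AutoSize
```

Run it in the context of each user account being investigated, since HKCU is per user; for a fleet-wide sweep, enumerate HKEY_USERS\<SID>\Software\Classes\CLSID instead. Expect benign hits from per-user installers (browser and collaboration software commonly register COM servers under the user profile), so triage on the combination of indicators rather than any single one. Also note that elevated (high-integrity) processes ignore per-user COM registrations, so this technique typically persists in the user's own session rather than in elevated or SYSTEM processes.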
Affected Countries
Russia, Germany, France, United Kingdom, Poland, Italy, Netherlands
Technical Details
- Article Source: https://www.kaspersky.com/blog/forumtroll-hunts-for-political-scientists/55052/ (fetched 2025-12-17T11:06:48Z, 884 words)
Threat ID: 69428ec8034dcf49503b045e
Added to database: 12/17/2025, 11:06:48 AM
Last enriched: 12/17/2025, 11:07:07 AM
Last updated: 12/17/2025, 12:21:48 PM