
ForumTroll targets political scientists | Kaspersky official blog

Medium
Vulnerability
Published: Wed Dec 17 2025 (12/17/2025, 10:58:51 UTC)
Source: Kaspersky Security Blog

Description

The ForumTroll APT group is sending malicious emails to political scientists, imitating reports of plagiarism.

AI-Powered Analysis

Last updated: 01/10/2026, 00:25:59 UTC

Technical Analysis

The ForumTroll APT group has launched a targeted spear-phishing campaign aimed at political scientists and researchers, particularly those affiliated with Russian universities and institutions specializing in political science, international relations, and global economics. The attackers send emails from a spoofed domain (support@e-library.wiki) mimicking the legitimate Russian scientific electronic library elibrary.ru. These emails contain personalized links to purported plagiarism reports, designed to entice recipients to download an archive file. The archive includes a malicious .lnk shortcut file and a .Thumbs directory with images to evade security detection. When the victim clicks the .lnk file on a Windows machine, a PowerShell script executes, initiating a multi-stage infection. The payload installs the commercial Tuoni red team framework, which provides attackers with remote access capabilities and persistence through COM hijacking. A decoy PDF report, vaguely related to plagiarism detection, is displayed to distract the victim. The attackers also serve a near-identical copy of the legitimate e-library website to increase the email's credibility. The campaign leverages social engineering by personalizing filenames and email content with the victim's full name. The malware is currently detected and blocked by Kaspersky security products, and no known exploits are reported in the wild beyond this campaign. The attack requires user interaction (clicking the malicious link) and targets a narrow group of individuals, indicating a focused espionage or intelligence-gathering motive. The campaign demonstrates advanced evasion and persistence techniques, including COM hijacking and decoy document display, to maintain stealth and prolonged access.

Potential Impact

For European organizations, especially academic and research institutions involved in political science, international relations, or global economics, this threat poses a significant risk of espionage and intellectual property theft. Successful compromise could lead to unauthorized remote access, data exfiltration, and manipulation of sensitive research data. The use of personalized social engineering tactics increases the likelihood of successful infection among targeted individuals. Persistent access via COM hijacking complicates detection and remediation efforts. Although the campaign currently targets Russian institutions, the tactics and malware framework could be adapted to target European researchers, potentially impacting confidentiality and integrity of sensitive political research. The attack could also undermine trust in academic communications and electronic libraries. Additionally, if attackers pivot from compromised machines, they could threaten broader organizational networks. The medium severity reflects the targeted nature and requirement for user interaction but acknowledges the potential for significant damage if successful.

Mitigation Recommendations

European organizations should implement multi-layered defenses tailored to targeted spear-phishing threats. Specifically, deploy advanced email security gateways capable of detecting and blocking spoofed domains and malicious attachments, including .lnk files and archives with embedded scripts. Enforce strict attachment filtering policies and disable execution of PowerShell scripts from email downloads unless explicitly required and monitored. Employ endpoint detection and response (EDR) solutions with behavioral analysis to identify and quarantine suspicious activities such as COM hijacking and unauthorized remote access framework installations. Conduct targeted user awareness training for researchers and staff on recognizing spear-phishing attempts, especially those involving personalized content and academic themes like plagiarism reports. Regularly audit and restrict PowerShell usage and script execution policies on endpoints. Maintain up-to-date threat intelligence feeds to detect emerging APT tactics and indicators of compromise related to ForumTroll. Finally, implement network segmentation to limit lateral movement from compromised hosts and ensure robust incident response plans are in place to quickly isolate and remediate infections.
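The attachment-filtering advice above can be turned into a concrete gateway check. The following Python is an added example written for this page; it is not code from Kaspersky or from the analysis source. It scans a ZIP attachment for the archive layout the analysis describes (a Windows .lnk shortcut plus a hidden .Thumbs directory) and goes one step further than the extension rule by also recognising a shortcut from its fixed file header, so a .lnk renamed to look like a document is still caught. The header constant comes from the MS-SHLLINK specification; the two sample archives, including the victim name in the filename, are constructed inline purely for the demonstration.

```python
import io
import posixpath
import zipfile

# Fixed header of a Windows Shell Link (.lnk) file: HeaderSize 0x4C followed by
# the LinkCLSID 00021401-0000-0000-C000-000000000046 (MS-SHLLINK specification).
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")

# Hidden directory name reported in the campaign's archive (lower-cased for matching).
HIDDEN_DECOY_DIRS = {".thumbs"}


def looks_like_shortcut(name: str, head: bytes) -> bool:
    """True if an archive member is a shell link, by extension or by header bytes."""
    return name.lower().endswith(".lnk") or head.startswith(LNK_MAGIC)


def inspect_archive(data: bytes) -> dict:
    """Scan a ZIP archive (given as bytes) for the lure layout described above.

    Returns the shortcut members found, the hidden directories seen, a list of
    human-readable reasons and an overall `quarantine` verdict.
    """
    shortcuts, hidden_dirs, reasons = [], set(), []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            # Read only as many bytes as the LNK header needs; no full extraction.
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            if looks_like_shortcut(name, head):
                shortcuts.append(name)
            # Collect dot-prefixed directory components (e.g. ".Thumbs").
            for part in posixpath.dirname(name).split("/"):
                if part.startswith("."):
                    hidden_dirs.add(part.lower())

    if shortcuts:
        reasons.append("shell link member(s): " + ", ".join(shortcuts))
    decoys = hidden_dirs & HIDDEN_DECOY_DIRS
    if decoys:
        reasons.append("hidden decoy directory: " + ", ".join(sorted(decoys)))

    return {
        "shortcuts": shortcuts,
        "hidden_dirs": sorted(hidden_dirs),
        "reasons": reasons,
        # A shortcut inside a mailed archive is enough to hold the message;
        # the decoy directory is corroborating context, not a requirement.
        "quarantine": bool(shortcuts),
    }


def build_sample_archives() -> tuple:
    """Constructed test data (not real campaign samples): one archive shaped like
    the lure described in the analysis and one ordinary PDF attachment."""
    lure = io.BytesIO()
    with zipfile.ZipFile(lure, "w") as zf:
        # Shortcut personalised with a (made-up) recipient name, as in the campaign.
        zf.writestr("Plagiarism_report_Ivan_Ivanov.lnk", LNK_MAGIC + b"\x00" * 56)
        zf.writestr(".Thumbs/page1.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 32)

    benign = io.BytesIO()
    with zipfile.ZipFile(benign, "w") as zf:
        zf.writestr("conference_paper.pdf", b"%PDF-1.7\n" + b"\x00" * 32)

    return lure.getvalue(), benign.getvalue()


if __name__ == "__main__":
    for label, blob in zip(("lure", "benign"), build_sample_archives()):
        result = inspect_archive(blob)
        verdict = "quarantine" if result["quarantine"] else "deliver"
        print(f"{label}: {verdict} {result['reasons']}")
```

The verdict deliberately keys on the shortcut alone, since a shell link has no legitimate place in a mailed "report" archive; the .Thumbs match is logged as supporting evidence for the analyst rather than used as a second gate an attacker could trivially avoid by renaming the directory.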


Technical Details

Article Source
URL: https://www.kaspersky.com/blog/forumtroll-hunts-for-political-scientists/55052/ (fetched 2025-12-17T11:06:48.402Z, 884 words)

Threat ID: 69428ec8034dcf49503b045e

Added to database: 12/17/2025, 11:06:48 AM

Last enriched: 1/10/2026, 12:25:59 AM

Last updated: 2/7/2026, 7:33:17 AM

Views: 98
