
New ForumTroll Phishing Attacks Target Russian Scholars Using Fake eLibrary Emails

Severity: Medium
Category: Phishing
Published: Wed Dec 17 2025 (12/17/2025, 14:54:00 UTC)
Source: The Hacker News

Description

The threat actor linked to Operation ForumTroll has been attributed to a fresh set of phishing attacks targeting individuals within Russia, according to Kaspersky. The Russian cybersecurity vendor said it detected the new activity in October 2025. The origins of the threat actor are presently unknown. "While the spring cyberattacks focused on organizations, the fall campaign honed in on

AI-Powered Analysis

Last updated: 12/17/2025, 16:21:09 UTC

Technical Analysis

The ForumTroll threat actor launched a new phishing campaign, detected in October 2025, that targets Russian scholars specializing in political science, international relations, and global economics at major Russian universities and research institutions. The attackers impersonate the Russian scientific electronic library eLibrary, having registered a lookalike domain (e-library.wiki) six months before the campaign to avoid suspicion. They send personalized phishing emails from this domain instructing recipients to download a plagiarism report via a one-time-use link. The downloaded ZIP archive is named after the victim's full name and contains a Windows shortcut (LNK) file that executes a PowerShell script. This script downloads and launches a PowerShell-based payload from a remote server, which in turn fetches a final-stage DLL payload. The DLL is persisted on the victim's system using COM hijacking, a technique that redirects an existing Component Object Model class registration so that a legitimate process loads the malicious DLL each time it instantiates that class. The payload, known as Tuoni, is a command-and-control and red teaming framework that provides remote access to the infected Windows device. The attackers also display a decoy PDF to avoid suspicion. This campaign follows earlier ForumTroll attacks that exploited a zero-day vulnerability in Google Chrome (CVE-2025-2783) to deliver the LeetAgent backdoor and Dante spyware implants. The current campaign focuses on individuals rather than organizations and demonstrates careful operational security, including domain aging and personalized targeting. The threat actor's origins remain unknown, but the group has been active since at least 2022, primarily targeting Russia and Belarus. The campaign's sophistication and its focus on academia suggest a strategic intelligence-gathering motive.
Additionally, the report references other threat groups active in the region, such as QuietCrabs and Thor, which employ different tactics including ransomware and web shells, highlighting a complex threat landscape.

Potential Impact

For European organizations, particularly academic and research institutions with collaborations or connections to Russian scholars or institutions, this campaign poses a significant risk of espionage and intellectual property theft. The use of personalized phishing emails and sophisticated persistence mechanisms like COM hijacking increases the likelihood of successful compromise. Once infected, attackers gain remote access to victim machines, enabling data exfiltration, surveillance, and potential lateral movement within networks. The targeting of political science and international relations scholars could lead to the compromise of sensitive research and policy-related information. Although the campaign currently focuses on Russian and Belarusian targets, European entities with overlapping research interests or partnerships could be targeted in future iterations or related campaigns. The attack also demonstrates advanced social engineering and operational security, complicating detection and response efforts. The medium severity reflects the targeted nature and complexity, but the potential for significant confidentiality breaches and espionage impact is notable.

Mitigation Recommendations

European organizations should implement targeted user awareness training emphasizing the risks of spear-phishing, especially emails purporting to come from trusted academic or scientific sources. Monitoring for suspicious lookalike domains that mimic legitimate institutions should be integrated into threat intelligence and email security solutions. Endpoint detection and response (EDR) tools must be tuned to detect unusual PowerShell activity, especially scripts launched via LNK files, and persistence techniques such as COM hijacking. Network monitoring should focus on detecting anomalous outbound connections to unknown command-and-control servers. Application allowlisting should restrict execution of unauthorized scripts and binaries. Multi-factor authentication (MFA) should be enforced on all remote access points to limit attacker lateral movement post-compromise. Incident response plans should include procedures for rapid containment and forensic analysis of phishing incidents. Collaboration with national cybersecurity centers and sharing of threat intelligence related to ForumTroll and similar APT groups will enhance preparedness. Finally, organizations should verify the authenticity of emails requesting downloads or sensitive actions by contacting the purported sender directly.
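One way to turn the COM-hijacking part of that EDR guidance into a concrete check, as an added example that is not part of this report or of the article it summarizes: the Python below parses constructed Sysmon-style registry SetValue (Event ID 13) lines and flags writes to per-user CLSID InprocServer32 keys, the registry pattern COM hijacking depends on, weighting those that point a DLL at a location outside the Windows or Program Files trees or that are written by a script host. The field names, SID, CLSID and file paths in the sample lines are invented placeholders, not indicators from the campaign.

```python
import re

# Constructed Sysmon-style registry SetValue (Event ID 13) lines; not taken from the report.
SAMPLE_EVENTS = [
    r"EventID=13 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "
    r"TargetObject=HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes\CLSID"
    r"\{11111111-2222-3333-4444-555555555555}\InprocServer32\(Default) "
    r"Details=C:\Users\scholar\AppData\Roaming\Report\plagiarism.dll",
    r"EventID=13 Image=C:\Windows\System32\msiexec.exe TargetObject=HKLM\SOFTWARE\Classes\CLSID"
    r"\{11111111-2222-3333-4444-555555555555}\InprocServer32\(Default) Details=C:\Program Files\V\v.dll",
    r"EventID=13 Image=C:\Windows\System32\msiexec.exe TargetObject=HKU\S-1-5-21-1111-2222-3333-1001"
    r"\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32\(Default) "
    r"Details=C:\Windows\System32\v.dll",
    r"EventID=13 Image=C:\Windows\explorer.exe TargetObject=HKU\S-1-5-21-1111-2222-3333-1001"
    r"\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden Details=DWORD (0x00000001)",
]

# Per-user COM registrations (HKCU, logged by Sysmon as HKU\<SID>) are consulted before HKLM ones,
# which is what lets a hijacked class load an attacker-controlled DLL without admin rights.
USER_CLSID_RE = re.compile(r"^(?:HKU\\S-1-5-21-[\d-]+|HKCU)\\Software\\Classes\\CLSID\\"
                           r"\{[0-9a-f-]{36}\}\\InprocServer32(?:\\|$)", re.IGNORECASE)
TRUSTED_ROOT_RE = re.compile(r"^[a-z]:\\(?:Windows|Program Files(?: \(x86\))?)\\", re.IGNORECASE)
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe"}
FIELD_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")  # key=value pairs whose values may contain spaces

def parse_event(line: str) -> dict:
    return dict(FIELD_RE.findall(line))

def assess(event: dict) -> list:
    """Reasons the event looks like a COM hijack; an empty list means nothing to report."""
    if event.get("EventID") != "13" or not USER_CLSID_RE.match(event.get("TargetObject", "")):
        return []
    reasons = ["per-user CLSID InprocServer32 set; shadows the machine-wide registration"]
    dll, writer = event.get("Details", ""), event.get("Image", "").rsplit("\\", 1)[-1].lower()
    if dll.lower().endswith(".dll") and not TRUSTED_ROOT_RE.match(dll):
        reasons.append(f"server DLL outside trusted roots: {dll}")
    if writer in SCRIPT_HOSTS:
        reasons.append(f"registration written by script host {writer}")
    return reasons

def scan(lines) -> list:
    """(severity, reasons) for each suspicious line: all three indicators -> high, else low."""
    findings = [assess(parse_event(line)) for line in lines]
    return [("high" if len(r) == 3 else "low", r) for r in findings if r]

if __name__ == "__main__":
    for severity, reasons in scan(SAMPLE_EVENTS):
        print(severity.upper(), "; ".join(reasons))
```

A "low" hit on its own is common after legitimate per-user installs, so the severity split is what keeps the rule usable in an EDR pipeline.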


Technical Details

Article Source: https://thehackernews.com/2025/12/new-forumtroll-phishing-attacks-target.html (fetched 2025-12-17T16:20:33Z, 1225 words)

Threat ID: 6942d853b2cbfb3efaac9c3c

Added to database: 12/17/2025, 4:20:35 PM

Last enriched: 12/17/2025, 4:21:09 PM

Last updated: 12/18/2025, 10:47:56 AM
