Operation ForumTrol’s New Phishing Campaign Targets Russian Scholars
The advanced persistent threat (APT) group behind Operation ForumTrol has launched a targeted phishing campaign against Russian political scientists and researchers. This operation continues the group’s attacks, which began in March 2025 and notably exploited CVE-2025-2783, a zero-day vulnerability in Google Chrome.
Previously, the group deployed rare malware such as the LeetAgent backdoor and Dante spyware, developed by Memento Labs. While earlier campaigns targeted organizations, this recent operation focuses on individual scholars in political science, international relations, and global economics at major Russian universities and research institutions.
Phishing Tactics and Execution
The attackers send meticulously crafted phishing emails from support@e-library[.]wiki, impersonating the legitimate scientific electronic library eLibrary. These emails prompt recipients to download plagiarism reports via malicious links formatted as https://e-library[.]wiki/elib/wiki.php?id=.
Clicking these links downloads personalized archive files named with the victim’s full name in LastName_FirstName_Patronymic.zip format. The threat actors demonstrated advanced preparation by registering the malicious domain in March 2025, six months before launching the campaign, allowing the domain to build reputation and evade spam filters. They also cloned the legitimate eLibrary homepage and implemented protective mechanisms to restrict repeat downloads, hindering security analysis.
Securelist researchers identified this new campaign in October 2025, just days before presenting their report on ForumTrol at the Security Analyst Summit. The investigation revealed that attackers carefully personalized their approach, researching specific targets and customizing each attack. The malicious site even detected non-Windows devices and prompted users to access the content from Windows computers, showing the operation’s technical sophistication. This targeted approach, combined with domain aging techniques, demonstrates the group’s commitment to evading detection and maximizing infection success rates.
Infection Chain and Payload Delivery
The malicious archives contain a shortcut file named after the victim and a .Thumbs directory with approximately 100 Russian-named image files added as decoys to avoid raising suspicion.
When users click the shortcut, it executes a PowerShell script that downloads and runs a PowerShell-based payload from the malicious server. This payload contacts https://e-library[.]wiki/elib/query.php to retrieve a DLL file, which is saved to %localappdata%\Microsoft\Windows\Explorer\iconcache_.dll.
The malware establishes persistence using COM hijacking by writing the DLL path into the registry key HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32, a technique ForumTrol used in its previous spring attacks. Finally, a decoy PDF containing a blurred plagiarism report opens automatically to maintain the deception while the OLLVM-obfuscated loader deploys the payload.
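The following host check is an added example, not code from the report or from Securelist: it looks for the two persistence artefacts described above, the dropped iconcache_.dll and the InProcServer32 value of the hijacked CLSID. It assumes Windows PowerShell 5.1 or later; the CLSID and file path are taken from the report, and the "user-writable location" heuristic is an assumption added here.

```powershell
# Added example (not from the original report): hunt for the ForumTrol COM-hijack
# persistence on a Windows host. CLSID and drop path come from the report above.
$Clsid    = '{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}'
$DropPath = Join-Path $env:LOCALAPPDATA 'Microsoft\Windows\Explorer\iconcache_.dll'
$Findings = @()

# 1. The dropped loader on disk.
if (Test-Path -LiteralPath $DropPath) {
    $Findings += [pscustomobject]@{ Check = 'DroppedDll'; Detail = $DropPath }
}

# 2. The InProcServer32 value of the hijacked CLSID. HKCR is a merged view in which
#    HKCU\Software\Classes takes precedence over HKLM\Software\Classes, so a per-user
#    entry is the usual hijack location; both hives are inspected.
foreach ($Hive in 'HKCU:\Software\Classes', 'HKLM:\Software\Classes') {
    $Key = "$Hive\CLSID\$Clsid\InProcServer32"
    if (-not (Test-Path -LiteralPath $Key)) { continue }

    $Raw = (Get-ItemProperty -LiteralPath $Key).'(default)'
    if (-not $Raw) { continue }
    $Server = [Environment]::ExpandEnvironmentVariables($Raw)

    # Flag the exact path from the report and, more generally (an assumption of this
    # example), any server DLL under a user-writable profile directory or a path
    # that no longer exists on disk.
    $Suspicious = ($Server -ieq $DropPath) -or
                  ($Server -like "$env:LOCALAPPDATA\*") -or
                  ($Server -like "$env:APPDATA\*") -or
                  ($Server -like "$env:USERPROFILE\*") -or
                  (-not (Test-Path -LiteralPath $Server))

    if ($Suspicious) {
        $Findings += [pscustomobject]@{ Check = "ComHijack:$Hive"; Detail = $Server }
    }
}

if ($Findings) {
    $Findings | Format-Table -AutoSize
} else {
    'No ForumTrol persistence artefacts found for this CLSID.'
}
```

A hit in HKCU for a CLSID that is otherwise only registered in HKLM is the strongest indicator; a legitimately installed per-user component can also appear there, so review each finding before remediation.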