A sophisticated phishing campaign, linked to the threat actor behind Operation ForumTroll, has re-emerged with a new focus on individuals within Russia. This latest wave of attacks, detected in October 2025, shifts from targeting organizations to specifically ensnaring academics in political science, international relations, and global economics at prominent Russian universities and research institutions, according to a recent report by The Hacker News.

The campaign begins with emails impersonating eLibrary, a Russian scientific electronic library, using a domain registered six months prior to avoid detection. The emails, sent from a spoofed address, prompt recipients to download a plagiarism report via a malicious link. This action initiates the download of a ZIP archive containing a Windows shortcut. Upon execution, the shortcut deploys a PowerShell script that downloads and installs a command-and-control framework called Tuoni, enabling remote access to the victim's device. The attackers meticulously personalize emails and archive names, using the victim's full name, to enhance the phishing ruse. Operation ForumTroll has been active since at least 2022, targeting entities in Russia and Belarus.

This renewed activity highlights the persistent and evolving nature of sophisticated phishing operations. The targeting of academic professionals suggests a strategic effort to gain access to sensitive research or intellectual property. The use of a well-established framework like Tuoni indicates a mature threat actor. The ongoing operations by groups like ForumTroll underscore the need for enhanced cybersecurity measures, particularly for academic and research institutions, and emphasize the importance of continuous vigilance against advanced persistent threats in the region.

Source: The Hacker News
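
The delivery chain described above depends on a ZIP archive that carries a Windows shortcut. As an added example (not from the report or from SC Media), the Python check below shows how a mail gateway or triage script could flag shortcut files inside a ZIP attachment, by extension or by the Shell Link header; the function names and the sample archive are constructed for illustration.

```python
import io
import struct
import zipfile

# Shell Link (.lnk) header per MS-SHLLINK: HeaderSize 0x0000004C followed by
# LinkCLSID 00021401-0000-0000-C000-000000000046 in its on-disk byte order.
LNK_MAGIC = struct.pack("<I", 0x4C) + bytes.fromhex(
    "0114020000000000c000000000000046"
)


def find_shortcuts(zip_bytes):
    """Return names of archive members that are Windows shortcuts.

    A member is flagged if its name ends in .lnk or if its first 20 bytes
    match the Shell Link header, which also catches renamed shortcuts.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            head = b""
            if not info.flag_bits & 0x1:  # encrypted members: name check only
                with zf.open(info) as member:
                    head = member.read(len(LNK_MAGIC))
            if info.filename.lower().endswith(".lnk") or head == LNK_MAGIC:
                hits.append(info.filename)
    return hits


def build_sample_zip():
    """Constructed test archive: header bytes only, no real payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"%PDF-1.7\n% constructed sample\n")
        zf.writestr("sample_shortcut.lnk", LNK_MAGIC + b"\x00" * 56)
        zf.writestr("notes.txt", LNK_MAGIC + b"\x00" * 56)  # renamed shortcut
        zf.writestr("empty.lnk", b"")  # flagged by extension alone
    return buf.getvalue()


if __name__ == "__main__":
    for name in find_shortcuts(build_sample_zip()):
        print("shortcut in archive:", name)
```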
Malware, Email security
Operation ForumTroll resurfaces with new phishing campaign targeting Russian academics




