- A threat actor linked to Operation ForumTroll initiated new phishing attacks on Russian academics in October 2025.
- Attackers used a forged domain mimicking a scientific library and delivered Malware via personalized email campaigns.
- The malware includes a PowerShell payload and the Tuoni command-and-control framework enabling remote access.
- Other threat groups such as QuietCrabs and Thor exploited recent software vulnerabilities in Microsoft SharePoint and Ivanti products.
Operation ForumTroll, active since at least 2022, has resurfaced with targeted phishing attacks against individuals in Russia. In October 2025, the group focused on scholars specializing in political science, international relations, and economics at major universities and research centers. These efforts aim to gain access to sensitive information via personalized email campaigns.
The operation exploits a previously unknown vulnerability in Google Chrome (CVE-2025-2783) to deliver advanced malware. Attackers sent emails from a domain, “support@e-library[.]wiki,” registered six months prior to the campaign. This domain impersonated the Russian scientific electronic library “eLibrary,” Hosting a fake copy of the legitimate site to lend credibility.
Emails urged recipients to click a link to download a plagiarism report. Following the link triggered a one-time download of a ZIP archive named using the victim’s full name. This archive contained a Windows shortcut (LNK) file that executed a PowerShell script. The script downloaded a payload initiating further infection steps, including fetching a final-stage DLL and establishing persistence via COM hijacking. The victim also received a decoy PDF to mask the attack.
The final payload consisted of the Tuoni framework, a command-and-control (C2) and red teaming tool that grants remote control of infected Windows machines.
Additionally, Cybersecurity researchers have identified activity from two other threat clusters active in 2025. The group QuietCrabs, linked to Chinese Hackers UTA0178 and UNC5221, exploited security flaws in Microsoft SharePoint (CVE-2025-53770) and Ivanti products like Endpoint Manager Mobile (CVE-2025-4427, CVE-2025-4428), Connect Secure (CVE-2024-21887), and Sentry (CVE-2023-38035). Their methods include deploying ASPX web shells, JSP loaders, and implants such as Sliver.
The group Thor, first noted for targeting Russian companies in 2025, employed Ransomware families LockBit and Babuk. They also used tools like Tactical RMM and MeshAgent to maintain long-term access.
This renewed wave of cyberattacks highlights persistent threats to Russian academic and corporate sectors using advanced phishing and exploitation techniques.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- XRP Price Declines 26%, Warning Signs Point to Possible $1 Drop
- Elliptic Defines Full Blockchain Coverage with 4 Key Standards
- Caroline Ellison Moves to Halfway House After 11 Months in Prison
- Securitize to Launch First Compliant Onchain Public Stock Trading
- Monero Jobs Launches; XMR Price Hits $486 in 2025 Growth Surge
