Beware: Russian Scholars Under Siege by Phishing Attacks Disguised as eLibrary Emails

Phishing Campaign Targeting Russian Scholars Uncovered by Kaspersky

Kaspersky recently discovered a new wave of phishing attacks targeting individuals in Russia. The campaign, attributed to the threat actor behind Operation ForumTroll, was identified in October 2025. The attackers focused on scholars specializing in political science, international relations, and global economics at prominent Russian universities and research institutions.

Operation ForumTroll is a series of sophisticated phishing attacks that have exploited a zero-day vulnerability in Google Chrome (CVE-2025-2783) to deliver the LeetAgent backdoor and a spyware implant named Dante.

The latest wave used emails purporting to come from eLibrary, a Russian scientific electronic library, sent from the address “support@e-library[.]wiki.” The domain was registered in March 2025, roughly seven months before the emails went out, indicating the infrastructure was prepared well in advance.

Letting the domain age before use helps it slip past reputation checks that flag newly registered domains, and the attackers hosted a replica of the legitimate eLibrary website (“elibrary[.]ru”) on it. The phishing emails instructed recipients to click a link to download a plagiarism report. Clicking it downloaded a ZIP archive, named according to a personalized pattern, to the victim’s device.

The archive contained a Windows shortcut (.lnk) that, when opened, ran a PowerShell script to download and launch a PowerShell-based payload from a remote server. That payload contacted a further URL to retrieve the final-stage DLL, which was persisted through COM hijacking: the DLL is registered as the server for a COM class so that a legitimate process loads it whenever that class is used. A decoy PDF was displayed to the victim at the same time to mask the infection.
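The COM-hijacking step is the one that survives a reboot, so it is the one a responder should hunt for. The following Python, added here as an example and not code from Kaspersky or from the report, parses a `reg export` of the CLSID keys and flags per-user (HKCU) InprocServer32 or LocalServer32 registrations that point into user-writable directories or that shadow a machine-wide (HKLM) registration of the same CLSID. It generalizes beyond the campaign: it checks both in-process and out-of-process servers. The .reg text, CLSID values and paths in the sample are constructed placeholders, not indicators from the campaign; the page does not say which CLSID or file name ForumTroll used.

```python
import re
from typing import Dict, List

# Constructed sample: what `reg export` of the CLSID keys from both hives might
# look like, concatenated. The GUIDs and paths are placeholders, not IOCs.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}]
@="Example Shell Extension"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Windows\\System32\\shell32.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Users\\alice\\AppData\\Roaming\\Updater\\update.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{66666666-7777-8888-9999-000000000000}\InprocServer32]
@="C:\\Program Files\\Vendor\\legit.dll"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
# Only the server subkeys matter: they name the binary COM will load for the class.
CLSID_RE = re.compile(
    r"^(HKEY_CURRENT_USER|HKEY_LOCAL_MACHINE)\\Software\\Classes\\CLSID\\"
    r"(\{[0-9A-Fa-f-]{36}\})\\(InprocServer32|LocalServer32)$",
    re.IGNORECASE,
)
# Path fragments that a standard user can write to; a COM server living here is suspicious.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\", "\\downloads\\")


def _unquote(s: str) -> str:
    """Strip the surrounding quotes and undo .reg escaping (\\\\ -> \\, \\" -> ")."""
    return re.sub(r"\\(.)", r"\1", s[1:-1])


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {key_path: {value_name: data}}.

    Only string (REG_SZ) values are decoded; other value types are kept as raw text.
    The default value is stored under the empty name, as it is in the registry."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.group(1), m.group(2)
            name = "" if name == "@" else _unquote(name)
            if data.startswith('"') and data.endswith('"'):
                data = _unquote(data)
            keys[current][name] = data
    return keys


def find_com_hijacks(keys: Dict[str, Dict[str, str]]) -> List[dict]:
    """Return HKCU COM server registrations that look like hijacks.

    Per-user entries under HKCU\\Software\\Classes take precedence over HKLM when a
    non-elevated process resolves a CLSID, which is what makes the technique work."""
    hklm: Dict[tuple, str] = {}
    hkcu: Dict[tuple, str] = {}
    for key, values in keys.items():
        m = CLSID_RE.match(key)
        if not m:
            continue
        hive, clsid, server = m.group(1).upper(), m.group(2).upper(), m.group(3)
        target = hklm if hive == "HKEY_LOCAL_MACHINE" else hkcu
        target[(clsid, server)] = values.get("", "")

    findings = []
    for (clsid, server), path in hkcu.items():
        reasons = []
        if any(marker in path.lower() for marker in USER_WRITABLE):
            reasons.append("server binary in user-writable location")
        if (clsid, server) in hklm:
            reasons.append("shadows machine-wide registration of " + hklm[(clsid, server)])
        if reasons:
            findings.append({"clsid": clsid, "server": server, "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_com_hijacks(parse_reg(SAMPLE_REG)):
        print(f["clsid"], f["server"], f["path"])
        for r in f["reasons"]:
            print("  -", r)
```

On a live host, produce the input with `reg export HKCU\Software\Classes\CLSID hkcu.reg /y` and `reg export HKLM\SOFTWARE\Classes\CLSID hklm.reg /y`, then concatenate the two files; `reg export` writes UTF-16 LE, so open them with `encoding="utf-16"` before passing the text to `parse_reg`. The second sample CLSID is deliberately not flagged: a per-user server under Program Files with no HKLM counterpart is how some per-user installers register their components, and treating it as a hit would bury the real finding in noise.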

The final payload is Tuoni, a command-and-control (C2) and red-teaming framework, which gives the threat actors remote access to the victim’s Windows machine.

Kaspersky highlighted that ForumTroll has been targeting organizations and individuals in Russia and Belarus since at least 2022, indicating a sustained focus on entities and individuals of interest in these countries.


Other Threat Activities Uncovered

Positive Technologies recently disclosed the activities of two threat clusters, QuietCrabs and Thor. QuietCrabs, suspected to be a Chinese hacking group also known as UTA0178 and UNC5221, leveraged security vulnerabilities in Microsoft SharePoint, Ivanti Endpoint Manager Mobile, Ivanti Connect Secure, and Ivanti Sentry in their attacks.

QuietCrabs utilized an ASPX web shell to deploy a JSP loader that facilitated the download and execution of KrustyLoader, ultimately dropping the Sliver implant.

Thor, a threat group first observed in attacks against Russian companies in 2025, deployed LockBit and Babuk ransomware as its final payloads and used the legitimate remote-management tools Tactical RMM and MeshAgent to maintain persistence.
