ForumTrol Operation Uses Chrome Zero-Day in Fresh Phishing Attacks

The ForumTroll APT group has re-emerged with a highly sophisticated phishing campaign aimed at Russian academics, marking a significant escalation in their ongoing operations against entities in Russia and Belarus.

Initially known for exploiting the zero-day vulnerability CVE-2025-2783 in Google Chrome, the group’s latest campaign relies on advanced social engineering tactics and commercial red teaming frameworks to compromise high-value targets.

Kaspersky GReAT researchers discovered the new campaign in October 2025, just days before presenting their findings at the Security Analyst Summit.

The phishing emails masqueraded as eLibrary, a legitimate scientific electronic library widely used by Russian academics, targeting scholars specializing in political science, international relations, and global economics at major Russian universities and research institutions.

What sets this campaign apart is the meticulous preparation exhibited by the threat actors.

The malicious domain e-library[.]wiki was registered in March 2025, over six months before the phishing emails were sent, as a deliberate strategy to establish domain reputation and evade email spam filters.

The attackers even hosted a replica of the legitimate eLibrary homepage, demonstrating extensive reconnaissance of their targets’ typical workflows and trusted resources.

The personalization evident throughout the campaign further underscores ForumTroll’s operational discipline.

Phishing emails were customized for individual victims, with downloaded archives bearing recipients’ names in the format LastName_FirstName_Patronymic, creating a veneer of legitimacy that would likely bypass initial security scrutiny.

Technical Sophistication

The malicious archives deployed in this campaign contained carefully crafted infection chains designed to obstruct security analysis.

A malicious shortcut file, named after each victim, triggered a PowerShell script that downloaded a payload from the attacker’s infrastructure.

Notably, the attackers implemented anti-analysis protections restricting downloads to Windows-only environments and preventing repeated file downloads, suggesting awareness of security researchers’ typical analysis methodologies.

The infection process established persistence through COM Hijacking, a technique replicating ForumTroll’s spring 2025 campaign methodology.

The final payload, an OLLVM-obfuscated loader, deployed the Tuoni framework, a publicly available red teaming tool that provided remote access and extensive system compromise capabilities.

While ForumTroll’s spring campaign exploited zero-day vulnerabilities for system compromise, the autumn attacks represent a tactical pivot toward social engineering.

This shift reflects a calculated approach: rather than relying on sophisticated exploit chains, the group concentrated on manipulating trusted academic resources to drive victim engagement.

Ongoing Threat Assessment

The campaign’s use of decoy plagiarism reports and the targeted nature of communications suggest ForumTroll’s operators possess detailed intelligence about their victims’ professional activities and research interests.

This intelligence-gathering capability indicates potential support from nation-state actors or well-resourced cybercriminal organizations.

Kaspersky researchers assess that ForumTroll will likely continue targeting Russian and Belarusian entities and individuals, leveraging both zero-day exploits and sophisticated social engineering campaigns.

The group’s demonstrated operational continuity since at least 2022, combined with access to commercial spyware frameworks like Dante and red teaming tools like Tuoni, positions them as a persistent and evolving threat to sensitive targets in Eastern Europe.

Organizations should prioritize security awareness training emphasizing verification of communications from trusted platforms, while security teams should monitor for ForumTroll infrastructure indicators and implement robust email authentication mechanisms.

Related Articles

Back to top button