
Overview

  • conda
  • conda-build

16 Jun 2025
Published
17 Jun 2025
Updated

CVSS v4.0
MEDIUM (6.0)
EPSS
0.02%

KEV

Description

Conda-build contains commands and tools to build conda packages. Prior to version 25.3.1, the write_build_scripts function in conda-build creates the temporary build script conda_build.sh with overly permissive file permissions (0o766), allowing write access to all users. Attackers with filesystem access can exploit a race condition to overwrite the script before execution, enabling arbitrary code execution under the victim's privileges. This risk is significant in shared environments, potentially leading to full system compromise. Even with non-static directory names, attackers can monitor parent directories for file creation events. The brief window between script creation (with insecure permissions) and execution allows rapid overwrites. Directory names can also be inferred via timestamps or logs, and automation enables exploitation even with semi-randomized paths by acting within milliseconds of detection. This issue has been patched in version 25.3.1. A workaround involves restricting conda_build.sh permissions from 0o766 to 0o700 (owner-only read/write/execute). Additionally, use atomic file creation (write to a temporary randomized filename and rename atomically) to minimize the race condition window.

Statistics

  • 1 Post

Last activity: 10 hours ago

Bluesky

URGENT: #Fedora 42 conda-build update 25.4.0 patches critical CVEs (CVE-2025-32797 to 32800), including code execution flaws. Read more: 👉 tinyurl.com/2237vz6d #Security
  • 0
  • 0
  • 0
  • 10h ago

Overview

  • Google
  • Chrome

26 Mar 2025
Published
21 Oct 2025
Updated

CVSS
Pending
EPSS
24.99%

Description

Incorrect handle provided in unspecified circumstances in Mojo in Google Chrome on Windows prior to 134.0.6998.177 allowed a remote attacker to perform a sandbox escape via a malicious file. (Chromium security severity: High)

Statistics

  • 1 Post

Last activity: 15 hours ago

Fediverse


Operation ForumTroll continues: Russian political scientists targeted using plagiarism reports

Introduction


In March 2025, we discovered Operation ForumTroll, a series of sophisticated cyberattacks exploiting the CVE-2025-2783 vulnerability in Google Chrome. We previously detailed the malicious implants used in the operation: the LeetAgent backdoor and the complex spyware Dante, developed by Memento Labs (formerly Hacking Team). However, the attackers behind this operation didn’t stop at their spring campaign and have continued to infect targets within the Russian Federation.

Emails posing as a scientific library


In October 2025, just days before we presented our report detailing the ForumTroll APT group’s attack at the Security Analyst Summit, we detected a new targeted phishing campaign by the same group. However, while the spring cyberattacks focused on organizations, the fall campaign honed in on specific individuals: scholars in the field of political science, international relations, and global economics, working at major Russian universities and research institutions.

The emails received by the victims were sent from the address support@e-library[.]wiki. The campaign purported to be from the scientific electronic library, eLibrary, whose legitimate website is elibrary.ru. The phishing emails contained a malicious link in the format: https://e-library[.]wiki/elib/wiki.php?id=<8 pseudorandom letters and digits>. Recipients were prompted to click the link to download a plagiarism report. Clicking that link triggered the download of an archive file. The filename was personalized, using the victim’s own name in the format: <LastName>_<FirstName>_<Patronymic>.zip.

A well-prepared attack


The attackers did their homework before sending out the phishing emails. The malicious domain, e-library[.]wiki, was registered back in March 2025, over six months before the email campaign started. This was likely done to build the domain’s reputation, as sending emails from a suspicious, newly registered domain is a major red flag for spam filters.

Furthermore, the attackers placed a copy of the legitimate eLibrary homepage on https://e-library[.]wiki. According to the information on the page, they accessed the legitimate website from the IP address 193.65.18[.]14 back in December 2024.


A screenshot of the malicious site elements showing the IP address and initial session date

The attackers also carefully personalized the phishing emails for their targets, specific professionals in the field. As mentioned above, the downloaded archive was named with the victim’s last name, first name, and patronymic.

Another noteworthy technique was the attacker’s effort to hinder security analysis by restricting repeat downloads. When we attempted to download the archive from the malicious site, we received a message in Russian, indicating the download link was likely for one-time use only:


The message that was displayed when we attempted to download the archive

Our investigation found that the malicious site displayed a different message if the download was attempted from a non-Windows device. In that case, it prompted the user to try again from a Windows computer.


The message that was displayed when we attempted to download the archive from a non-Windows OS

The malicious archive


The malicious archives downloaded via the email links contained the following:

  • A malicious shortcut file named after the victim: <LastName>_<FirstName>_<Patronymic>.lnk;
  • A .Thumbs directory containing approximately 100 image files with names in Russian. These images were not used during the infection process and were likely added to make the archives appear less suspicious to security solutions.


A portion of the .Thumbs directory contents

When the user clicked the shortcut, it ran a PowerShell script. The script’s primary purpose was to download and execute a PowerShell-based payload from a malicious server.


The script that was launched by opening the shortcut

The downloaded payload then performed the following actions:

  • Contacted a URL in the format: https://e-library[.]wiki/elib/query.php?id=<8 pseudorandom letters and digits>&key=<32 hexadecimal characters> to retrieve the final payload, a DLL file.
  • Saved the downloaded file to %localappdata%\Microsoft\Windows\Explorer\iconcache_<4 pseudorandom digits>.dll.
  • Established persistence for the payload using COM Hijacking. This involved writing the path to the DLL file into the registry key HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32. Notably, the attackers had used that same technique in their spring attacks.
  • Downloaded a decoy PDF from a URL in the format: https://e-library[.]wiki/pdf/<8 pseudorandom letters and digits>.pdf. This PDF was saved to the user’s Downloads folder with a filename in the format: <LastName>_<FirstName>_<Patronymic>.pdf and then opened automatically.

The decoy PDF contained no valuable information. It was merely a blurred report generated by a Russian plagiarism-checking system.


A screenshot of a page from the downloaded report

At the time of our investigation, the links for downloading the final payloads didn’t work. Attempting to access them returned error messages in English: “You are already blocked…” or “You have been bad ended” (sic). This likely indicates the use of a protective mechanism to prevent payloads from being downloaded more than once. Despite this, we managed to obtain and analyze the final payload.

The final payload: the Tuoni framework


The DLL file deployed to infected devices proved to be an OLLVM-obfuscated loader, which we described in our previous report on Operation ForumTroll. However, while this loader previously delivered rare implants like LeetAgent and Dante, this time the attackers opted for a better-known commercial red teaming framework: Tuoni. Portions of the Tuoni code are publicly available on GitHub. By deploying this tool, the attackers gained remote access to the victim’s device along with other capabilities for further system compromise.

As in the previous campaign, the attackers used fastly.net as C2 servers.

Conclusion


The cyberattacks carried out by the ForumTroll APT group in the spring and fall of 2025 share significant similarities. In both campaigns, infection began with targeted phishing emails, and persistence for the malicious implants was achieved with the COM Hijacking technique. The same loader was used to deploy the implants both in the spring and the fall.

Despite these similarities, the fall series of attacks cannot be considered as technically sophisticated as the spring campaign. In the spring, the ForumTroll APT group exploited zero-day vulnerabilities to infect systems. By contrast, the autumn attacks relied entirely on social engineering, counting on victims not only clicking the malicious link but also downloading the archive and launching the shortcut file. Furthermore, the malware used in the fall campaign, the Tuoni framework, is less rare.

ForumTroll has been targeting organizations and individuals in Russia and Belarus since at least 2022. Given this lengthy timeline, it is likely this APT group will continue to target entities and individuals of interest within these two countries. We believe that investigating ForumTroll’s potential future campaigns will allow us to shed light on shadowy malicious implants created by commercial developers – much as we did with the discovery of the Dante spyware.

Indicators of compromise


e-library[.]wiki
perf-service-clients2.global.ssl.fastly[.]net
bus-pod-tenant.global.ssl.fastly[.]net
status-portal-api.global.ssl.fastly[.]net

securelist.com/operation-forum…

  • 0
  • 0
  • 0
  • 15h ago

Overview

  • nicotsx
  • zerobyte

17 Dec 2025
Published
17 Dec 2025
Updated

CVSS v3.1
CRITICAL (9.1)
EPSS
Pending

KEV

Description

Zerobyte is a backup automation tool. Zerobyte versions prior to 0.18.5 and 0.19.0 contain an authentication bypass vulnerability where authentication middleware is not properly applied to API endpoints. This results in certain API endpoints being accessible without valid session credentials. This is dangerous for those who have exposed Zerobyte for use outside of their internal network. A fix has been applied in both version 0.19.0 and 0.18.5. If an immediate upgrade is not possible, restrict network access to the Zerobyte instance to trusted networks only, using firewall rules or network segmentation. This is only a temporary mitigation; upgrading is strongly recommended.

Statistics

  • 1 Post

Last activity: 1 hour ago

Fediverse


CRITICAL: CVE-2025-68435 in nicotsx Zerobyte (<0.18.5) enables authentication bypass via unprotected API endpoints. Remote attackers can access backup data. Upgrade ASAP or restrict access to trusted networks. More info: radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 1h ago

Overview

  • Arcadia Technology, LLC
  • Crafty Controller

17 Dec 2025
Published
17 Dec 2025
Updated

CVSS v3.1
CRITICAL (9.9)
EPSS
0.20%

KEV

Description

An input neutralization vulnerability in the Webhook Template component of Crafty Controller allows a remote, authenticated attacker to perform remote code execution via Server Side Template Injection.

Statistics

  • 1 Post

Last activity: 23 hours ago

Fediverse


🚨 CVE-2025-14700 (CRITICAL, CVSS 9.9) in Crafty Controller 4.6.1 enables authenticated RCE via SSTI in Webhook Template. Restrict access, monitor for suspicious activity, and prep for patches. Full details: radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 23h ago

Overview

  • Google
  • Chrome

12 Dec 2025
Published
16 Dec 2025
Updated

CVSS
Pending
EPSS
1.08%

Description

Out of bounds memory access in ANGLE in Google Chrome on Mac prior to 143.0.7499.110 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)

Statistics

  • 1 Post

Last activity: 23 hours ago

Bluesky

iOS updated: fixes for two WebKit zero-day vulnerabilities, among others - Security NEXT. CVE-2025-14174 was also reportedly identified by Google and Apple. Both affect versions prior to iOS 26 and may have been exploited in targeted attacks against specific individuals ... www.security-next.com/178480
  • 0
  • 0
  • 0
  • 23h ago

Overview

  • Apache Software Foundation
  • Apache HTTP Server

05 Dec 2025
Published
05 Dec 2025
Updated

CVSS
Pending
EPSS
0.08%

KEV

Description

An integer overflow in the case of failed ACME certificate renewal leads, after a number of failures (~30 days in default configurations), to the backoff timer becoming 0. Attempts to renew the certificate then are repeated without delays until it succeeds. This issue affects Apache HTTP Server: from 2.4.30 before 2.4.66. Users are recommended to upgrade to version 2.4.66, which fixes the issue.

Statistics

  • 1 Post

Last activity: 10 hours ago

Bluesky

🔐 #Fedora 42 Security Advisory: Patch for CVE-2025-55753 in Apache mod_md is live. Fixes unintended retry intervals in the ACME client that could disrupt SSL cert automation. Read more: 👉 tinyurl.com/3sx445u5 #Security
  • 0
  • 0
  • 0
  • 10h ago

Overview

  • SonicWall
  • SMA1000

23 Jan 2025
Published
21 Oct 2025
Updated

CVSS
Pending
EPSS
50.32%

Description

A pre-authentication deserialization of untrusted data vulnerability has been identified in the SMA1000 Appliance Management Console (AMC) and Central Management Console (CMC), which in specific conditions could potentially enable a remote unauthenticated attacker to execute arbitrary OS commands.

Statistics

  • 1 Post
  • 2 Interactions

Last activity: 10 hours ago

Fediverse


CVE-2025-40602: EITW LPE in SonicWall SMA1000 AMC.

psirt.global.sonicwall.com/vul

This vulnerability was reported to be leveraged in combination with CVE-2025-23006 (CVSS score 9.8) to achieve unauthenticated remote code execution with root privileges. CVE-2025-23006 was remediated in build version 12.4.3-02854 (platform-hotfix) and higher versions (released on Jan 22, 2025).

  • 0
  • 2
  • 0
  • 10h ago

Overview

  • Google
  • Chrome

16 Dec 2025
Published
16 Dec 2025
Updated

CVSS
Pending
EPSS
0.04%

KEV

Description

Out of bounds read and write in V8 in Google Chrome prior to 143.0.7499.147 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Statistics

  • 1 Post

Last activity: 18 hours ago

Fediverse


Use-After-Free and V8: two high-severity vulnerabilities fixed in Google Chrome

A significant security update has been released by Google for the desktop stable channel, fixing two very serious vulnerabilities that could expose users to possible memory-compromising attacks.

In the coming days, as the update is rolled out, security specialists recommend that administrators and users update immediately in order to reduce the risks linked to vulnerabilities in the browser's rendering and JavaScript engines.

The updated versions will be 143.0.7499.146/.147 for Windows and Mac and 143.0.7499.146 for Linux users. Two specific issues, rated "High" severity and reported by external researchers, are resolved by this update.

CVE-2025-14765: Use-After-Free in WebGPU


The most important fix addresses a "Use After Free" (UAF) vulnerability in WebGPU, the next-generation graphics API for the web. UAF bugs are a class of memory-corruption flaws in which a program continues to use a pointer even after the memory it points to has been freed.

Hackers often exploit these errors to execute arbitrary code or crash applications. Google awarded a $10,000 bounty to an anonymous researcher for reporting this flaw on September 30, 2025, underscoring its potential severity.

CVE-2025-14766: V8 memory corruption


The second patch targets V8, Google's high-performance open-source JavaScript and WebAssembly engine. This flaw was reported by security researcher Shaheen Fazim on December 8, 2025.

The vulnerability, described as an "out-of-bounds read and write", allows an attacker to read or modify memory outside the intended bounds. In a browser context, this can typically be exploited to escape the renderer sandbox or to disclose sensitive information.

Although Chrome updates automatically for many users, the criticality of these memory-safety vulnerabilities makes manual verification necessary. It is essential that system administrators responsible for managing corporate devices ensure the immediate deployment of the new version on all endpoints.

The article Use-After-Free and V8: two high-severity vulnerabilities fixed in Google Chrome originally appeared on Red Hot Cyber.

  • 0
  • 0
  • 0
  • 18h ago

Overview

  • Google
  • Chrome

16 Dec 2025
Published
17 Dec 2025
Updated

CVSS
Pending
EPSS
0.03%

KEV

Description

Use after free in WebGPU in Google Chrome prior to 143.0.7499.147 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Statistics

  • 1 Post

Last activity: 18 hours ago

Fediverse


  • 0
  • 0
  • 0
  • 18h ago

Overview

  • Red Hat
  • Red Hat Enterprise Linux 10
  • util-linux

05 Dec 2025
Published
15 Dec 2025
Updated

CVSS
Pending
EPSS
0.01%

KEV

Description

A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.

Statistics

  • 1 Post

Last activity: 13 hours ago

Bluesky

#Fedora Project Advisory FEDORA-2025-40fe2fec53 mandates an immediate util-linux upgrade to 2.41.3-7. This stable upstream release addresses CVE-2025-14105/CVE-2025-14104 in core system utilities. Read more: 👉 tinyurl.com/e2pkr93u #Security
  • 0
  • 0
  • 0
  • 13h ago
Showing 31 to 40 of 48 CVEs