A relentless Advanced Persistent Threat (APT) group known as “Forum Troll” has shifted its crosshairs from corporate networks to the academic elite, launching a precision phishing campaign against Russian political scientists and economists. A new report from Kaspersky Labs details the group’s latest activity in October 2025, revealing a tactical pivot from zero-day exploits to highly personalized social engineering.
While the group’s spring campaign made headlines for exploiting a Google Chrome vulnerability (CVE-2025-2783), their autumn offensive took a more psychological approach. The attackers impersonated eLibrary, a popular scientific electronic library, to trick scholars into downloading what they believed were plagiarism reports.
The campaign was characterized by its specific focus on high-profile individuals rather than broad organizational infrastructure.
“However, while the spring cyberattacks focused on organizations, the fall campaign honed in on specific individuals: scholars in the field of political science, international relations, and global economics, working at major Russian universities and research institutions”.
Victims received emails from support@e-library[.]wiki—a spoofed domain registered months in advance to build reputation—urging them to download a report. The lure was tailored to perfection: the malicious links triggered the download of an archive named with the victim’s full name, such as <LastName>_<FirstName>_<Patronymic>.zip.
Kaspersky researchers noted the meticulous preparation behind the attack. “The attackers did their homework before sending out the phishing emails,” the report states.
The malicious archives contained a shortcut file (.lnk) disguised as a document, along with a hidden .Thumbs directory filled with nearly 100 irrelevant image files. “These images were not used during the infection process and were likely added to make the archives appear less suspicious to security solutions”.
Once the user clicked the shortcut, a PowerShell script initiated a multi-stage infection chain. It contacted a command-and-control server to retrieve a DLL payload, which was then saved to the local iconcache directory. To ensure the malware survived system reboots, the attackers employed a COM Hijacking technique, writing the path of the malicious DLL into a specific registry key.
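As an added example (not code from the Kaspersky report), the following PowerShell hunt looks for the kind of persistence described above: a per-user COM registration whose DLL lives in a user-writable location. It assumes the hijack is implemented through an InprocServer32 entry under HKCU:\Software\Classes\CLSID, which is the usual form of COM hijacking but is not the specific key named by the report, and the directory patterns it flags are constructed for illustration.

```powershell
# Added example: hunt for per-user COM hijacks used for persistence.
# Assumption: the malicious DLL path is written as the (default) value of
# HKCU:\Software\Classes\CLSID\<GUID>\InprocServer32, where it is loaded in
# preference to the machine-wide registration under HKLM. The report does not
# name the exact key, so this is a general check rather than an IoC.

$userHive = 'HKCU:\Software\Classes\CLSID'

# Constructed patterns: locations a user can write to without admin rights.
# "iconcache" is included because the report says the payload was dropped there.
$suspiciousDirs = @('\iconcache', '\AppData\', '\Temp\', '\Downloads\')

if (-not (Test-Path $userHive)) { return }

Get-ChildItem -Path $userHive -ErrorAction SilentlyContinue | ForEach-Object {
    $clsid  = $_.PSChildName
    $inproc = "$userHive\$clsid\InprocServer32"
    if (-not (Test-Path $inproc)) { return }   # 'return' acts as 'continue' here

    # The (default) value is the DLL the COM runtime will load for this CLSID.
    $dll = (Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue).'(default)'
    if ([string]::IsNullOrWhiteSpace($dll)) { return }

    $expanded = [Environment]::ExpandEnvironmentVariables($dll)
    $hits = $suspiciousDirs | Where-Object { $expanded -like "*$_*" }
    if (-not $hits) { return }

    # Context for triage: does this per-user entry shadow a machine-wide one?
    $shadows = Test-Path "HKLM:\Software\Classes\CLSID\$clsid\InprocServer32"

    [pscustomobject]@{
        CLSID       = $clsid
        Dll         = $expanded
        DllOnDisk   = (Test-Path -LiteralPath $expanded)
        ShadowsHKLM = $shadows
        Matched     = ($hits -join ',')
    }
} | Format-Table -AutoSize
```

Hits are candidates for review, not verdicts: some legitimate per-user installs also register COM servers under AppData, so compare the DLL's signature and publisher before acting.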
Unlike previous campaigns that utilized custom spyware like “Dante,” this operation deployed a known commercial red-teaming tool.
“However, while this loader previously delivered rare implants like LeetAgent and Dante, this time the attackers opted for a better-known commercial red teaming framework: Tuoni”.
This framework grants the attackers remote access to the infected device, allowing them to steal sensitive research data or pivot further into university networks. To mask the intrusion, the malware automatically downloaded and opened a decoy PDF—a blurred plagiarism report—so the victim would remain unaware of the breach.
The attackers implemented strict operational security measures to hinder analysis. The malicious download links were configured for one-time use, displaying error messages to researchers attempting to access them a second time. Furthermore, the server filtered out non-Windows devices, prompting such users to switch to a vulnerable Windows machine.
Kaspersky Labs warns that Forum Troll shows no signs of stopping. “Forum Troll has been targeting organizations and individuals in Russia and Belarus since at least 2022,” the report concludes, suggesting that the group will likely continue its espionage activities against high-value targets in the region.