{"id":179,"date":"2025-12-19T09:15:28","date_gmt":"2025-12-19T09:15:28","guid":{"rendered":"https:\/\/blog.ibvl.in\/index.php\/2025\/12\/19\/operation-forumtroll-continues-russian-political-scientists-targeted-using-plagiarism-reports\/"},"modified":"2025-12-19T09:15:28","modified_gmt":"2025-12-19T09:15:28","slug":"operation-forumtroll-continues-russian-political-scientists-targeted-using-plagiarism-reports","status":"publish","type":"post","link":"https:\/\/blog.ibvl.in\/index.php\/2025\/12\/19\/operation-forumtroll-continues-russian-political-scientists-targeted-using-plagiarism-reports\/","title":{"rendered":"Operation ForumTroll continues: Russian political scientists targeted using plagiarism reports"},"content":{"rendered":"
\n

\"\"<\/p>\n

Introduction<\/h2>\n

In March 2025, we discovered Operation ForumTroll<\/a>, a series of sophisticated cyberattacks exploiting the CVE-2025-2783 vulnerability in Google Chrome. We previously detailed the malicious implants<\/a> used in the operation: the LeetAgent backdoor and the complex spyware Dante, developed by Memento Labs (formerly Hacking Team). However, the attackers behind this operation didn\u2019t stop at their spring campaign and have continued to infect targets within the Russian Federation.<\/p>\n

Emails posing as a scientific library<\/h2>\n

In October 2025, just days before we presented our report detailing the ForumTroll APT group\u2019s attack at the Security Analyst Summit<\/a>, we detected a new targeted phishing campaign by the same group. However, while the spring cyberattacks focused on organizations, the fall campaign honed in on specific individuals: scholars in the field of political science, international relations, and global economics, working at major Russian universities and research institutions.<\/p>\n

The emails received by the victims were sent from the address support@e-library[.]wiki<\/code>. The campaign purported to be from the scientific electronic library, eLibrary, whose legitimate website is elibrary.ru<\/code>. The phishing emails contained a malicious link in the format: https:\/\/e-library[.]wiki\/elib\/wiki.php?id=<8 pseudorandom letters and digits><\/code>. Recipients were prompted to click the link to download a plagiarism report. Clicking that link triggered the download of an archive file. The filename was personalized, using the victim\u2019s own name in the format: <LastName>_<FirstName>_<Patronymic>.zip<\/code>.<\/p>\n

A well-prepared attack<\/h2>\n

The attackers did their homework before sending out the phishing emails. The malicious domain, e-library[.]wiki<\/code>, was registered back in March 2025, over six months before the email campaign started. This was likely done to build the domain\u2019s reputation, as sending emails from a suspicious, newly registered domain is a major red flag for spam filters.<\/p>\n

Furthermore, the attackers placed a copy of the legitimate eLibrary homepage on https:\/\/e-library[.]wiki<\/code>. According to the information on the page, they accessed the legitimate website from the IP address 193.65.18[.]14<\/code> back in December 2024.<\/p>\n

\"A<\/a><\/p>\n

A screenshot of the malicious site elements showing the IP address and initial session date<\/p>\n<\/div>\n

The attackers also carefully personalized the phishing emails for their targets, specific professionals in the field. As mentioned above, the downloaded archive was named with the victim\u2019s last name, first name, and patronymic.<\/p>\n

Another noteworthy technique was the attacker\u2019s effort to hinder security analysis by restricting repeat downloads. When we attempted to download the archive from the malicious site, we received a message in Russian, indicating the download link was likely for one-time use only:<\/p>\n

\"The<\/a><\/p>\n

The message that was displayed when we attempted to download the archive<\/p>\n<\/div>\n

Our investigation found that the malicious site displayed a different message if the download was attempted from a non-Windows device. In that case, it prompted the user to try again from a Windows computer.<\/p>\n

\"The<\/a><\/p>\n

The message that was displayed when we attempted to download the archive from a non-Windows OS<\/p>\n<\/div>\n

The malicious archive<\/h2>\n

The malicious archives downloaded via the email links contained the following:<\/p>\n