ForumTroll Hackers Target Russian Academics in New Phishing Attack

Cyber-espionage group shifts tactics, using fake scientific library emails to infect individual researchers

A cyber-espionage group known as ForumTroll has launched a new phishing campaign targeting Russian academics, marking the group’s return months after exploiting a Google Chrome zero-day vulnerability earlier in 2025.

The attacks, detected in October 2025, focus on individual scholars working in political science, international relations, and global economics at major Russian universities and research institutions.


Fake eLibrary emails used as bait

Victims received emails posing as official messages from eLibrary, a popular Russian scientific database. The messages were sent from the spoofed domain e-library[.]wiki, designed to closely resemble the legitimate site elibrary.ru.

The emails urged recipients to download a plagiarism report via a personalized link. The downloaded ZIP file was named after each victim, a social engineering tactic aimed at increasing trust.


Malware hidden behind a fake report

Opening the archive triggered the execution of a malicious Windows shortcut file, which silently installed malware while displaying a decoy plagiarism report PDF. The attackers used COM hijacking to maintain persistence on infected systems.
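The COM hijacking mentioned above works by registering a CLSID under the user hive (HKCU\Software\Classes\CLSID), which Windows consults before the machine-wide HKLM entry, so a DLL dropped in a user-writable directory gets loaded whenever the hijacked object is instantiated. The script below is an added defender-side example, not code from the article or from the researchers who reported the campaign: it parses a `reg export` dump of that hive and flags InprocServer32 entries whose DLL lives under a user-writable path. The registry dump, the CLSIDs and the DLL path in it are constructed for illustration and are not indicators from this campaign; the script only handles plain string (`@="..."`) values, so REG_EXPAND_SZ entries, which `reg export` writes as `hex(2):`, are not decoded.

```python
import re
from typing import Dict, List

# Constructed sample of `reg export HKCU\Software\Classes\CLSID out.reg`.
# CLSIDs and file paths are made up; none of them come from the campaign.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}]
@="Vendor helper component"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Program Files\\Vendor\\helper.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}]
@="Shell extension"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\InprocServer32]
@="C:\\Users\\scholar\\AppData\\Roaming\\report\\viewer.dll"
"ThreadingModel"="Both"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
DEFAULT_VALUE_RE = re.compile(r'^@="(.*)"$')
# Only user-hive CLSID server registrations are of interest: they shadow HKLM.
CLSID_INPROC_RE = re.compile(
    r"^HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\InprocServer32$",
    re.IGNORECASE,
)

# Path fragments that a standard user can write to without elevation.
USER_WRITABLE_MARKERS = (
    "\\appdata\\", "\\temp\\", "\\tmp\\", "\\users\\public\\", "\\downloads\\",
    "%appdata%", "%localappdata%", "%temp%", "%tmp%", "%userprofile%",
)


def parse_reg_export(text: str) -> Dict[str, str]:
    """Map each exported key to its default (@) value, when one is present."""
    defaults: Dict[str, str] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current = key_match.group(1)
            continue
        value_match = DEFAULT_VALUE_RE.match(line)
        if value_match and current:
            # .reg files escape backslashes and double quotes inside strings.
            defaults[current] = value_match.group(1).replace("\\\\", "\\").replace('\\"', '"')
    return defaults


def find_suspicious_com_servers(text: str) -> List[dict]:
    """Return HKCU CLSID InprocServer32 entries pointing into user-writable paths."""
    findings = []
    for key, server in parse_reg_export(text).items():
        key_match = CLSID_INPROC_RE.match(key)
        if not key_match:
            continue
        lowered = server.lower()
        if any(marker in lowered for marker in USER_WRITABLE_MARKERS):
            findings.append({
                "clsid": key_match.group(1),
                "server": server,
                "reason": "user-hive InprocServer32 loads a DLL from a user-writable path",
            })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_com_servers(SAMPLE_REG_EXPORT):
        print(f"{finding['clsid']} -> {finding['server']} ({finding['reason']})")
```

On a real host, export the hive with `reg export HKCU\Software\Classes\CLSID out.reg` and feed the file to `find_suspicious_com_servers`; a hit is worth comparing against the same CLSID under HKLM, since a user-hive entry that shadows a system object is the classic hijack pattern, and software that legitimately registers per-user COM servers usually installs them under Program Files or the vendor's own AppData folder rather than a freshly created one.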

Instead of rare custom spyware seen in earlier attacks, the campaign deployed Tuoni, a commercially available red-team framework that grants attackers remote access and post-exploitation capabilities.


ForumTroll remains active

While the new campaign relies on social engineering rather than zero-day exploits, it underscores ForumTroll’s continued activity and adaptability. The group has targeted entities and individuals in Russia and Belarus since at least 2022 and is expected to continue operations.


Indicators of compromise

  • e-library[.]wiki
  • perf-service-clients2.global.ssl.fastly[.]net
  • bus-pod-tenant.global.ssl.fastly[.]net
  • status-portal-api.global.ssl.fastly[.]net
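The indicators above are published defanged, and three of them are customer hostnames on Fastly's shared `global.ssl.fastly.net` space, so a matcher has to compare against the full indicator rather than its parent domain or it will flag every Fastly-fronted site. The following script is an added example written for this article, not code from its authors: it refangs the list, pulls hostnames out of DNS and proxy log lines, and reports a hit only when the host equals an indicator or is a subdomain of it (so `www.e-library.wiki` matches while a different Fastly customer does not). The log lines are constructed for illustration; the client addresses, timestamps and paths in them are not from the campaign.

```python
import re
from typing import List, Optional, Set

# Indicators exactly as published in the article, in defanged form.
DEFANGED_IOCS = [
    "e-library[.]wiki",
    "perf-service-clients2.global.ssl.fastly[.]net",
    "bus-pod-tenant.global.ssl.fastly[.]net",
    "status-portal-api.global.ssl.fastly[.]net",
]

# Constructed DNS and proxy log lines (not real traffic from the campaign).
SAMPLE_LOG = [
    "2025-10-14T09:12:03Z dns client=10.0.5.23 qname=elibrary.ru type=A",
    "2025-10-14T09:12:41Z dns client=10.0.5.23 qname=e-library.wiki type=A",
    "2025-10-14T09:13:02Z proxy client=10.0.5.23 method=GET host=www.e-library.wiki path=/download/report.zip status=200",
    "2025-10-14T09:15:19Z proxy client=10.0.5.23 method=POST host=perf-service-clients2.global.ssl.fastly.net path=/ status=200",
    "2025-10-14T09:16:00Z proxy client=10.0.5.40 method=GET host=cdn.example.global.ssl.fastly.net path=/app.js status=200",
]


def refang(indicator: str) -> str:
    """Undo the common defanging conventions so the indicator can be compared."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").strip().lower()


IOC_HOSTS: Set[str] = {refang(i) for i in DEFANGED_IOCS}

# Hostname candidates: dotted labels ending in an alphabetic TLD (skips IPs).
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)


def host_matches(host: str) -> Optional[str]:
    """Return the indicator that host equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for ioc in IOC_HOSTS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def scan_log_lines(lines: List[str]) -> List[dict]:
    """Report every log line whose hostnames touch one of the indicators."""
    hits = []
    for number, line in enumerate(lines, 1):
        for host in HOST_RE.findall(line):
            ioc = host_matches(host)
            if ioc:
                hits.append({"line": number, "host": host.lower(), "ioc": ioc})
    return hits


if __name__ == "__main__":
    for hit in scan_log_lines(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['host']} matches {hit['ioc']}")
```

The legitimate `elibrary.ru` lookup on the first line stays clean, which is the point of matching on whole hostnames: the lure works because `e-library.wiki` resembles the real database, so a detection that keys on the published spoofed domain rather than on the string "elibrary" avoids alerting on the genuine service the targeted researchers use every day.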
