
Kaspersky GReAT identifies new ForumTroll campaign targeting Russian political scientists

December 17, 2025

Kaspersky’s Global Research and Analysis Team (GReAT) has identified a new wave of targeted phishing attacks by the threat actor known as ForumTroll APT, this time going after political scientists and other researchers at leading Russian universities and research institutes with fake plagiarism reports.

In October 2025, just days before Kaspersky presented its ForumTroll research at SAS 2025, Kaspersky GReAT detected a fresh campaign by the group. The newly discovered activity shifts ForumTroll’s focus from organizations to individuals, specifically political scientists, experts in international relations, and economists at major Russian academic and research institutions.
 
The campaign is a continuation of ForumTroll’s operations first documented in March 2025, when Kaspersky GReAT discovered and reported the Chrome vulnerability later tracked as CVE-2025-2783. At SAS 2025, the team also disclosed that this APT group used the commercial spyware Dante, which Kaspersky GReAT attributed to the Italian spyware vendor Memento Labs, the successor to Hacking Team. 
 
In the October campaign, the attackers sent phishing emails from support@e-library[.]wiki, an address on a fake website created to look like Russia’s official academic portal, elibrary.ru. The messages invited recipients to follow a link where they were prompted to download a plagiarism report. That link delivered a ZIP file named after the targeted scholar. Inside, Kaspersky found a shortcut file designed to install malware, along with a folder of ordinary images likely added to make the archive look harmless.
 
When opened, the shortcut quietly ran code that contacted the attackers’ server, downloaded malware and installed it on the victim’s computer so it would run again after reboot. At the same time, it opened a blurred PDF that looked like a plagiarism report, to make the incident seem like a routine academic check and reduce suspicion.
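A triage check for the archive layout described above (a shortcut file next to a folder of ordinary images), added here as an illustration and not taken from Kaspersky's research. The sample archive and its file names are constructed, and the function names are hypothetical.

```python
import io
import zipfile

# Shell Link (.lnk) files begin with HeaderSize 0x4C followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046 (MS-SHLLINK file format).
LNK_MAGIC = bytes.fromhex("4c0000000114020000000000c000000000000046")
IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif", ".bmp")


def triage_zip(data: bytes) -> dict:
    """List shortcut members and report whether the rest is only images."""
    shortcuts, others = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            name = info.filename
            # Windows Explorer never displays the .lnk extension, so the file
            # can pass for a document; match on header bytes as well as name.
            if head == LNK_MAGIC or name.lower().endswith(".lnk"):
                shortcuts.append(name)
            else:
                others.append(name)
    decoy_only = bool(others) and all(
        n.lower().endswith(IMAGE_EXTS) for n in others
    )
    return {
        "shortcuts": shortcuts,
        "decoy_images_only": decoy_only,
        "suspicious": bool(shortcuts),
    }


def build_sample() -> bytes:
    """Constructed sample: an inert LNK header plus a folder of fake images."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Ivanov_I_I.lnk", LNK_MAGIC + b"\x00" * 56)  # constructed name
        zf.writestr("images/1.jpg", b"\xff\xd8\xff\xe0 constructed")
        zf.writestr("images/2.png", b"\x89PNG constructed")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_zip(build_sample()))
```

A mail gateway or download proxy can apply the same check to inbound archives and quarantine any ZIP for which `suspicious` is true.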
 
The final piece of malware was Tuoni, a commercially available hacking tool often used in security testing. In the hands of ForumTroll, Tuoni gave the attackers remote access to victims’ devices and allowed them to carry out further actions inside the network. Kaspersky also found that the attackers had set up their online infrastructure carefully: they hosted their control servers on Fastly’s cloud network, showed different messages depending on the visitor’s operating system and appeared to limit repeated downloads to make analysis harder. The fake e-library[.]wiki website itself was a copy of the real eLibrary homepage and contained traces of work dating back to December 2024, indicating months of preparation.
 
“Researchers are frequent targets for advanced threat actors, particularly when their academic profiles include publicly listed contact information. Phishing emails that evoke anxiety, such as claims of plagiarism, can be especially effective in prompting quick clicks. Maintaining security software on personal devices and treating unsolicited attachments with caution are critical steps in reducing exposure to these attacks,” said Georgy Kucherin, senior security researcher at Kaspersky GReAT.
 
Kaspersky’s investigation, which led to the discovery of the new APT actor ForumTroll and the return of Hacking Team–linked spyware, began with a detection by Kaspersky Next XDR Expert. Kaspersky GReAT assesses that ForumTroll has maintained long-term interest in targets in Russia and Belarus since at least 2022.
 
Read full research on Securelist.com
 
Kaspersky recommends that researchers and academic staff:

  • Treat unsolicited messages about plagiarism or ethics complaints with caution, especially when they contain links to external file-sharing or document services
  • Verify such communications through known official channels (for example, the institution’s official domain or a previously used contact) before opening attachments or archives
  • Keep operating systems and browsers updated to reduce exposure to zero-day exploits
  • To effectively identify malicious emails, scripts and payloads, install and maintain reputable security solutions such as those from the Kaspersky Next product line. They provide real-time protection, comprehensive threat visibility, in-depth investigation and advanced response capabilities, catering to organizations of all sizes and industries. 
     

About the Global Research & Analysis Team
Established in 2008, Global Research & Analysis Team (GReAT) operates at the very heart of Kaspersky, uncovering APTs, cyber-espionage campaigns, major malware, ransomware and underground cyber-criminal trends across the world. Today GReAT consists of 35+ experts working globally – in Europe, Russia, Latin America, Asia and the Middle East. Talented security professionals provide company leadership in anti-malware research and innovation, bringing unrivaled expertise, passion and curiosity to the discovery and analysis of cyberthreats.


About Kaspersky

Kaspersky is a global cybersecurity and digital privacy company founded in 1997. With over a billion devices protected to date from emerging cyberthreats and targeted attacks, Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative solutions and services to protect individuals, businesses, critical infrastructure, and governments around the globe. The company’s comprehensive security portfolio includes leading digital life protection for personal devices, specialized security products and services for companies, as well as Cyber Immune solutions to fight sophisticated and evolving digital threats. We help millions of individuals and nearly 200,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.
