Kaspersky reported it detected a fresh wave of phishing attacks tied to the threat actor tracked as Operation ForumTroll that targeted individuals in Russia in October 2025; security researcher Georgy Kucherin said the campaign focused on scholars in political science, international relations and global economics at major Russian universities and research institutions.
Operation ForumTroll has previously been linked to sophisticated phishing that exploited a Google Chrome zero‑day (CVE‑2025‑2783) to deliver the LeetAgent backdoor and a spyware implant called Dante, and Kaspersky said the group’s origins remain unknown.
The recent emails impersonated the Russian scientific electronic library and were sent from the address “[email protected],” whose domain was registered in March 2025 and used to host a copy of the legitimate elibrary.ru homepage. Kaspersky said the adversary used the older registration date to avoid detection and crafted one‑time download links that return a Russian‑language error on subsequent attempts or prompt users to retry on Windows only.
Targets who followed the link received a ZIP archive named in the pattern “
Kaspersky noted ForumTroll has been active against organizations and individuals in Russia and Belarus since at least 2022 and assessed the group is likely to continue targeting entities and individuals of interest within those countries; the vendor also said the identity or location of the threat actor is not known.
The disclosure coincides with a separate report that detailed activity attributed to two intrusion clusters, including a suspected Chinese cluster tracked as QuietCrabs and another group described as Thor.

