""While the spring cyberattacks focused on organizations, the fall campaign honed in on specific individuals: scholars in the field of political science, international relations, and global economics, working at major Russian universities and research institutions," security researcher Georgy Kucherin said. Operation ForumTroll refers to a series of sophisticated phishing attacks exploiting a then-zero-day vulnerability in Google Chrome (CVE-2025-2783) to deliver the LeetAgent backdoor and a spyware implant known as Dante."
"The domain was registered in March 2025, six months before the start of the campaign, suggesting that preparations for the attack had been underway for some time. Kaspersky said the strategic domain aging was done to avoid raising any red flags typically associated with sending emails from a freshly registered domain. In addition, the attackers also hosted a copy of the legitimate eLibrary homepage ("elibrary[.]ru") on the bogus domain to maintain the ruse."
Kaspersky detected a fresh phishing campaign in October 2025 targeting individuals within Russia. Targets included scholars in political science, international relations, and global economics at major Russian universities and research institutions. The campaign is linked to Operation ForumTroll, which exploited a then-zero-day Chrome vulnerability (CVE-2025-2783) to deliver the LeetAgent backdoor and the Dante spyware implant. Attackers sent emails impersonating eLibrary from support@e-library[.]wiki, using a domain registered in March 2025 to age the domain and host a copy of the legitimate elibrary[.]ru homepage. Emails contained one-time links to download a plagiarism report; successful clicks delivered personalized ZIP archives named <LastName>_<FirstName>_<Patronymic>.zip. The threat actor origins remain unknown.
Read at The Hacker News
Unable to calculate read time
Collection
[
|
...
]