A new campaign by the ForumTroll APT group

Dec. 21, 2025, 7:34 p.m.

Description

The ForumTroll APT group has launched a new targeted phishing campaign against Russian political scientists, using plagiarism reports as bait. The attackers used sophisticated techniques, including a well-prepared domain and personalized emails, to deliver the Tuoni framework malware. This campaign follows the group's spring attacks, in which zero-day vulnerabilities were used to target organizations. The fall campaign relied on social engineering instead: emails posing as a scientific library tricked victims into downloading malicious archives. The final payload was delivered through a PowerShell script and established persistence using COM hijacking. Although less technically sophisticated than the spring campaign, this operation demonstrates the group's continued focus on Russian and Belarusian targets.

Date

  • Created: Dec. 17, 2025, 12:52 p.m.
  • Published: Dec. 17, 2025, 12:52 p.m.
  • Modified: Dec. 21, 2025, 7:34 p.m.

Indicators

  • 193.65.18.14

Attack Patterns

Additional Information

  • Education
  • Government and administrations
  • e-library.wiki
  • Belarus
  • Russian Federation