Exploitation of Google Chrome Zero-Day Vulnerability CVE-2025-2783 by TaxOff for Trinper Backdoor Deployment


A recently addressed security vulnerability in Google Chrome, identified as CVE-2025-2783, was exploited by a threat actor known as TaxOff to install a backdoor referred to as Trinper. This attack, observed in mid-March 2025 by Positive Technologies, utilized a sandbox escape vulnerability with a CVSS score of 8.3.

Google rectified the flaw later in March after Kaspersky highlighted its exploitation in a campaign named Operation ForumTroll, which targeted various organizations in Russia. According to security researchers Stanislav Pyzhov and Vladislav Lunin, the initial attack vector involved a phishing email containing a malicious link. When the victim clicked this link, it initiated a one-click exploit (CVE-2025-2783), enabling the installation of the Trinper backdoor utilized by TaxOff.

The phishing email was disguised as an invitation to the Primakov Readings forum, urging recipients to access a link that directed them to a fraudulent website hosting the exploit.

TaxOff, identified by Kaspersky as a hacking group, was first documented in late November 2024. The group targeted domestic government agencies utilizing phishing emails related to legal and finance topics to deploy Trinper.

Developed in C++, the Trinper backdoor employs multithreading techniques to gather host data, record keystrokes, collect specific file types (.doc, .xls, .ppt, .rtf, .pdf), and establish a connection to a remote server for command reception and exfiltration of execution results. The commands from the command-and-control (C2) server expand the functionality of the implant, allowing file read/write capabilities, command execution via cmd.exe, reverse shell activation, directory changes, and self-termination.

Lunin emphasized that multithreading enhances parallelism, enabling the backdoor to operate stealthily while still consolidating data collection and exfiltration, installing additional modules, and maintaining C2 communications.

Further investigation into the mid-March 2025 intrusion by Positive Technologies revealed another attack dating back to October 2024, also initiated by a phishing email framed as an invitation to an international conference concerning the “Security of the Union State in the modern world.” This email contained a link that downloaded a ZIP archive, which included a Windows shortcut to launch a PowerShell command, ultimately serving a decoy document while deploying a loader responsible for initiating the Trinper backdoor using the open-source Donut loader. A variant of the attack substituting Donut with Cobalt Strike has been identified.

This attack pattern exhibits tactical similarities with another hacking group known as Team46, suggesting a potential connection between the two threat clusters. Notably, a month prior, Team46 had dispatched phishing emails purporting to be from the Moscow-based telecom company Rostelecom, warning recipients of fictitious maintenance outages.

These emails likewise carried ZIP archives embedding shortcuts that ran PowerShell commands to deploy a loader previously used in an attack on an unnamed Russian company in the rail freight sector.
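The delivery pattern described for both the October 2024 attack and the Team46 emails (a ZIP archive carrying a Windows shortcut that launches PowerShell while a decoy document is shown) lends itself to a simple archive check on the mail gateway or sandbox. The script below is an added illustration of that check and is not code from the article, Positive Technologies or Doctor Web. The archive it scans is constructed inside the script, the shortcut body is a placeholder byte string rather than a real .lnk, and the set of document extensions treated as lure disguises is an assumption.

```python
import io
import zipfile

# Assumed set of document extensions an attacker might place before ".lnk"
# to make a shortcut look like a document (e.g. "program.pdf.lnk").
DOC_EXTS = {"doc", "docx", "xls", "xlsx", "ppt", "pptx", "rtf", "pdf"}


def _mentions_powershell(body: bytes) -> bool:
    """Look for 'powershell' in ASCII or UTF-16LE (LNK stores strings as UTF-16LE)."""
    lowered = body.lower()
    return b"powershell" in lowered or "powershell".encode("utf-16-le") in lowered


def scan_archive(data: bytes) -> list[dict]:
    """Return one finding per ZIP entry that matches the shortcut lure pattern."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            base = name.lower().rsplit("/", 1)[-1]
            reasons = []
            if base.endswith(".lnk"):
                reasons.append("windows shortcut inside archive")
                parts = base.split(".")
                # "<name>.<docext>.lnk" is a double extension masquerading as a document
                if len(parts) > 2 and parts[-2] in DOC_EXTS:
                    reasons.append("double extension disguised as document")
                if _mentions_powershell(zf.read(info)):
                    reasons.append("shortcut body references PowerShell")
            if reasons:
                findings.append({"entry": name, "reasons": reasons})
    return findings


def build_sample_archive(include_shortcut: bool = True) -> bytes:
    """Constructed sample archive: a decoy document plus (optionally) a lure shortcut.

    The shortcut content is a placeholder, not a valid LNK structure; only the
    UTF-16LE command string matters for the check above.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Conference_program.pdf", b"%PDF-1.4 constructed decoy document")
        if include_shortcut:
            fake_lnk = b"\x4c\x00\x00\x00PLACEHOLDER-LNK-HEADER" + \
                "PowerShell.exe -WindowStyle Hidden -Command PLACEHOLDER".encode("utf-16-le")
            zf.writestr("Conference_program.pdf.lnk", fake_lnk)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_archive(build_sample_archive()):
        print(finding["entry"], "->", ", ".join(finding["reasons"]))
```

Running the script flags only the shortcut entry and lists all three reasons; the archive without a shortcut produces no findings. In production the same check would sit behind the mail gateway's attachment extraction, and a positive match is a reason to quarantine the message rather than to block it outright, since legitimate archives do occasionally contain shortcuts.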

The March 2024 incident, documented by Doctor Web, was notable for exploiting a DLL hijacking vulnerability in the Yandex Browser (CVE-2024-6473, CVSS score: 8.4) as a zero-day to download and execute unidentified malware. The vulnerability was fixed in version 24.7.1.380, released in September 2024.

Researchers indicated that this group effectively utilizes zero-day exploits, enhancing their ability to infiltrate secure infrastructures. Additionally, the complexity of the malware employed indicates a long-term strategy aimed at maintaining persistence within the compromised systems.