A recently addressed security vulnerability in Google Chrome, identified as CVE-2025-2783, was exploited by a threat actor known as TaxOff to install a backdoor referred to as Trinper. This attack, observed in mid-March 2025 by Positive Technologies, utilized a sandbox escape vulnerability with a CVSS score of 8.3.<\/p>\n
Google rectified the flaw later in March after Kaspersky highlighted its exploitation in a campaign named Operation ForumTroll, which targeted various organizations in Russia. According to security researchers Stanislav Pyzhov and Vladislav Lunin, the initial attack vector involved a phishing email containing a malicious link. When the victim clicked this link, it initiated a one-click exploit (CVE-2025-2783), enabling the installation of the Trinper backdoor utilized by TaxOff.<\/p>\n
The phishing email was disguised as an invitation to the Primakov Readings forum, urging recipients to access a link that directed them to a fraudulent website hosting the exploit.<\/p>\n
TaxOff, identified by Kaspersky as a hacking group, was first documented in late November 2024. The group targeted domestic government agencies utilizing phishing emails related to legal and finance topics to deploy Trinper.<\/p>\n
Developed in C++, the Trinper backdoor employs multithreading techniques to gather host data, record keystrokes, collect specific file types (.doc, .xls, .ppt, .rtf, .pdf), and establish a connection to a remote server for command reception and exfiltration of execution results. The commands from the command-and-control (C2) server expand the functionality of the implant, allowing file read\/write capabilities, command execution via cmd.exe, reverse shell activation, directory changes, and self-termination.<\/p>\n
Lunin emphasized that multithreading enhances parallelism, enabling the backdoor to operate stealthily while still consolidating data collection and exfiltration, installing additional modules, and maintaining C2 communications.<\/p>\n
Further investigation into the mid-March 2025 intrusion by Positive Technologies revealed another attack dating back to October 2024, also initiated by a phishing email framed as an invitation to an international conference concerning the “Security of the Union State in the modern world.” This email contained a link that downloaded a ZIP archive, which included a Windows shortcut to launch a PowerShell command, ultimately serving a decoy document while deploying a loader responsible for initiating the Trinper backdoor using the open-source Donut loader. A variant of the attack substituting Donut with Cobalt Strike has been identified.<\/p>\n
This attack pattern exhibits tactical similarities with another hacking group known as Team46, suggesting a potential connection between the two threat clusters. Notably, a month prior, Team46 had dispatched phishing emails purporting to be from the Moscow-based telecom company Rostelecom, warning recipients of fictitious maintenance outages.<\/p>\n
These emails also contained ZIP archives that embedded shortcuts leading to PowerShell commands to deploy a previously utilized loader targeting an unnamed Russian company in the rail freight sector.<\/p>\n
The March 2024 incident, documented by Doctor Web, was notable for exploiting a DLL hijacking vulnerability in the Yandex Browser (CVE-2024-6473, CVSS score: 8.4) as a zero-day to download and execute unidentified malware, which was resolved in version 24.7.1.380 released in September 2024.<\/p>\n
Researchers indicated that this group effectively utilizes zero-day exploits, enhancing their ability to infiltrate secure infrastructures. Additionally, the complexity of the malware employed indicates a long-term strategy aimed at maintaining persistence within the compromised systems.<\/p>\n","protected":false},"excerpt":{"rendered":"
A recently addressed security vulnerability in Google Chrome, identified as CVE-2025-2783, was exploited by a threat actor known as TaxOff…<\/p>\n","protected":false},"author":1,"featured_media":2137,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"Default","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[28],"tags":[220,237,77],"class_list":["post-2136","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","tag-backdoor","tag-email","tag-phishing"],"acf":[],"yoast_head":"\n