In mid-March 2025 a threat actor tracked as TaxOff ran a cyber espionage operation against organizations in Russia that exploited a then-unpatched zero-day in Google Chrome. The flaw, CVE-2025-2783, let the attackers escape Chrome's sandbox on Windows and install a backdoor called Trinper, making this one of the more sophisticated intrusions observed recently. The lure was a phishing campaign dubbed Operation ForumTroll: emails posing as invitations to the Primakov Readings conference carried a malicious link, and opening that link in Chrome was enough to trigger the exploit and silently install Trinper. No file had to be downloaded or run by the victim, which is what allowed the chain to slip past the security controls in place.
A Deep Dive into the Trinper Backdoor
Written in C++, the Trinper backdoor is built to carry out complex tasks on the compromised host. It is multithreaded, which lets it collect and exfiltrate data while keeping its footprint low. It records keystrokes, gathers host system details, and harvests files with specific extensions such as .doc and .pdf. It also maintains a covert channel to a remote command-and-control server through which the operators issue commands: reading and writing files, executing instructions on the target machine, and opening reverse shells, which hand the attackers full interactive control of the infected system.
This attack was not an isolated incident. Investigators from Positive Technologies found similarities with an earlier intrusion from October 2024. That attack also relied on phishing disguised as an international conference invitation, but instead of a browser exploit it used a PowerShell command to start the payload. The PowerShell stage ran the Donut loader, which delivered both a decoy document and the Trinper backdoor; the decoy gives the victim something plausible to look at while the backdoor installs. In some variants Donut was swapped for the Cobalt Strike toolkit, showing that the attackers adapt their loader to the situation while keeping the rest of the chain intact.
Possible Connections and Historic Methods
TaxOff's tactics closely resemble those of another threat actor, Team46. A month earlier, Team46 ran a phishing campaign impersonating the telecom provider Rostelecom: the emails warned of fictitious maintenance outages and targeted a rail freight operator. A malicious ZIP archive attached to the emails carried a backdoor, which gave the group a foothold in this critical sector. The overlap in lures, tooling and timing suggests that TaxOff and Team46 are aligned or collaborating, and possibly the same group, as both continue to use the same kind of tradecraft to breach well-defended networks.
Zero-day exploitation is a recurring pattern here. In March 2024 Doctor Web reported an attack that exploited a zero-day DLL hijacking vulnerability in Yandex Browser, tracked as CVE-2024-6473, to deploy an unspecified malware strain. In a DLL hijack the application loads a library from a location the attacker can write to before it checks the trusted system directory, so the attacker's code runs inside the browser process with the browser's privileges. A Yandex Browser update in September 2024 fixed the issue, but the incident underscores the persistent risk of unknown weaknesses. Threat actors like TaxOff and Team46 have refined their use of such vulnerabilities to gain long-term access and persistence on a system while quietly extracting data.