June 18, 2025
Severity
High
Analysis Summary
A serious security bug in Google Chrome was used by a hacking group called TaxOff to secretly install a backdoor named Trinper on victims' devices. This flaw, known as CVE-2025-2783, allowed attackers to break out of Chrome’s secure sandbox and take control of systems. The vulnerability had a high severity score of 8.3, and although Google fixed it in March 2025, it had already been actively used in attacks.
The attacks were first observed in mid-March 2025 by cybersecurity researchers. The hackers sent phishing emails that appeared to be invitations to a well-known event called the Primakov Readings. When victims clicked on the link in the email, they were taken to a fake website that automatically exploited the Chrome flaw and installed the Trinper backdoor without any further action from the user; this is called a one-click exploit.
Trinper is a powerful piece of malware written in C++. It uses multithreading, which allows it to run many tasks at once without slowing down the system. This helps it stay hidden. Once installed, Trinper can gather personal data from the victim’s computer, such as usernames, passwords, and sensitive documents like Word, Excel, and PDF files. It can also record what the user types and send all this information back to the hackers using a remote server. The malware can also take further instructions, like running commands, opening a reverse shell (which gives the hacker live access), or even shutting itself down to avoid detection.
Security experts noticed that these techniques and tools were very similar to those of another hacker group called Team46. This raised the possibility that TaxOff and Team46 might actually be the same group operating under different names, or that they work together.
Team46 had also sent phishing emails a month earlier, pretending to be from Rostelecom, a major telecom company. Those emails warned about fake maintenance work and included a similar ZIP file with a shortcut that delivered another backdoor, this time targeting a company in the rail freight industry.
The attackers also used a bug in Yandex Browser (CVE-2024-6473, with a severity score of 8.4) to load malware through DLL hijacking, a technique that gets a trusted program to load an attacker-supplied DLL in place of the legitimate one it expects.
Researchers believe this hacking group is very well-organized and skilled. They use zero-day exploits (bugs that are unknown to the software vendor) and develop their own custom malware. Their goal seems to be long-term: stay inside networks, steal valuable information, and remain unnoticed for as long as possible.
Impact
- Credential Theft
- Data Theft
- Code Execution
- Cyber Espionage
Remediation
- Refer to the Security Advisory for CVE-2025-2783 and ensure that all Chrome browsers are updated to the patched version
- Avoid clicking on links in unsolicited or suspicious emails
- Use email security filters to detect and block phishing attempts
- Enable sandboxing and endpoint detection and response (EDR) tools
- Block execution of scripts and shortcuts from ZIP files by default
- Limit the use of PowerShell and scripting tools through security policies
- Monitor network traffic for unusual connections to unknown external servers
- Use behavior-based detection tools to identify backdoor activity
- Segment critical systems from the rest of the network to limit the attacker’s movement
- Implement strong access controls and limit administrative privileges
- Regularly audit system logs for abnormal process behavior and access attempts
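As an added example (not part of this advisory and not any vendor's code), the Python rule set below applies three of the monitoring points above to endpoint telemetry: a script host launched from a ZIP extraction folder, the browser spawning an unexpected child process (a possible sandbox escape), and an outbound connection to an external address that is not on an allowlist. The telemetry records, the allowlist and the 203.0.113.x addresses are constructed for the example; the `Temp1_` folder naming is an assumption about how Windows Explorer extracts a file opened from inside a ZIP, and the rule that chrome.exe only spawns chrome.exe is a heuristic to tune for your environment.

```python
"""Detection rules over constructed endpoint telemetry (added example, not
code from the advisory or from any product)."""
import ipaddress
import ntpath
import re
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple


@dataclass
class Event:
    """One telemetry record; kind is 'process' (creation) or 'network' (outbound)."""
    kind: str
    image: str = ""        # full path of the process image
    parent: str = ""       # full path of the parent image (process events)
    cmdline: str = ""      # command line (process events)
    dest_ip: str = ""      # destination address (network events)
    dest_port: int = 0


# Script hosts and shells whose launch from an archive extraction folder is suspicious.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Assumption: Explorer extracts a file opened from inside a ZIP to %TEMP%\Temp1_<archive>\.
ARCHIVE_TEMP_RE = re.compile(r"\\Temp\\Temp1_[^\\]+\\", re.IGNORECASE)

# Heuristic: Chrome normally only spawns further chrome.exe processes (renderer, GPU, utility).
BROWSER_IMAGE = "chrome.exe"

# Ranges treated as internal; any other destination counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path; ntpath handles backslashes on any OS."""
    return ntpath.basename(path).lower()


def script_from_archive(ev: Event) -> bool:
    """Rule 1: a script host or shell started with a path under a ZIP extraction folder."""
    return (ev.kind == "process" and basename(ev.image) in SCRIPT_HOSTS
            and ARCHIVE_TEMP_RE.search(ev.cmdline) is not None)


def browser_unexpected_child(ev: Event) -> bool:
    """Rule 2: chrome.exe spawning something other than chrome.exe."""
    return (ev.kind == "process" and basename(ev.parent) == BROWSER_IMAGE
            and basename(ev.image) != BROWSER_IMAGE)


def unknown_external_destination(ev: Event, allowlist: Set[str]) -> bool:
    """Rule 3: outbound connection to an external address that is not allowlisted."""
    if ev.kind != "network":
        return False
    try:
        ip = ipaddress.ip_address(ev.dest_ip)
    except ValueError:          # malformed address in the record: skip rather than crash
        return False
    if any(ip in net for net in INTERNAL_NETS):
        return False
    return ev.dest_ip not in allowlist


def scan(events: Iterable[Event], allowlist: Set[str]) -> List[Tuple[str, str]]:
    """Return (rule name, detail) for every event that matches a rule, in input order."""
    hits: List[Tuple[str, str]] = []
    for ev in events:
        if script_from_archive(ev):
            hits.append(("script_from_archive", basename(ev.image)))
        if browser_unexpected_child(ev):
            hits.append(("browser_unexpected_child", basename(ev.image)))
        if unknown_external_destination(ev, allowlist):
            hits.append(("unknown_external_destination",
                         f"{basename(ev.image)}->{ev.dest_ip}:{ev.dest_port}"))
    return hits


# Constructed sample telemetry (not real logs): a benign and a suspicious case per rule.
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    Event("process", image=PS, parent=r"C:\Windows\explorer.exe",
          cmdline=r"powershell.exe -w hidden -File C:\Users\alice\AppData\Local\Temp\Temp1_invitation.zip\invite.ps1"),
    Event("process", image=PS, parent=r"C:\Windows\explorer.exe",
          cmdline=r"powershell.exe -File C:\Scripts\backup.ps1"),
    Event("process", image=CHROME, parent=CHROME, cmdline="chrome.exe --type=renderer"),
    Event("process", image=r"C:\Users\alice\AppData\Local\Temp\upd.exe", parent=CHROME, cmdline="upd.exe"),
    Event("network", image=r"C:\Users\alice\AppData\Local\Temp\upd.exe", dest_ip="203.0.113.45", dest_port=443),
    Event("network", image=r"C:\Windows\System32\svchost.exe", dest_ip="10.0.0.5", dest_port=445),
    Event("network", image=CHROME, dest_ip="203.0.113.10", dest_port=443),
]
KNOWN_EXTERNAL = {"203.0.113.10"}   # constructed allowlist entry, e.g. a known update server

if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_EVENTS, KNOWN_EXTERNAL):
        print(f"ALERT {rule}: {detail}")
```

Run against the sample records the script raises exactly three alerts, one per rule; the benign PowerShell launch, the normal Chrome renderer, the internal SMB connection and the allowlisted destination stay silent. Rule 3 deliberately uses an explicit internal-range list rather than the library's `is_global` flag, because that flag also treats the 203.0.113.0/24 documentation range (and other IANA special-purpose blocks) as non-global, which would hide the constructed destination.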