The Threat Intelligence Department of the Positive Technologies Expert Security Center (PT ESC) has attributed a phishing and malware campaign to the APT group Team46 and concluded that Team46 is the same actor previously tracked, and linked to high-profile intrusions, under the alias TaxOff. The latest operation exploited a Google Chrome sandbox-escape zero-day (CVE-2025-2783) and delivered the Trinper backdoor through a multi-stage loader.
“This report also provides data that suggests that TaxOff is actually the same group as Team46,” PT ESC confirms.
The campaign surfaced in March 2025, when a phishing email masquerading as an invitation to the Primakov Readings forum lured victims to a malicious website. Clicking the embedded link was enough: a one-click exploit for CVE-2025-2783 escaped the Chrome sandbox and installed the malware with no further user interaction.
“The initial attack vector was a phishing email… It triggered a one-click exploit (CVE-2025-2783), leading to the installation of the Trinper backdoor employed by TaxOff,” PT ESC explains.
Further analysis traced similar phishing campaigns back to September and October 2024, suggesting a long-running operation. One decoy email invited targets to a forum on the “Security of the Union State,” while another spoofed Rostelecom, Russia’s largest digital service provider.
The payloads, hidden in obfuscated PowerShell commands, downloaded multi-layer encrypted files posing as PDFs or update executables. Execution was often triggered through legitimate binaries already present on the host, used as LOLBins, such as rdpclip.exe and AdobeARM.exe.
“The same pattern is used to name the decoy document on the victim’s computer… the Edge User-Agent is used when downloading the decoy document, and the Yandex Browser User-Agent is used when downloading the payload,” PT ESC notes.
The Trinper loader is heavily obfuscated and multi-stage, and it is engineered to run only on the machine it was built for: the key that unwraps each stage is never stored in the sample but derived at runtime from values specific to the host and to the process the loader is running in. According to the report, the scheme combines:
- the firmware UUID of the host
- the image path of the hosting process
- a custom BLAKE2b hash that turns those values into key material
- a modified ChaCha20 cipher that decrypts the next stage with that key
If the loader runs in a sandbox or inside an unexpected process, the derived key is wrong and the malware drops into an endless decryption loop that never yields a valid payload, effectively stalling analysis.
“The loader first verifies that it is being executed in the context of a specific process… If not, its execution is terminated,” the report states.
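To make the keying scheme concrete, here is an added example of environment-keyed stage decryption in the style the report describes. It is not PT ESC's code or the malware's: it uses standard RFC 8439 ChaCha20 (implemented inline) and hashlib's BLAKE2b where the real loader uses modified variants, and the firmware UUID, process path, nonce, `stage-key` personalization string and stage bytes are all constructed for the demonstration. The point it shows is that the same blob decrypts cleanly on the intended host inside the intended process and is unrecoverable anywhere else, which is why a sandbox or a renamed sample only ever sees the loader spin.

```python
"""Environment-keyed stage decryption (added example, not the loader's real code).

Key = BLAKE2b(firmware UUID || process image path); stage = ChaCha20(key, blob).
Standard RFC 8439 ChaCha20 and hashlib BLAKE2b stand in for the modified variants
the report describes. All sample values below are constructed."""
import hashlib
import struct

MASK32 = 0xFFFFFFFF


def _rotl32(v, n):
    return ((v << n) & MASK32) | (v >> (32 - n))


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 7)


def chacha20_block(key: bytes, counter: int, nonce: bytes) -> bytes:
    """One 64-byte keystream block (RFC 8439 section 2.3): 32-byte key, 12-byte nonce."""
    state = (list(struct.unpack("<4I", b"expand 32-byte k"))
             + list(struct.unpack("<8I", key))
             + [counter]
             + list(struct.unpack("<3I", nonce)))
    w = state[:]
    for _ in range(10):  # 20 rounds = 10 x (column round + diagonal round)
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *((x + y) & MASK32 for x, y in zip(w, state)))


def chacha20_xor(key: bytes, nonce: bytes, data: bytes, counter: int = 1) -> bytes:
    """Encrypt or decrypt (same operation): XOR data with the keystream."""
    out = bytearray()
    for off in range(0, len(data), 64):
        ks = chacha20_block(key, counter + off // 64, nonce)
        out.extend(a ^ b for a, b in zip(data[off:off + 64], ks))
    return bytes(out)


def derive_stage_key(firmware_uuid: str, image_path: str) -> bytes:
    """Key material that exists only on the intended host, in the intended process.

    Inputs are normalised (UUID upper-case, path lower-case) so the same host
    always yields the same key. The 'person' string is an assumed constant."""
    material = (firmware_uuid.strip().upper().encode() + b"\0"
                + image_path.strip().lower().encode())
    return hashlib.blake2b(material, digest_size=32, person=b"stage-key").digest()


STAGE_MAGIC = b"MZ\x90\x00"   # assumed: the next stage is a PE, so check its header
NONCE = b"\0\0\0\0stage-01"   # 12-byte ChaCha20 nonce; constructed constant


def build_stage(firmware_uuid: str, image_path: str, stage: bytes) -> bytes:
    """Builder side, done once per victim: wrap the stage for that host and process."""
    return chacha20_xor(derive_stage_key(firmware_uuid, image_path), NONCE, stage)


def unwrap_stage(firmware_uuid: str, image_path: str, blob: bytes):
    """Loader side: the decrypted stage, or None if this host/process gives a wrong key."""
    plain = chacha20_xor(derive_stage_key(firmware_uuid, image_path), NONCE, blob)
    return plain if plain.startswith(STAGE_MAGIC) else None


def loader_run(firmware_uuid: str, image_path: str, blob: bytes, max_spins: int = 1000):
    """Mirror of the failure mode: retry decryption until a valid stage appears.
    The real loader has no bound and spins forever off-target; this bounded
    version returns (stage, attempts) so the behaviour can be observed."""
    for attempt in range(1, max_spins + 1):
        stage = unwrap_stage(firmware_uuid, image_path, blob)
        if stage is not None:
            return stage, attempt
    return None, max_spins


# Constructed environments: the intended victim, an analyst sandbox with a
# different firmware UUID, and the right host but the sample run from the desktop.
VICTIM = ("4C4C4544-0042-3310-8054-B4C04F4E3232", r"C:\Windows\System32\rdpclip.exe")
SANDBOX = ("03000200-0400-0500-0006-000700080009", r"C:\Windows\System32\rdpclip.exe")
WRONG_PROCESS = (VICTIM[0], r"C:\Users\analyst\Desktop\sample.exe")
STAGE = STAGE_MAGIC + bytes(range(200))  # constructed stand-in for the next stage

if __name__ == "__main__":
    blob = build_stage(*VICTIM, STAGE)
    print("on target:", loader_run(*VICTIM, blob)[1], "attempt(s)")
    print("in sandbox:", loader_run(*SANDBOX, blob, max_spins=5))
    print("wrong process:", loader_run(*WRONG_PROCESS, blob, max_spins=5))
```

For an analyst this is the practical consequence: the stage cannot be recovered by running the sample, only by feeding the loader the victim's actual firmware UUID and the exact image path it expects (or by instrumenting the loader and patching the derivation). Normalising the inputs matters too, since a loader that hashed the raw path would break on a case change in the hosting process name.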
Once decrypted, the Trinper backdoor connects to look-alike hostnames hosted on Fastly’s shared global.ssl.fastly.net domain, such as:
- common-rdp-front.global.ssl.fastly.net
- fast-telemetry-api.global.ssl.fastly.net
Team46 also deploys internal reconnaissance tools, dirlist.exe, ProcessList.exe and ScreenShot.exe, all written in .NET and communicating through named pipes.
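Two of the observables above are cheap to hunt for in web-proxy logs: the look-alike hostnames on Fastly's shared domain, and the delivery quirk quoted earlier, in which the decoy document is fetched with an Edge User-Agent and the payload with a Yandex Browser User-Agent. The following is an added example of that hunt, not PT ESC's tooling: the tab-separated log format (timestamp, client IP, host, path, User-Agent), the ten-minute window, and every log line are constructed for the demonstration.

```python
"""Proxy-log hunt for the Team46/TaxOff delivery pattern (added example, constructed data).

Alerts on (1) any request to the look-alike hosts named in the report and
(2) one client fetching from one host first with an Edge User-Agent and, within
a short window, again with a Yandex Browser User-Agent."""
from collections import defaultdict
from datetime import datetime, timedelta

KNOWN_HOSTS = {
    "common-rdp-front.global.ssl.fastly.net",
    "fast-telemetry-api.global.ssl.fastly.net",
}
UA_WINDOW = timedelta(minutes=10)  # assumed: decoy and payload are fetched close together


def browser_family(user_agent: str):
    """Edge and Yandex Browser both carry a Chrome token, so key on their own tokens."""
    if "Edg/" in user_agent:
        return "edge"
    if "YaBrowser/" in user_agent:
        return "yandex"
    return None


def parse_line(line: str):
    ts, client, host, path, ua = line.rstrip("\n").split("\t", 4)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, host, path, ua


def hunt(lines, window: timedelta = UA_WINDOW):
    """Return alerts as (rule, client, host, detail) tuples, in log order."""
    alerts = []
    history = defaultdict(list)  # (client, host) -> [(time, family, path)]
    for line in lines:
        t, client, host, path, ua = parse_line(line)
        if host in KNOWN_HOSTS:
            alerts.append(("known_c2_host", client, host, path))
        fam = browser_family(ua)
        if fam is None:
            continue
        prior = history[(client, host)]
        # Edge first (decoy), Yandex shortly after (payload), same client and host.
        if fam == "yandex" and any(pf == "edge" and t - pt <= window for pt, pf, _ in prior):
            first = next(pp for pt, pf, pp in prior if pf == "edge" and t - pt <= window)
            alerts.append(("ua_switch", client, host, f"{first} -> {path}"))
        prior.append((t, fam, path))
    return alerts


# Constructed log lines; the invite host is a placeholder, not a real indicator.
EDGE_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) "
           "Chrome/134.0.0.0 Safari/537.36 Edg/134.0.0.0")
YANDEX_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) "
             "Chrome/134.0.0.0 YaBrowser/25.2.0.0 Safari/537.36")
SAMPLE_LOG = [
    "\t".join(["2025-03-12T09:14:02Z", "10.0.0.15", "invite.example", "/invitation.pdf", EDGE_UA]),
    "\t".join(["2025-03-12T09:14:09Z", "10.0.0.15", "invite.example", "/update.exe", YANDEX_UA]),
    "\t".join(["2025-03-12T09:20:41Z", "10.0.0.15", "common-rdp-front.global.ssl.fastly.net", "/", EDGE_UA]),
    "\t".join(["2025-03-12T09:21:00Z", "10.0.0.22", "contoso.example", "/index.html", EDGE_UA]),
    "\t".join(["2025-03-12T11:40:00Z", "10.0.0.22", "contoso.example", "/index.html", YANDEX_UA]),
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_LOG):
        print(alert)
```

The second rule is a heuristic, not a signature: a user who genuinely runs both browsers against the same site will trip it, so treat a `ua_switch` hit as a pivot (what was the second object, did the client then talk to a fastly.net host) rather than as a verdict. The known-host rule is the stronger one, but the hostnames sit on shared Fastly infrastructure, so block by full hostname, not by the parent domain.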
PT ESC’s analysis highlights strong overlaps between the TaxOff and Team46 tool sets:
- Identical PowerShell attack chains
- Similar loaders, keyed on the firmware UUID and using ChaCha20
- Matching infrastructure naming conventions
“The loader used by TaxOff is functionally identical to the Trojan.Siggen27.11306 loader used by Team46,” the researchers note, concluding: “Our study strongly suggests that Team46 and TaxOff are in fact the same APT group.”