In a major revelation, the Threat Intelligence Department of the Positive Technologies Expert Security Center (PT ESC) has attributed a sophisticated phishing and malware campaign to the APT group Team46, a group previously linked to high-profile cyberattacks under the alias TaxOff. Their latest operation involves the exploitation of a Google Chrome sandbox escape zero-day (CVE-2025-2783) and deployment of a multi-layered malware loader known as Trinper.
"This report also provides data that suggests that TaxOff is actually the same group as Team46," PT ESC confirms.
The campaign surfaced in March 2025, when a phishing email masquerading as an invitation to the Primakov Readings forum lured victims to a malicious website. Clicking the embedded link triggered a one-click exploit abusing CVE-2025-2783, which allowed sandbox escape and seamless malware installation.
"The initial attack vector was a phishing email… It triggered a one-click exploit (CVE-2025-2783), leading to the installation of the Trinper backdoor employed by TaxOff," PT ESC explains.
Further analysis traced similar phishing campaigns as far back as October and September 2024, suggesting a long-running operation. One decoy email invited targets to a forum on the "Security of the Union State," while another spoofed Rostelecom, Russia's largest digital service provider.
The payloads, hidden in cleverly obfuscated PowerShell commands, downloaded multi-layer encrypted files posing as PDFs or update executables. Execution was often triggered using LOLBins like rdpclip.exe and AdobeARM.exe.
"The same pattern is used to name the decoy document on the victim's computer… the Edge User-Agent is used when downloading the decoy document, and the Yandex Browser User-Agent is used when downloading the payload," PT ESC notes.
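As an added defender's illustration (not code from the PT ESC report), the following Python flags the two host-side patterns described above over constructed sample telemetry: PowerShell spawned by rdpclip.exe or AdobeARM.exe with encoding or bypass switches, and a client that fetches a PDF with an Edge User-Agent and then an executable with a Yandex Browser User-Agent from the same host. The key=value log format, hostnames and addresses are invented for the example.

```python
import re
from collections import defaultdict

# Constructed sample telemetry, not taken from the PT ESC report: process-creation
# events and web-proxy requests in a simplified key=value form.
PROCESS_EVENTS = [
    'parent=C:\\Windows\\System32\\rdpclip.exe image=powershell.exe cmdline="powershell -nop -w hidden -enc SQBFAFgAIAAo"',
    'parent=C:\\Program Files\\Adobe\\AdobeARM.exe image=powershell.exe cmdline="powershell.exe -ep bypass -c iex(...)"',
    'parent=C:\\Windows\\explorer.exe image=powershell.exe cmdline="powershell -File backup.ps1"',
    'parent=C:\\Windows\\System32\\rdpclip.exe image=conhost.exe cmdline="conhost.exe 0x4"',
]
PROXY_LOG = [
    'client=10.0.0.5 host=forum.example ua="Mozilla/5.0 Edg/120.0" uri=/invite.pdf',
    'client=10.0.0.5 host=forum.example ua="Mozilla/5.0 YaBrowser/24.1" uri=/update.exe',
    'client=10.0.0.9 host=intranet.example ua="Mozilla/5.0 Edg/120.0" uri=/policy.pdf',
]

LOLBIN_PARENTS = {"rdpclip.exe", "adobearm.exe"}  # parent processes named in the report
PROC_RE = re.compile(r'parent=(.*?) image=(\S+) cmdline="(.*)"')
# Encoded / policy-bypass / hidden-window switches, or an inline iex() download cradle.
OBFUSCATION_RE = re.compile(r"\s-(?:enc|encodedcommand|ep|nop|w)\b|\biex\s*\(", re.I)

def flag_lolbin_powershell(events):
    """Return events where rdpclip.exe or AdobeARM.exe spawns PowerShell with
    obfuscation switches: an unusual parent combined with an unusual command line."""
    hits = []
    for line in events:
        m = PROC_RE.search(line)
        if not m:
            continue
        parent, image, cmdline = m.groups()
        parent_name = parent.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if (parent_name in LOLBIN_PARENTS and image.lower() == "powershell.exe"
                and OBFUSCATION_RE.search(cmdline)):
            hits.append(line)
    return hits

PROXY_RE = re.compile(r'client=(\S+) host=(\S+) ua="(.*?)" uri=(\S+)')

def flag_user_agent_switch(log):
    """Return (client, host) pairs that fetched a PDF with an Edge UA and an
    executable with a Yandex Browser UA: the decoy/payload two-UA pattern."""
    seen = defaultdict(set)
    for line in log:
        m = PROXY_RE.search(line)
        if not m:
            continue
        client, host, ua, uri = m.groups()
        if "Edg/" in ua and uri.lower().endswith(".pdf"):
            seen[(client, host)].add("edge-decoy")
        elif "YaBrowser/" in ua and uri.lower().endswith(".exe"):
            seen[(client, host)].add("yandex-payload")
    return sorted(k for k, v in seen.items() if v == {"edge-decoy", "yandex-payload"})
```

Both checks are deliberately narrow; in production they would be fed from Sysmon event ID 1 and proxy logs and correlated by host and time window rather than by exact string match.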
The Trinper malware features a heavily obfuscated, multi-stage loader engineered to evade detection and run exclusively on targeted machines. Decryption keys are dynamically derived from:
- Firmware UUIDs
- Process image path names
- A modified ChaCha20 algorithm
- Custom BLAKE2b hashing
If execution occurs in a sandbox or unexpected process, the malware diverts into an infinite decryption loop, effectively stalling analysis.
"The loader first verifies that it is being executed in the context of a specific process… If not, its execution is terminated," the report states.
Once decrypted, the Trinper backdoor connects to mimicry domains such as:
- common-rdp-front.global.ssl.fastly.net
- fast-telemetry-api.global.ssl.fastly.net
Team46 also deploys internal reconnaissance tools (dirlist.exe, ProcessList.exe, and ScreenShot.exe), all written in .NET and communicating through named pipes.
PT ESC’s analysis highlights strong overlaps:
- Identical PowerShell attack chains
- Similar loaders using UUID and ChaCha20
- Matching infrastructure naming conventions
"The loader used by TaxOff is functionally identical to the Trojan.Siggen27.11306 loader used by Team46," the researchers note, concluding: "Our study strongly suggests that Team46 and TaxOff are in fact the same APT group."