Google Chrome’s current patched security flaw was exploited as zero day by a threat actor known as Taxoff to deploy backdoor code names Trimper.
The attacks observed by positive technology in mid-March 2025 included the use of a sandbox escape vulnerability tracked as CVE-2025-2783 (CVSS score: 8.3).
Google addressed the flaws later that month after Kaspersky reported wild exploitation in a campaign called ForumTroll’s Operations targeting various Russian organizations.
“The first attack vector was a phishing email with malicious links,” said security researchers Stanislav Pizov and Vladislav Lunin. “When the victim clicked on the link, it triggered a one-click exploit (CVE-2025-2783), leading to the installation of the Trinper Backdoor adopted by Taxoff.”
The phishing email is said to be disguised as an invitation to the Primakov Measurement Forum (the same Lua detailed by Kaspersky).
Taxoff is the name assigned to the hacking group first documented by a Russian cybersecurity company in late November 2024.
The backdoor written in C++ utilizes multi-threading to capture victim host information, record keystrokes, collect files that match specific extensions (.doc, .xls, .ppt, .rtf, and .pdf), establish a connection with a remote server to receive commands, and exclude execution results.
Instructions sent from the Command and Control (C2) server extend the functionality of the implant, read/write files, run commands using CMD.exe, launch a reverse shell, change directories, and shut down itself.
“Multithreading provides a high degree of parallelism to hide backdoors while retaining the ability to collect and remove data, installing additional modules and maintaining communication with C2,” Lunin said at the time.
Positive Technologies said investigation into the invasion in mid-March 2025 discovered another attack dating back to October 2024. This also started with a phishing email.
The email message also included a link with a ZIP archive file downloaded with Windows shortcuts. This eventually launched a PowerShell command that provided the decoy document, removing the loader responsible for launching the Trimperbackdoor with the open source doughnut loader. The attack variation is known to replace the donut loader in favor of the cobalt strike.
According to the company, the attack chain shares several tactical similarities with another hacking group tracked as Team46, increasing the likelihood that the two threat activity clusters are the same.
Interestingly, another set of phishing emails sent by Team46 attackers a month ago from Moscow-based carrier Rostelecom, alerted recipients of a maintenance outage last year.
These emails included a ZIP archive. This was embedded with a shortcut that invoked PowerShell commands that deployed loaders previously used in attacks targeting unknown Russian companies in the railway freight industry.
The March 2024 intrusion detailed by Doctor Web is notable for downloading and running undecided malware, with the fact that one of the payloads weaponized by a DLL hijacking vulnerability in the Yandex browser (CVE-2024-6473, CVSS score: 8.4) as Zero-day. Resolved in version 24.7.1.380, released in September 2024.
“The group utilizes zero-day exploits, allowing for more effective infiltration of secure infrastructure,” the researchers said. “This group also creates and uses sophisticated malware, means that they have a long-term strategy and intend to maintain the sustainability of their compromised systems for a long period of time.”
