Stratos Ally

TaxOff Hackers Weaponize Chrome Zero-Day CVE-2025-2783 in Targeted Attacks

StratosAlly

A serious security hole in Google Chrome, called CVE-2025-2783, was recently exploited by a hacking group named TaxOff to quietly install a backdoor malware known as Trinper. This flaw, which Google patched after it was found being actively exploited, let attackers break out of Chrome’s sandbox and take control of victims’ machines.

The attack is initiated with a phishing email pretending to be an invite to the Primakov Readings forum — a convincing lure. When someone clicks the link inside, the zero-day exploit is executed automatically, resulting in a silent installation of Trinper. Researchers from Positive Technologies spotted this in March 2025, and it matches what Kaspersky called Operation ForumTroll, which targeted various Russian organizations.

Trinper itself is a sophisticated backdoor written in C++. It is multithreaded, meaning it can carry out several tasks at once: logging keystrokes, collecting files with extensions such as .doc or .pdf, and sending that data back to the attackers’ command-and-control servers. It can also run commands, open reverse shells, and even shut itself down when needed.

Interestingly, this wasn’t the first time TaxOff used these kinds of tactics. Back in October 2024, they sent another phishing email pretending to invite people to a conference called “Security of the Union State in the modern world.” That email came with a ZIP file holding a Windows shortcut. Once opened, it launched a PowerShell script that dropped the Trinper backdoor. At first, the malware used the Donut loader to get onto the system, but later versions swapped it for Cobalt Strike, a widely used post-exploitation framework.

Security analysts have also noticed that TaxOff’s methods look a lot like those used by another group called Team46. For example, Team46 sent phishing emails impersonating the Russian telecom company Rostelecom, warning about fake outages and delivering malware in a similar way.

Going even further back, in March 2024, there was a related hack on a Russian rail company. Attackers exploited a zero-day flaw in Yandex Browser (CVE-2024-6473) to run malicious code through DLL hijacking. That bug was patched months later, in September.

Experts say groups like TaxOff and Team46 are highly skilled. They use zero-day exploits and custom malware to slip past defenses and stay hidden for a long time, demonstrating long-term strategic intent.
