Current Cyber Threats

Google Chrome Zero-Day CVE-2025-2783 Exploited by TaxOff to Deploy Trinper Backdoor

Summary:
A now-patched zero-day vulnerability in Google Chrome (CVE-2025-2783, a sandbox-escape bug affecting Chrome on Windows) was exploited by the threat group TaxOff to deploy a custom backdoor named Trinper in a targeted campaign dubbed Operation ForumTroll. The campaign was first reported in the wild by Kaspersky in March 2025; Positive Technologies investigated an intrusion from the same month and attributed it to TaxOff. The attack began with phishing emails disguised as invitations to the Primakov Readings forum. Victims who clicked the embedded link were sent to a fake website hosting a one-click Chrome exploit: opening the page in an unpatched browser was enough to escape the sandbox and install Trinper, with no downloaded file or macro involved. Trinper is written in C++ and uses multithreading to keep its activity inconspicuous and efficient; it records keystrokes, collects sensitive documents from the host, and executes commands received from a remote command-and-control server.

Security Officer Comments:
Further investigation revealed a broader pattern of operations by TaxOff dating back to late 2024, with consistent use of phishing emails and staged payload delivery through the Donut loader and, in some variants, Cobalt Strike. A related attack in October 2024 followed a nearly identical playbook, suggesting possible overlap or collaboration with another group known as Team46. Team46, like TaxOff, has been linked to phishing campaigns that distribute sophisticated malware and exploit zero-day vulnerabilities, including the DLL hijacking flaw in Yandex Browser (CVE-2024-6473). These repeated intrusions, particularly against Russian government and industrial entities, underscore TaxOff's strategic use of zero-days and custom malware to establish long-term persistence within high-value networks.

Suggested Corrections:
Organizations should ensure browsers and other software are kept up to date with the latest security patches; Google fixed CVE-2025-2783 in the Chrome stable channel in March 2025, so any Chrome or Chromium-based browser still running an older build remains exposed to this exploit chain. Because the intrusion required only a click on a link, email filtering that blocks or rewrites suspicious links and user training to recognize invitation-themed lures are the controls that interrupt this campaign before the exploit runs. Restricting the execution of scripts and macros from unknown sources remains good practice for the Donut and Cobalt Strike delivery stages seen in related TaxOff activity, but it would not have stopped the browser exploit itself. Endpoint monitoring for the post-exploitation behaviors described above (keystroke capture, bulk document collection, and persistent outbound command-and-control traffic) provides a detection layer when patching lags.
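The patch-level check above is easy to get wrong in an inventory script because version strings compare lexicographically, not numerically ("134.0.6998.9" sorts above "134.0.6998.177" as text). The following is an added example, not code from the referenced article or from Positive Technologies, showing a correct numeric comparison of installed Chrome build strings against a minimum fixed build. The default fixed build 134.0.6998.177 is an assumption taken from Google's March 2025 stable-channel release note for CVE-2025-2783 and should be verified against the vendor advisory; the host inventory is constructed sample data.

```python
"""Audit Chrome/Chromium build strings against a minimum patched build.

Added example for this digest; not code from the cited article.
The fixed-build constant is an assumption (Google's March 2025 Chrome
stable update) and must be verified against the vendor advisory.
"""
import re
from typing import Dict, List, Optional, Tuple

# Assumption: first Chrome stable build carrying the CVE-2025-2783 fix.
FIXED_BUILD_CVE_2025_2783 = "134.0.6998.177"

# Matches dotted versions of 2 to 4 components inside arbitrary text.
_VERSION_RE = re.compile(r"(\d+(?:\.\d+){1,3})")


def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Extract the first dotted version from strings such as
    'Google Chrome 134.0.6998.165' and normalise it to four integers.
    Returns None when no version is present."""
    match = _VERSION_RE.search(text)
    if not match:
        return None
    parts = [int(p) for p in match.group(1).split(".")]
    parts += [0] * (4 - len(parts))  # pad short versions (e.g. '134.0')
    return parts[0], parts[1], parts[2], parts[3]


def is_patched(installed: str, fixed: str = FIXED_BUILD_CVE_2025_2783) -> Optional[bool]:
    """True if the installed build is at or above the fixed build, using
    component-wise integer comparison. None if either string is unparseable,
    so callers can treat 'unknown' separately from 'vulnerable'."""
    inst = parse_version(installed)
    fix = parse_version(fixed)
    if inst is None or fix is None:
        return None
    return inst >= fix


def audit(inventory: Dict[str, str], fixed: str = FIXED_BUILD_CVE_2025_2783) -> List[str]:
    """Return hosts whose browser is not confirmed patched (below the fixed
    build, or with an unparseable version string), sorted by host name."""
    return sorted(host for host, ver in inventory.items()
                  if is_patched(ver, fixed) is not True)


# Constructed sample inventory (host -> reported browser version string).
SAMPLE_INVENTORY = {
    "ws-01": "Google Chrome 134.0.6998.165",   # pre-fix build
    "ws-02": "Google Chrome 134.0.6998.178",   # fixed build (Windows .178 variant)
    "ws-03": "135.0.7049.84",                  # later major release
    "ws-04": "134.0.6998.9",                   # lexicographic trap: text-sorts as "newer"
    "ws-05": "version unavailable",            # unparseable -> flagged for follow-up
}

if __name__ == "__main__":
    for host in audit(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]!r} -> needs patch or manual check")
```

The audit deliberately returns unparseable entries alongside vulnerable ones: an asset whose browser version cannot be read is a gap in coverage, not evidence of safety. Swap in the build number from Google's own advisory for the browser variant you deploy before using this against a real inventory.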

Link(s):
https://thehackernews.com/2025/06/google-chrome-zero-day-cve-2025-2783.html