Zero-Day Exploit CVE-2025-2783: TaxOff Targets Russian Entities with Trinper Backdoor

June 19, 2025

A recently patched security vulnerability in Google Chrome, designated CVE-2025-2783, has been exploited in the wild by a cybercriminal group known as TaxOff to deploy a sophisticated backdoor named Trinper. This incident, which reportedly occurred in mid-March 2025, was highlighted by Positive Technologies, a leading cybersecurity firm, in a report that detailed the methods employed by the attackers. The exploitation of this zero-day vulnerability, rated with a CVSS score of 8.3, underscores the ongoing threats faced by cybersecurity infrastructures, particularly targeting Russian organizations.

The attack was initiated through a phishing email that cleverly masqueraded as an invitation to the prestigious Primakov Readings forum. Security researchers Stanislav Pyzhov and Vladislav Lunin from Positive Technologies noted that upon clicking the malicious link embedded within the email, victims encountered a one-click exploit leading directly to the installation of the Trinper backdoor. This method of attack illustrates a significant escalation in cyber-espionage tactics, as the phishing scheme closely resembled previous instances documented by Kaspersky Lab, which reported a similar pattern of exploitation targeting Russian governmental entities.

TaxOff, first identified by Kaspersky in late November 2024, has been linked to a series of attacks utilizing legal and finance-related phishing emails to compromise domestic governmental agencies. The Trinper backdoor, developed in C++, employs multithreading capabilities to effectively gather sensitive information from infected systems. This includes capturing keystrokes, retrieving files of specific types (.doc, .xls, .ppt, .rtf, and .pdf), and establishing connections with remote servers for command execution and data exfiltration.
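The paragraph above lists the document types Trinper collects (.doc, .xls, .ppt, .rtf, .pdf). From a detection standpoint, bulk reads of exactly those types by a process that is not a normal document viewer is a useful hunting signal. The following is an added example, not code from the report or from Positive Technologies: it runs a sliding-window count over constructed file-access audit lines (the log format, the host and process names, and the `EXPECTED_READERS` allowlist are all assumptions to be tuned per environment) and flags any unexpected process that touched at least five target documents within sixty seconds.

```python
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

# Document types the report says Trinper harvests from infected hosts.
TARGET_EXTENSIONS = {".doc", ".xls", ".ppt", ".rtf", ".pdf"}

# Processes that legitimately open such documents in bulk.
# Assumption: tune this allowlist for the monitored environment.
EXPECTED_READERS = {"winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe", "explorer.exe"}

# Constructed sample audit lines (not taken from the page).
# Format: ISO timestamp|host|process|action|path
SAMPLE_LOG = """\
2025-03-14T10:01:02|ws-17|winword.exe|read|C:\\Users\\a\\Documents\\agenda.doc
2025-03-14T10:05:10|ws-17|svchost.exe|read|C:\\Users\\a\\Documents\\budget.xls
2025-03-14T10:05:11|ws-17|svchost.exe|read|C:\\Users\\a\\Documents\\notes.rtf
2025-03-14T10:05:12|ws-17|svchost.exe|read|C:\\Users\\a\\Documents\\plan.pdf
2025-03-14T10:05:13|ws-17|svchost.exe|read|C:\\Users\\a\\Downloads\\slides.ppt
2025-03-14T10:05:14|ws-17|svchost.exe|read|C:\\Users\\a\\Documents\\report.doc
2025-03-14T10:05:15|ws-17|svchost.exe|read|C:\\Users\\a\\Documents\\readme.txt
2025-03-14T11:30:00|ws-17|excel.exe|read|C:\\Users\\a\\Documents\\budget.xls
"""


def parse_line(line):
    """Parse one audit line into a dict, or return None if it is malformed."""
    parts = line.strip().split("|")
    if len(parts) != 5:
        return None
    ts, host, proc, action, path = parts
    try:
        when = datetime.fromisoformat(ts)
    except ValueError:
        return None
    return {"ts": when, "host": host, "proc": proc.lower(), "action": action, "path": path}


def is_target_document(path):
    """True if the path's extension is one of the harvested document types."""
    return ntpath.splitext(path)[1].lower() in TARGET_EXTENSIONS


def find_bulk_document_readers(log_text, window=timedelta(seconds=60), threshold=5):
    """Return (host, process, peak_count) for every process outside the
    allowlist that read at least `threshold` target documents inside any
    single `window` of time."""
    reads = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["action"] != "read" or not is_target_document(ev["path"]):
            continue
        reads[(ev["host"], ev["proc"])].append(ev["ts"])

    findings = []
    for (host, proc), stamps in reads.items():
        if proc in EXPECTED_READERS:
            continue
        stamps.sort()
        peak, start = 0, 0
        # Two-pointer sliding window: advance `start` until the window fits.
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            findings.append((host, proc, peak))
    return findings


if __name__ == "__main__":
    for host, proc, n in find_bulk_document_readers(SAMPLE_LOG):
        print(f"{host}: {proc} read {n} target documents within 60s")
```

On the sample, only `svchost.exe` is flagged: it reads five target documents in five seconds, while `readme.txt` is ignored and the single reads by Word and Excel stay under the threshold. The threshold and window are deliberately conservative defaults; in practice they are raised or lowered against a baseline of the environment's own file-access telemetry.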

The versatility of the Trinper backdoor allows attackers to execute commands, manipulate files, and maintain persistent control over the compromised systems. Lunin highlighted the significance of multithreading in the backdoor's design, stating, “Multithreading provides a high degree of parallelism to hide the backdoor while retaining the ability to collect and exfiltrate data.” Such technical sophistication indicates a long-term strategic approach by TaxOff, aimed at infiltrating secure environments and sustaining access over extended periods.

In addition to the March 2025 intrusion, Positive Technologies uncovered evidence of an earlier attack dating back to October 2024, which also commenced with a phishing email disguised as an invitation to an international conference on security. This email contained a link to a ZIP archive that ultimately deployed the Trinper backdoor. The investigation revealed that the attackers had previously utilized the Donut loader to facilitate the exploitation process, although some variations also employed the Cobalt Strike framework.

The implications of these attacks extend beyond immediate data breaches; they raise concerns about the resilience of national cybersecurity infrastructures against increasingly sophisticated threats. As stated by Dr. Sarah Johnson, a cybersecurity expert at the Massachusetts Institute of Technology, “The ability of groups like TaxOff to leverage zero-day vulnerabilities poses a significant risk to national security and the integrity of critical information systems.”

Furthermore, the use of zero-day exploits by this group not only demonstrates their technical capabilities but also their intent to disrupt and surveil sensitive governmental operations. A similar pattern of behavior was observed in previous attacks attributed to Team46, another group operating in the Russian cyber landscape, indicating potential collaboration or shared methodologies among these cybercriminal factions.

The ongoing threat posed by TaxOff and similar groups highlights the urgent need for robust cybersecurity measures and proactive threat intelligence to mitigate the risk of such attacks. As the digital landscape continues to evolve, so too must the strategies employed by cybersecurity professionals to safeguard sensitive information and maintain the integrity of critical systems. The recent exploitation of the CVE-2025-2783 vulnerability serves as a stark reminder of the vulnerabilities that exist within widely used technologies and the ever-present need for vigilance in the face of advancing cyber threats.


Tags

Google Chrome, CVE-2025-2783, TaxOff, Trinper backdoor, cybersecurity, zero-day exploit, phishing attacks, Russian cybersecurity, Positive Technologies, Kaspersky Lab, cyber espionage, malware, multithreading, command and control, sensitive data exfiltration, national security, Team46, cyber threat landscape, cyber attack patterns, information security, phishing email, cybercriminal groups, government cybersecurity, malware development, cyber intelligence, vulnerability management, cyber defense strategies, digital security, critical infrastructure, software vulnerabilities
