A now-patched security flaw in Google Chrome was exploited as a zero-day by a threat actor known as TaxOff to deploy a backdoor called Trinper.
The attack, observed in mid-March 2025 by Positive Technologies, involved the use of a sandbox escape vulnerability tracked as CVE-2025-2783 (CVSS score: 8.3).
Google addressed the flaw later that month, after Kaspersky reported its exploitation in a campaign it called Operation ForumTroll, which targeted various Russian organizations.
“The initial attack vector was a phishing email containing a malicious link,” the company said. “When the victim clicked on the link, it triggered a one-click exploit (CVE-2025-2783), which led to the installation of the Trinper backdoor used by TaxOff.”
The phishing email is said to have been disguised as an invitation to the Primakov Readings forum, the same lure detailed by Kaspersky, urging recipients to click a link that led to a fake website.
TaxOff is the name assigned to a hacking group that the Russian cybersecurity company first documented in late November 2024 as targeting domestic government bodies with legal- and finance-themed phishing lures to deliver Trinper.
Written in C++, the backdoor uses multithreading to capture victim information, log keystrokes, collect files matching certain extensions (.doc, .xls, .ppt, and .pdf), establish a connection with a remote server, and exfiltrate the results.
Instructions sent from the command-and-control (C2) server extend the implant's functionality, allowing it to read and write files, run commands via cmd.exe, launch a reverse shell, change directories, and shut down.
“Multithreading provides a high degree of parallelism to conceal the backdoor, allowing it to collect and exfiltrate data, install additional modules, and maintain communication with C2,” Lunin said at the time.
Positive Technologies said its investigation into the mid-March 2025 intrusion led to the discovery of another attack in October 2024 that also began with a phishing email, this one purporting to be an invitation to an international conference called “The Security of the Union in the Modern World”.
That email also contained a link that downloaded a ZIP archive holding a Windows shortcut file, which in turn launched a PowerShell command to ultimately display the decoy document and drop a loader responsible for launching Donut Loader. A variant of the attack was found to swap Donut Loader for Cobalt Strike.
This loader has been linked to Team46, raising the possibility that the two threat clusters are one and the same.
Interestingly, another set of phishing emails sent by Team46 a month earlier claimed to come from the Moscow telecommunications operator Rostelecom, warning recipients about alleged maintenance work.
These emails included a ZIP archive embedding a shortcut file that launched a PowerShell command to deploy a loader previously used to deliver another backdoor in an attack aimed at an unnamed Russian company in the railway industry.
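The two intrusion chains above share the same first stage: a ZIP attachment carrying a Windows shortcut (.lnk) that launches PowerShell. The following triage script is an added example for mail-gateway or sandbox defenders, not code from the article or from Positive Technologies; it builds a constructed sample archive in memory (not a real artifact from either campaign), then walks every ZIP entry, recognises Shell Link files by their fixed header rather than by extension alone, and reports which script interpreters a shortcut references in either ASCII or UTF-16LE. The interpreter list and the sample command line are assumptions chosen for illustration.

```python
import io
import re
import zipfile

# Shell Link (.lnk) header: HeaderSize 0x0000004C followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046 in its on-disk little-endian layout.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c000000000000046")
LNK_HEADER_SIZE = 0x4C

# Interpreter names whose presence inside a shortcut marks it as a launcher
# rather than an ordinary link to a document (assumed list, extend as needed).
SUSPICIOUS = re.compile(rb"powershell|pwsh|cmd\.exe|mshta|wscript|cscript", re.I)


def is_lnk(data: bytes) -> bool:
    """True if the bytes start with a Shell Link header, whatever the file name says."""
    return data[: len(LNK_MAGIC)] == LNK_MAGIC


def lnk_indicators(data: bytes) -> list[str]:
    """Return the distinct interpreter names referenced by a shortcut.
    Shortcut strings are usually UTF-16LE, so the bytes are scanned both raw
    and after a lossy UTF-16LE decode (unmappable bytes are dropped)."""
    found = set()
    decoded = data.decode("utf-16-le", errors="ignore").encode("ascii", "ignore")
    for blob in (data, decoded):
        for m in SUSPICIOUS.finditer(blob):
            found.add(m.group(0).decode().lower())
    return sorted(found)


def triage_zip(zip_bytes: bytes) -> list[dict]:
    """List every Shell Link inside a ZIP attachment with its indicators and
    whether it hides behind a double extension such as 'Invitation.pdf.lnk'."""
    report = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            name = info.filename.lower()
            if name.endswith(".lnk") or is_lnk(data):
                report.append({
                    "name": info.filename,
                    "indicators": lnk_indicators(data),
                    "double_extension": name.count(".") > 1,
                })
    return report


def build_sample_zip() -> bytes:
    """Constructed sample, not a real campaign artifact: a decoy PDF next to a
    shortcut whose body carries a UTF-16LE PowerShell command line."""
    lnk = LNK_MAGIC + b"\x00" * (LNK_HEADER_SIZE - len(LNK_MAGIC))
    lnk += "powershell.exe -w hidden -File stage.ps1".encode("utf-16-le")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invitation.pdf", b"%PDF-1.4 decoy document")
        zf.writestr("Invitation.pdf.lnk", lnk)
    return buf.getvalue()


if __name__ == "__main__":
    for hit in triage_zip(build_sample_zip()):
        print(hit)
```

Matching on the 20-byte header catches shortcuts that were renamed to look like documents, and the double-extension flag surfaces the "decoy name plus .lnk" trick; a production version would additionally parse the LinkTargetIDList and the optional command-line string rather than pattern-matching the whole file.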
The March 2024 intrusion, according to Doctor Web, is notable for the fact that one of the payloads weaponized a DLL hijacking vulnerability (CVE-2024-6473, CVSS score: 8.4) as a zero-day to download and execute unspecified malware. It was fixed in version 24.7.1.380, released in September 2024.
“This group uses zero-days, which allows it to penetrate secure infrastructure more effectively,” the researchers said. “The group also creates and uses sophisticated malware, indicating that it has a long-term strategy and intends to maintain persistence on compromised systems over an extended period.”