Cyber threats are evolving at breakneck speed, and the recent Chrome zero-day attack orchestrated by the TaxOff group is a striking example.
This incident demonstrates how swiftly attackers can weaponize unknown vulnerabilities, putting even the most secure environments at risk.
A Closer Look at the Attack’s Mechanics
In March 2025, researchers uncovered a targeted campaign aimed at Russian organizations. The attackers used a convincing phishing email, disguised as an invitation to a major forum, to lure victims into clicking a malicious link.
This link triggered a one-click exploit for CVE-2025-2783, allowing silent installation of the Trinper backdoor. Google responded rapidly after being notified of the active exploitation, releasing a security patch.
With a high CVSS score of 8.3, this Chrome flaw enabled attackers to break out of the browser’s sandbox and execute code with broader system privileges.
Trinper Backdoor: Stealth and Versatility
Written in C++, Trinper is designed for stealthy persistence and multi-faceted attacks. Its multithreaded design lets it carry out several malicious tasks concurrently while remaining hidden. Some of its most notable capabilities include:
- Gathering host details and logging keystrokes
- Harvesting documents like .doc, .xls, .ppt, .rtf, and .pdf files
- Maintaining constant communication with a C2 server
- Executing remote commands, manipulating files, launching reverse shells, and self-removal
These features give attackers the power to steal sensitive data, maintain long-term access, and deploy additional malicious payloads as needed.
Patterns, Attribution, and Connections
Investigators found that TaxOff has been active since at least late 2024, primarily targeting government and institutional entities.
Their campaigns often rely on phishing emails that deliver ZIP archives containing shortcut (.lnk) files, which in turn launch PowerShell-based malware loaders. Tools like the Donut loader and Cobalt Strike are commonly used in these attacks.
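The ZIP, shortcut and PowerShell loader chain described above is something a defender can hunt for in endpoint telemetry. The following detection heuristic is an added example, not code from the article or from any vendor; the event format, field names and the sample events are constructed, and it assumes only that process-creation logs record the parent image, image, command line and working directory.

```python
"""Heuristic detection for a ZIP -> .lnk -> PowerShell loader chain.
Added example; log lines below are constructed (pipe-separated
key=value fields) and the field names are assumptions."""
import re
from typing import Dict, List

PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
# Constructed sample events, not real telemetry. Event 1 and 4 model the
# lure chain; 2 and 3 are benign noise. The -enc payload is a placeholder.
SAMPLE_EVENTS = [
    "id=1|parent=C:\\Windows\\explorer.exe|image=" + PS + "|"
    "cmd=powershell.exe -nop -w hidden -ep bypass -enc QUFBQUFB|"
    "cwd=C:\\Users\\alice\\AppData\\Local\\Temp\\Temp1_invitation.zip\\",
    "id=2|parent=C:\\Windows\\explorer.exe|image=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|"
    "cmd=chrome.exe --profile-directory=Default|cwd=C:\\Users\\alice\\",
    "id=3|parent=C:\\Windows\\System32\\cmd.exe|image=" + PS + "|"
    "cmd=powershell.exe Get-ChildItem C:\\build|cwd=C:\\build\\",
    "id=4|parent=C:\\Windows\\explorer.exe|image=" + PS + "|"
    "cmd=powershell.exe -WindowStyle Hidden -File C:\\Users\\alice\\Downloads\\forum\\setup.ps1|"
    "cwd=C:\\Users\\alice\\Downloads\\forum\\",
]

HIDDEN_OR_ENCODED = re.compile(
    r"(?i)(-e(nc|ncodedcommand)?\b|-w(indowstyle)?\s+hidden|-e(p|xecutionpolicy)\s+bypass)")
# Explorer stages a double-clicked ZIP under %TEMP%\Temp1_<name>.zip\ ;
# Downloads is the other usual drop location for a mailed archive.
STAGING_PATH = re.compile(r"(?i)\\(Temp\\Temp\d+_[^\\]+\.zip|Downloads)\\")

def parse_event(line: str) -> Dict[str, str]:
    return dict(field.split("=", 1) for field in line.split("|"))

def score_event(ev: Dict[str, str]) -> List[str]:
    """Return the indicators matched by one event; empty means not PowerShell or clean."""
    hits: List[str] = []
    if not ev["image"].lower().endswith("\\powershell.exe"):
        return hits
    if ev["parent"].lower().endswith("\\explorer.exe"):
        hits.append("powershell-spawned-by-explorer")  # typical of a double-clicked .lnk
    if HIDDEN_OR_ENCODED.search(ev["cmd"]):
        hits.append("hidden-or-encoded-cmdline")
    if STAGING_PATH.search(ev["cwd"]) or STAGING_PATH.search(ev["cmd"]):
        hits.append("runs-from-archive-or-download-staging")
    return hits

def flag_suspicious(lines: List[str], min_hits: int = 2) -> Dict[str, List[str]]:
    """Map event id -> matched indicators for events reaching min_hits; requiring
    two or more indicators keeps an admin's interactive PowerShell out of the alerts."""
    flagged: Dict[str, List[str]] = {}
    for line in lines:
        ev = parse_event(line)
        hits = score_event(ev)
        if len(hits) >= min_hits:
            flagged[ev["id"]] = hits
    return flagged
```

Tune `min_hits` and the path patterns to your own environment's baseline before turning this into an alert.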
TaxOff’s tactics closely mirror those of another group, Team46, suggesting potential collaboration or shared operations.
Notably, one campaign impersonated a well-known telecom provider to target the rail freight sector, underlining the attackers’ ability to tailor their lures for maximum impact.
Zero-Day Exploits: A Growing Threat
The TaxOff campaign is emblematic of a broader shift among advanced threat actors toward exploiting zero-day flaws in popular software. For example, similar loader-based attacks have been observed using a DLL hijacking bug in Yandex Browser (CVE-2024-6473). Key trends emerging from these operations include:
- Zero-day exploits enable attackers to circumvent security before fixes are released
- Highly targeted phishing techniques and custom loaders improve the chances of infection
- Threat actors increasingly share methods and tools to maximize their reach
Staying Ahead of Evolving Threats
The exploitation of CVE-2025-2783 highlights the urgent need for rapid patching, ongoing user education, and robust detection measures. Organizations should strengthen their defenses by fostering awareness of phishing tactics and ensuring their systems remain updated. As attacker sophistication grows, a proactive, layered approach to security is essential for minimizing risk.
Source: The Hacker News
Chrome Zero-Day Attack: How TaxOff Used CVE-2025-2783 for Advanced Espionage