A zero-day vulnerability in Google Chrome (CVE-2025-2783) was exploited by the threat actor TaxOff to install a backdoor called Trinper. The campaign targeted Russian organizations and is now patched.
The attacks began in March 2025 using targeted phishing emails. Victims received a message impersonating invitations to high-profile events. Clicking the link triggered the zero-day exploit in Chrome, allowing attackers to escape the browser sandbox and install the Trinper backdoor.
Google patched CVE-2025-2783 in March after in-the-wild exploitation was reported. Security firm Positive Technologies linked the exploit chain to the TaxOff group. The vulnerability has been added to CISA’s Known Exploited Vulnerabilities catalog. Researchers noted that similar attacks trace back to October 2024 and were previously attributed to related groups.
Trinper is a multithreaded C++ backdoor that collects host data, records keystrokes, searches for documents, and maintains persistence. The malware can read and write files, run commands, launch a reverse shell, and communicate with a remote command-and-control server. Variations of the attack also used ZIP files containing shortcuts that launched PowerShell commands, leveraging loaders such as Donut and Cobalt Strike.
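The ZIP-plus-shortcut variant described above is the part of this chain a defender can screen for at the mail gateway or on a file share. The following is an added example, not code from the article or from Positive Technologies: it opens an archive in memory, flags shortcut entries (especially double-extension names such as "report.pdf.lnk"), and checks whether the entry body references PowerShell in either ASCII or the UTF-16LE form that Windows shortcut argument strings use. The sample archive is constructed inline with placeholder bytes and is not a real lure.

```python
import io
import re
import zipfile

SHORTCUT_EXTS = (".lnk", ".url")
PS_PATTERN = re.compile(rb"powershell|pwsh", re.IGNORECASE)


def build_sample_zip() -> bytes:
    """Constructed sample: a benign document plus a shortcut that names PowerShell.

    The shortcut body is a placeholder, not a valid .lnk file; it only mimics the
    UTF-16LE argument string a real shortcut would carry.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invitation.pdf", b"%PDF-1.4 benign placeholder document")
        zf.writestr(
            "Invitation.pdf.lnk",
            b"L\x00\x00\x00" + "powershell.exe -w hidden".encode("utf-16-le"),
        )
    return buf.getvalue()


def find_suspicious_shortcuts(zip_bytes: bytes) -> list[dict]:
    """Return one finding per archive entry that is a shortcut or mentions PowerShell."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            lower = name.lower()
            is_shortcut = lower.endswith(SHORTCUT_EXTS)
            # "report.pdf.lnk": the visible name suggests a document, the real type is a shortcut.
            double_extension = is_shortcut and lower.count(".") >= 2
            data = zf.read(info)
            # Dropping NUL bytes turns a UTF-16LE string into its ASCII form regardless of
            # byte alignment, so one regex pass covers both encodings.
            mentions_powershell = bool(
                PS_PATTERN.search(data) or PS_PATTERN.search(data.replace(b"\x00", b""))
            )
            if is_shortcut or mentions_powershell:
                findings.append(
                    {
                        "name": name,
                        "is_shortcut": is_shortcut,
                        "double_extension": double_extension,
                        "mentions_powershell": mentions_powershell,
                        "size": info.file_size,
                    }
                )
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_shortcuts(build_sample_zip()):
        print(finding)
```

The check is deliberately conservative: any shortcut inside an inbound archive is worth a look on its own, and the PowerShell string match raises the priority rather than deciding the verdict. Real .lnk files can also be parsed fully (the MS-SHLLINK format) to extract the exact target and arguments; the byte-level scan here is the cheap first pass.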
This incident demonstrates the effectiveness of leveraging zero-day browser exploits via sophisticated phishing campaigns. By exploiting a then-unknown vulnerability, attackers bypassed security controls and deployed advanced persistent backdoors for espionage.
Cybersecurity experts noted similarities with a group known as Team46, raising questions about overlap or shared resources. Previous linked incidents involved zero-day exploitation in Yandex Browser in 2024. TaxOff continues to use finance- and event-themed phishing to target government and private sector organizations in Russia.
Chrome users are urged to update to the latest version to reduce risk. Endpoint protection, patch management, and phishing awareness training remain necessary.
CVE-2025-2783: A high-severity sandbox escape vulnerability in Google Chrome’s V8 JavaScript engine, exploited as a zero-day in this attack.
Trinper: A stealthy backdoor written in C++, used by the TaxOff group to steal files, monitor keystrokes, and control infected machines.
Infection vector: Victims received targeted phishing emails with links to malicious sites. The exploit was triggered by clicking the link, with no further user action required.