Tuesday, March 17, 2026

Hackers Actively Exploiting Google Chrome Zero-Day Vulnerability in the Wild

A sophisticated cyber attack campaign exploited a Google Chrome zero-day vulnerability in March 2025, and investigators have now linked the operation to a persistent threat actor group.

The Positive Technologies Expert Security Center analyzed the attack targeting the previously unknown vulnerability, tracked as CVE-2025-2783, which enabled attackers to escape Chrome’s sandbox protections and install backdoor malware on victim systems.

The attack campaign began with carefully crafted phishing emails disguised as invitations to legitimate conferences and forums.

In the March 2025 incident, victims received emails appearing to invite them to the Primakov Readings forum, containing malicious links that triggered the Chrome zero-day exploit upon clicking.

Security researchers discovered that the malicious link led to a fake website specifically designed to host the exploit code.

The attack methodology proved highly effective due to its one-click nature, requiring minimal user interaction beyond opening the email and clicking the embedded link.

Once triggered, the exploit successfully bypassed Chrome’s security measures and installed the Trinper backdoor on compromised systems.

This sophisticated approach demonstrates the threat actors’ understanding of social engineering tactics combined with advanced exploitation techniques.

Investigation revealed that similar attacks occurred as early as October 2024, with phishing campaigns disguising invitations to an international conference titled “Security of the Union State in the modern world”.

Decoy document used in the October 2024 attack

The consistency in attack patterns suggests a well-organized and persistent threat operation targeting specific demographics through conference-themed lures.

Google Chrome Zero-Day Vulnerability

Cybersecurity investigators have attributed the Chrome zero-day attacks to the TaxOff threat group, with compelling evidence suggesting this organization operates under multiple identities.

Technical analysis revealed striking similarities between TaxOff operations and previously identified Team46 activities, leading researchers to conclude they represent the same adversary.

The attribution relies on distinctive PowerShell command structures and scripting patterns observed across multiple attack campaigns.

Researchers compared TaxOff’s March 2025 command syntax with Team46’s historical operations, finding nearly identical obfuscation techniques and URL patterns.

Both groups employed similar naming conventions for decoy documents and utilized identical User-Agent strings when downloading malicious payloads.

Further evidence emerged from infrastructure analysis, revealing both groups used syntactically similar domain names designed to mimic legitimate services.

The threat actors consistently employed domains with hyphens and references to established technology companies, suggesting a coordinated effort to evade detection through trust exploitation.
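The lookalike-domain pattern described above lends itself to a simple proxy-log hunt; the following is an added example written for this article, not code from the Positive Technologies report, and its log format, brand tokens, allowlist and sample lines are all constructed assumptions.

```python
"""Flag hyphenated brand-lookalike domains in web-proxy logs.

Added illustration, not part of the original report: the article states the
actor favoured hyphenated domains that reference well-known technology
companies. Everything below (log format, brand list, allowlist, sample
lines) is assumed for demonstration and should be tailored per environment.
"""
import re
from urllib.parse import urlsplit

# Brand tokens to look for inside a hyphenated DNS label (assumed list).
BRAND_TOKENS = ("google", "microsoft", "cloudflare", "dropbox", "yandex")
# Registrable domains the brands legitimately own, including legitimate
# hyphenated ones, so they are never flagged (assumed, deliberately short).
ALLOWLIST = {"google.com", "google-analytics.com", "microsoft.com",
             "cloudflare.com", "dropbox.com", "yandex.ru"}

# Constructed log format: "<timestamp> <client-ip> <method> <url> <status>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) "
                    r"(?P<url>\S+) (?P<status>\d{3})$")


def registrable(host):
    """Naive registrable-domain extraction (last two labels)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_lookalike(host):
    """True if any label is hyphenated AND embeds a brand token, unless the
    registrable domain is explicitly allowlisted."""
    host = host.lower()
    if registrable(host) in ALLOWLIST:
        return False
    return any("-" in lab and any(t in lab for t in BRAND_TOKENS)
               for lab in host.split("."))


def find_lookalikes(lines):
    """Return (client_ip, host) pairs for log lines hitting lookalike hosts."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the hunt
        host = urlsplit(m["url"]).hostname
        if host and is_lookalike(host):
            hits.append((m["src"], host))
    return hits


# Constructed sample traffic: two lookalikes, three benign entries.
SAMPLE_LOG = [
    "2025-03-12T09:14:02Z 10.0.0.7 GET https://mail.google.com/inbox 200",
    "2025-03-12T09:14:09Z 10.0.0.7 GET https://google-update-services.example/dl 200",
    "2025-03-12T09:15:33Z 10.0.0.9 GET https://cdn.microsoft-cloud-sync.net/a.ps1 200",
    "2025-03-12T09:16:01Z 10.0.0.9 GET https://www.google-analytics.com/collect 200",
    "2025-03-12T09:17:45Z 10.0.0.12 GET https://internal-wiki.corp.local/page 200",
]

if __name__ == "__main__":
    for src, host in find_lookalikes(SAMPLE_LOG):
        print(f"{src} -> {host}")
```

The allowlist matters: legitimate hyphenated brand domains will otherwise surface as false positives, so seed it from your own passive-DNS or proxy baseline before running this at scale.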

Sophisticated Capabilities

According to the report, the Chrome zero-day attacks are attributed to the TaxOff threat group, with compelling evidence suggesting this organization operates under multiple identities.

The technical sophistication of the malware delivery system indicates a well-resourced threat actor with advanced development capabilities.

The Trinper backdoor loader employs multiple encryption layers, requiring specific system conditions for successful payload decryption.

These conditions include verification of the target process context and use of the victim’s firmware UUID as a decryption key.

Decryption of the first and second layers

The malware incorporates anti-debugging measures and environmental checks to prevent analysis in security research environments.

Investigators discovered the loader uses modified ChaCha20 encryption algorithms and BLAKE2 hashing functions, demonstrating custom cryptographic implementations designed to complicate reverse engineering efforts.

Security researchers also identified auxiliary reconnaissance tools developed by the threat actors, including utilities for file enumeration, process listing, and screenshot capture.

These .NET-based tools transmit collected data through named pipes, suggesting a comprehensive post-exploitation framework designed for extended system compromise and data collection.


Ethan Brooks
Ethan Brooks is a Senior cybersecurity journalist passionate about threat intelligence and data privacy. His work highlights cyber attacks, hacking, security culture, and cybercrime with The Cyber News.
