Chrome zero-day (CVE-2025-2783) exploited to plant ‘Trinper’ back-door

A critical bug in Google Chrome, now fixed, was weaponised earlier this year by a little-known threat group called TaxOff. The flaw, tracked as CVE-2025-2783, allowed attackers to break out of Chrome’s sandbox and install a bespoke back-door dubbed Trinper.

A slick phishing hook

Victims first received an email posing as an invitation to the Primakov Readings, a well-regarded policy forum. One click on the link whisked the user to a booby-trapped page that silently exploited the browser and pulled in Trinper.

Who are TaxOff?

Russian researchers at Positive Technologies have tracked TaxOff since late 2024. The group favours legal- and finance-themed lures and routinely reaches for brand-new vulnerabilities, suggesting solid resources and a clear espionage brief. Some techniques mirror another actor, Team46, fuelling speculation they are one and the same.

Inside the Trinper malware

Written in C++, Trinper runs multiple threads to:

record keystrokes and device details

hoover up Office and PDF files

open a reverse shell and run system commands

fetch extra payloads from a command-and-control (C2) server

This parallel design helps it stay hidden while exfiltrating data and executing orders.

Earlier clues and quick patching

An October 2024 campaign used a similar phishing route but relied on a PowerShell loader, while a March 2024 attack chain exploited a separate Yandex Browser zero-day. Google patched CVE-2025-2783 within weeks of disclosure; updating Chrome blocks the exploit.

Staying safe

Keep Chrome and other browsers fully up to date.

Treat unsolicited event invitations with caution.

Use endpoint protection that blocks known C2 traffic.

Enable multi-factor authentication to limit account takeover after a breach.