Chrome zero-day (CVE-2025-2783) exploited to plant ‘Trinper’ back-door
A critical bug in Google Chrome, now fixed, was weaponised earlier this year by a little-known threat group called TaxOff. The flaw, tracked as CVE-2025-2783, allowed attackers to break out of Chrome’s sandbox and install a bespoke back-door dubbed Trinper.
A slick phishing hook
Victims first received an email posing as an invitation to the Primakov Readings, a well-regarded policy forum. One click on the link whisked the user to a booby-trapped page that silently exploited the browser and pulled in Trinper.
Who are TaxOff?
Russian researchers at Positive Technologies have tracked TaxOff since late 2024. The group favours legal- and finance-themed lures and routinely reaches for brand-new vulnerabilities, suggesting solid resources and a clear espionage brief. Some techniques mirror another actor, Team46, fuelling speculation they are one and the same.
Inside the Trinper malware
Written in C++, Trinper runs multiple threads to:
record keystrokes and device details
hoover up Office and PDF files
open a reverse shell and run system commands
fetch extra payloads from a command-and-control (C2) server
This parallel design helps it stay hidden while exfiltrating data and executing orders.
Earlier clues and quick patching
An October 2024 campaign used a similar phishing route but relied on a PowerShell loader, while a March 2024 attack chain exploited a separate Yandex Browser zero-day. Google patched CVE-2025-2783 within weeks of disclosure; updating Chrome blocks the exploit.
Staying safe
Keep Chrome and other browsers fully up to date.
Treat unsolicited event invitations with caution.
Use endpoint protection that blocks known C2 traffic.
Enable multi-factor authentication to limit account takeover after a breach.
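Because the article's practical defence is simply "update Chrome", here is a small fleet check, added as an example and not part of the original article or of any vendor tooling. It parses the version strings that `google-chrome --version` or the chrome://version page produce and reports hosts still below the fixed build. The article does not state which Chrome build carries the CVE-2025-2783 fix, so MIN_PATCHED_VERSION is a placeholder to fill in from Google's release notes; the host names and versions in SAMPLE_INVENTORY are constructed for the demo.

```python
"""Flag Chrome installs that are below the build that fixes CVE-2025-2783.

Added example, not from the original article. MIN_PATCHED_VERSION is a
placeholder: the article does not give the fixed build number, so set it
from Google's release notes before running this against real hosts.
"""
import re
from typing import Iterable, List, Tuple

# PLACEHOLDER: replace with the first Chrome build that contains the fix.
MIN_PATCHED_VERSION = "0.0.0.0"

# Dotted version with two to four numeric components, e.g. 134.0.6998.89
_VERSION_RE = re.compile(r"(\d+(?:\.\d+){1,3})")


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract a dotted Chrome version from text such as
    'Google Chrome 134.0.6998.89' and return it as a tuple of ints so that
    tuples compare numerically (134 > 99, unlike string comparison).
    Shorter versions are padded with zeros to four components."""
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no version found in {text!r}")
    parts = [int(p) for p in match.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def is_patched(version_text: str, min_patched: str = MIN_PATCHED_VERSION) -> bool:
    """True if the installed build is at or above the fixed build."""
    return parse_version(version_text) >= parse_version(min_patched)


def find_unpatched(inventory: Iterable[Tuple[str, str]],
                   min_patched: str = MIN_PATCHED_VERSION) -> List[str]:
    """inventory: (host, version_text) pairs, e.g. collected from an
    endpoint agent. Returns the hosts whose Chrome is below the fix."""
    return sorted(host for host, ver in inventory if not is_patched(ver, min_patched))


# Constructed sample inventory for the demo (not real hosts or real fleet data)
SAMPLE_INVENTORY = [
    ("ws-01", "Google Chrome 134.0.6998.89"),
    ("ws-02", "Google Chrome 135.0.7049.52"),
    ("ws-03", "Google Chrome 133.0.6943.141"),
]

if __name__ == "__main__":
    # DEMO_THRESHOLD is a constructed value for illustration only; it is
    # not the real fixed build. Use MIN_PATCHED_VERSION in production.
    DEMO_THRESHOLD = "134.0.0.0"
    for host in find_unpatched(SAMPLE_INVENTORY, DEMO_THRESHOLD):
        print(f"{host}: Chrome below fixed build, update required")
```

Comparing versions as integer tuples rather than strings matters here: a plain string comparison would rank "99.0.0.0" above "134.0.0.0" and silently mark old installs as safe.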