
The security flaw recently patched in Google Chrome was exploited as a zero-day by a threat actor to deploy a backdoor codenamed Trinper.
The attack, observed by Positive Technologies in mid-March 2025, involved the use of a sandbox escape vulnerability tracked as CVE-2025-2783 (CVSS score: 8.3).
Google addressed the flaw later that month, after Kaspersky reported its exploitation in a campaign, dubbed Operation ForumTroll, targeting various Russian organizations.
“The initial attack vector was a phishing email containing a malicious link,” said security researchers Stanislav Pyzhov and Vladislav Lunin. “When the victim clicked on the link, it triggered a one-click exploit (CVE-2025-2783), establishing TaxOff's Trinper backdoor.”
The phishing email is said to have been disguised as an invitation to the Primakov Readings forum – the same lure noted by Kaspersky – urging users to click on a link that hosted the exploit on a fake website.
TaxOff is the name assigned to a hacking group that was first documented by the Russian cybersecurity company as targeting domestic government agencies using legal- and finance-related phishing emails.
Written in C++, the Trinper backdoor uses multithreading to capture host information, record keystrokes, and collect files matching specific extensions (.DOC, .XLS, .PPT, .RTF, and .PDF).
Command-and-control (C2) instructions sent from the server expand the implant's functionality, allowing it to read/write files, run commands using cmd.exe, launch a reverse shell, change directory, and terminate itself.
“It provides a high level of equality to hide the backdoor while maintaining the ability to collect and exfiltrate data, install additional modules and maintain communication with C2,” Lunin said at the time.
Positive Technologies said its investigation in mid-March 2025 uncovered another attack, dating back to October 2024, that began with a phishing email carrying an invitation to an international conference called “Security of the Union State in the modern world”.
The email contained a link that downloaded a ZIP archive holding a Windows shortcut, which in turn launched a PowerShell command that ultimately served a decoy document while a loader launched the Trinper backdoor through the open-source Donut loader. A variation of the attack swaps the Donut loader for Cobalt Strike.
According to the company, the attack chain shares several tactical similarities with another hacking group tracked as Team46, raising the possibility that the two threat activity clusters are one and the same.
Interestingly, a month before that attack, Team46 is claimed to have targeted the Moscow-based telecom operator Rostelecom with a set of phishing emails alerting recipients to alleged maintenance work.
These emails included a ZIP archive embedding a shortcut, which launched a PowerShell command to deploy a loader previously used to distribute another backdoor in a targeted attack on an unnamed Russian company in the railway freight industry.
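The chain described in both of these intrusions (emailed ZIP archive, Windows shortcut, PowerShell command, loader) leaves a recognisable trace in endpoint telemetry: PowerShell started by the shell from a temp or extraction folder with stager-style switches. The following is an added example, not code from the article or from Positive Technologies, of a small scorer over Sysmon-style process-creation events. The field names, the extraction-directory patterns, the suspicious-token list and the sample events are all assumptions constructed for the example.

```python
import re
from pathlib import PureWindowsPath

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# Directories where a shortcut extracted from an emailed ZIP typically
# ends up (an assumption for this example, not taken from the article).
EXTRACTION_DIRS = re.compile(
    r"\\(?:Temp\d*|AppData\\Local\\Temp|Downloads)(?:\\|$)", re.I)

# PowerShell switches and cmdlets that commonly appear in shortcut-launched
# stagers: hidden window, no profile, encoded command, in-memory download.
SUSPICIOUS_TOKENS = re.compile(
    r"(?<!\w)(?:-enc\w*|-w(?:indowstyle)?\s+hidden|-nop\w*|iex|"
    r"downloadstring|invoke-webrequest)(?!\w)", re.I)


def score_event(event):
    """Return (score, reasons) for one process-creation event.

    Only PowerShell launches are scored; each matching indicator adds one
    point, so a benign interactive PowerShell session scores 0.
    """
    reasons = []
    image = PureWindowsPath(event.get("Image", "")).name.lower()
    parent = PureWindowsPath(event.get("ParentImage", "")).name.lower()
    if image not in POWERSHELL_IMAGES:
        return 0, reasons
    # A double-clicked .lnk is run by the shell, so PowerShell shows up as a
    # child of explorer.exe rather than of a console, an IDE or a scheduler.
    if parent == "explorer.exe":
        reasons.append("powershell spawned by explorer.exe (shortcut launch)")
    if EXTRACTION_DIRS.search(event.get("CurrentDirectory", "")):
        reasons.append("working directory is a temp/extraction folder")
    for m in SUSPICIOUS_TOKENS.finditer(event.get("CommandLine", "")):
        reasons.append(f"suspicious token: {m.group(0)}")
    return len(reasons), reasons


def find_suspicious(events, min_score=2):
    """Indexes of events whose score reaches min_score."""
    return [i for i, ev in enumerate(events) if score_event(ev)[0] >= min_score]


# Constructed sample telemetry (not real captures): a benign admin session,
# a shortcut-launched hidden encoded stager, and a borderline scripted run.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CurrentDirectory": r"C:\Users\admin",
     "CommandLine": "powershell.exe Get-Process | Sort-Object CPU"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CurrentDirectory": r"C:\Users\ivan\AppData\Local\Temp\Temp1_invitation.zip",
     "CommandLine": "powershell.exe -w hidden -nop -enc "
                    "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CurrentDirectory": r"C:\Users\ivan\Documents",
     "CommandLine": r"powershell.exe -File .\backup.ps1"},
]

if __name__ == "__main__":
    for idx in find_suspicious(SAMPLE_EVENTS):
        score, reasons = score_event(SAMPLE_EVENTS[idx])
        print(f"event {idx}: score {score}")
        for r in reasons:
            print("  -", r)
```

The threshold of two indicators is deliberate: explorer.exe launching PowerShell on its own is common for legitimate shortcuts, and a temp working directory on its own is common for installers, but the combination with hidden-window or encoded-command switches is what the shortcut-to-stager pattern produces. Feed it real Sysmon event-ID 1 records (mapped to the same three fields) to tune the token list against your own baseline.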
The March 2024 infiltration, detailed by Doctor Web, is notable for the fact that one of the payloads weaponized a DLL hijacking vulnerability in Yandex Browser (CVE-2024-6473, CVSS score: 8.4) as a zero-day to download and execute unwanted malware. It was resolved in version 24.7.1.380, released in September 2024.
“This group takes advantage of zero-day exploits, which enables it to penetrate secure infrastructure more effectively,” the researchers said. “The group also creates and uses sophisticated malware, meaning it has a long-term strategy and intends to maintain persistence on compromised systems for an extended period.”