
Trinper Backdoor Abused Chrome Zero-Day in Espionage Campaign

TaxOff Group Exploited Chrome Flaw Before Patch Rolled Out

Summary

– **Critical Chrome zero-day (CVE-2025-2783)** exploited by threat actor TaxOff to deploy Trinper malware in targeted cyber-espionage attacks.
– **Phishing emails with malicious ZIP archives** delivered an HTML Application (.hta) that executed a JavaScript chain, ultimately installing Trinper.
– **Trinper is a modular backdoor** with capabilities like clipboard theft, system enumeration, and HTTPS communication with attacker-controlled servers.
– **The flaw was a type confusion vulnerability** in Chrome’s V8 JavaScript engine, patched in version 134.0.6998.177 on March 26, 2025.
– **Kaspersky linked the campaign to state-sponsored actors**, noting tightly scoped infections targeting government and diplomatic networks.

A critical Chrome zero-day, tracked as CVE-2025-2783, was exploited in the wild earlier this year by a threat actor known as TaxOff. Their objective: deploy a custom malware backdoor called Trinper, now linked to targeted cyber-espionage operations across government and diplomatic networks.

First uncovered by researchers at Kaspersky, the campaign began with phishing emails laced with links to ZIP archives. These archives contained an HTML Application (.hta) that launched a malicious JavaScript chain. The final payload? Trinper, a stealthy, modular backdoor with capabilities ranging from clipboard theft to full system enumeration.

The flaw at the center of the operation was a type confusion vulnerability in Chrome’s V8 JavaScript engine, allowing for remote code execution. According to Google’s security bulletin, the bug affected all versions prior to 134.0.6998.177 and was patched as part of a routine update on March 26, 2025, weeks after attacks were already underway.

Kaspersky confirmed that TaxOff leveraged the exploit before the patch was available, qualifying this as a zero-day scenario.

A Quiet Backdoor with a Multipurpose Toolkit

What makes Trinper especially notable is its layered design. It doesn’t just install and hide; it adapts. The malware executes reconnaissance tasks, targets clipboard data (including potential cryptocurrency addresses), and communicates over HTTPS with attacker-controlled servers. Analysts believe the group behind it is state-sponsored or aligned with strategic intelligence gathering.

Kaspersky’s reverse engineering revealed:

  • A PowerShell loader obfuscated via base64.
  • A Trinper DLL dropped via DLL search order hijacking.
  • Command-and-control capabilities allowing remote shell access and data exfiltration.
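The base64-obfuscated PowerShell loader in that list is the one link in the chain a defender can usually see in process-creation telemetry. The following detection logic is an added example written for this article, not Kaspersky's detection code: it scans constructed process-creation log lines (the key=value layout, hostnames and command lines are all made up here) for a PowerShell command line that carries a base64 blob, either through the `-EncodedCommand` switch or an inline `FromBase64String(...)` literal, and decodes the blob so an analyst sees the script rather than the wrapper.

```python
"""Flag PowerShell command lines that carry a base64-encoded script.
Added detection example for this page; the log lines are constructed."""

import base64
import re
from typing import Optional

# powershell.exe accepts any unambiguous prefix of -EncodedCommand
# (-e, -enc, -encodedc ...).  Match "-e<letters> <base64>" and confirm
# below that the letters are a prefix of the full switch name, so that
# -ExecutionPolicy (which also starts with -e) is not a false positive.
_SWITCH = re.compile(r"(?:^|\s)-(e[a-z]*)\s+([A-Za-z0-9+/=]{16,})", re.I)
# A base64 literal decoded inside a -Command string.
_INLINE = re.compile(
    r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]{16,})['\"]\s*\)", re.I
)


def decode_blob(blob: str) -> Optional[str]:
    """Decode a blob the way PowerShell would.  -EncodedCommand is always
    UTF-16LE; inline payloads may be UTF-8.  ASCII text in UTF-16LE has a
    zero byte in every odd position, which is the heuristic used here.
    Returns None when the blob is not valid base64."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:
        return None
    utf16_like = len(raw) % 2 == 0 and raw[1::2].count(0) > len(raw) // 4
    try:
        return raw.decode("utf-16-le" if utf16_like else "utf-8")
    except UnicodeDecodeError:
        return None


def scan_line(line: str) -> Optional[dict]:
    """Return a finding for one process-creation line, or None."""
    if "powershell" not in line.lower():
        return None
    for m in _SWITCH.finditer(line):
        if "encodedcommand".startswith(m.group(1).lower()):
            decoded = decode_blob(m.group(2))
            if decoded is not None:
                return {"technique": "-EncodedCommand", "decoded": decoded}
    m = _INLINE.search(line)
    if m:
        decoded = decode_blob(m.group(1))
        if decoded is not None:
            return {"technique": "FromBase64String", "decoded": decoded}
    return None


def scan(lines) -> list:
    """Scan every line and attach the host field to each finding."""
    findings = []
    for line in lines:
        finding = scan_line(line)
        if finding:
            host = re.search(r"host=(\S+)", line)
            finding["host"] = host.group(1) if host else "?"
            findings.append(finding)
    return findings


# Constructed sample: a benign script encoded the way -EncodedCommand expects.
_B64 = base64.b64encode("Write-Host 'inventory check'".encode("utf-16-le")).decode("ascii")
SAMPLE_LOG = [
    f'host=ws-11 parent=mshta.exe image=powershell.exe cmdline="powershell.exe -NoProfile -w hidden -enc {_B64}"',
    'host=ws-12 parent=explorer.exe image=powershell.exe cmdline="powershell.exe -ExecutionPolicy RemoteSigned -File C:\\scripts\\backup.ps1"',
    f"host=ws-13 parent=winword.exe image=powershell.exe cmdline=\"powershell.exe -c [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('{_B64}'))\"",
    'host=ws-14 parent=explorer.exe image=notepad.exe cmdline="notepad.exe report.txt"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['host']}: {f['technique']} -> {f['decoded']!r}")
```

The decoded text, not the presence of base64, is what an analyst should triage: plenty of legitimate automation encodes commands, and the `host=ws-12` line shows why the prefix check matters, since `-ExecutionPolicy` would otherwise trip a naive `-e` match.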

This is not a mass campaign. Based on telemetry, infections were tightly scoped, and the lure documents appeared tailored for government and political targets. The infrastructure, too, was quiet: low-traffic domains registered weeks in advance, with limited operational use.

“We’re seeing a disciplined adversary with focused targets,” said Igor Kuznetsov, principal researcher at Kaspersky. “They didn’t want noise. They wanted access.”

Chrome Updated, But the Exposure Remains

The Chrome team quietly patched CVE-2025-2783 in version 134.0.6998.177, released on March 26, without disclosing technical details immediately, a common practice for zero-days. Other Chromium-based browsers (including Microsoft Edge and Brave) issued similar patches in early April.

The vulnerability has now been added to CISA’s Known Exploited Vulnerabilities catalog, placing pressure on organizations to urgently verify browser versions across fleets. Enterprises that delay patching may still be vulnerable if the binary was downgraded or frozen for compatibility reasons.
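Verifying browser versions across a fleet sounds trivial until version strings are compared as text: "134.0.6998.9" sorts after "134.0.6998.177" lexically, so a host that is still exposed would be reported as patched. The script below is an added example, not tooling from Google, Kaspersky or CISA; it compares each inventory entry numerically against the fixed build named in the article (134.0.6998.177) and buckets hosts for follow-up. The inventory rows, hostnames and the newer version numbers are constructed sample data, and the inventory is assumed to already be collected (from an endpoint agent, a login script, or similar) into the simple list shown.

```python
"""Triage a Chrome inventory against the CVE-2025-2783 fix version.
Added example for this page; the inventory below is constructed."""

from dataclasses import dataclass
from typing import Optional

# Fixed build stated in Google's bulletin as quoted in the article.
FIXED_VERSION = "134.0.6998.177"


def parse_version(text: str) -> tuple:
    """Turn '134.0.6998.177' into (134, 0, 6998, 177) so comparison is
    numeric rather than lexical.  Anything that is not four dotted
    integers is rejected so a truncated inventory field cannot be
    silently treated as patched or vulnerable."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Chrome version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str) -> bool:
    """True when the reported build predates the fix for CVE-2025-2783."""
    return parse_version(version) < parse_version(FIXED_VERSION)


@dataclass(frozen=True)
class HostReport:
    hostname: str
    chrome_version: Optional[str]  # None when Chrome is not installed


def triage(reports) -> dict:
    """Bucket hosts into vulnerable / patched / no_chrome / unparseable.
    'unparseable' hosts need a fresh inventory run, not a guess."""
    buckets = {"vulnerable": [], "patched": [], "no_chrome": [], "unparseable": []}
    for r in reports:
        if r.chrome_version is None:
            buckets["no_chrome"].append(r.hostname)
            continue
        try:
            key = "vulnerable" if is_vulnerable(r.chrome_version) else "patched"
        except ValueError:
            key = "unparseable"
        buckets[key].append(r.hostname)
    return buckets


# Constructed inventory; hostnames and the non-page version numbers are made up.
SAMPLE_INVENTORY = [
    HostReport("ws-01", "134.0.6998.177"),  # exactly the fixed build
    HostReport("ws-02", "134.0.6998.9"),    # a string compare would call this patched
    HostReport("ws-03", "135.0.7049.84"),   # later release (constructed number)
    HostReport("ws-04", "133.0.6943.141"),  # frozen for compatibility (constructed)
    HostReport("ws-05", None),              # Chrome not installed
    HostReport("ws-06", "134.0"),           # truncated inventory field
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:12s} {', '.join(hosts) or '-'}")
```

Hosts in the "unparseable" bucket are worth as much attention as the vulnerable ones: a frozen or downgraded binary of the kind the article warns about often shows up first as an inventory field that no longer looks like a current Chrome version.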

More importantly, Trinper’s emergence reflects a shift: threat actors are going beyond single-use exploits, embedding persistent malware in workflows once considered safe. The browser has become both the entry point and the attack surface.


The Wiz

Wiz Consults, home of the Internet is led by "the twins", Wajdi & Karim, experienced professionals who are passionate about helping businesses succeed in the digital world. With over 20 years of experience in the industry, they specialize in digital publishing and marketing, and have a proven track record of delivering results for their clients.