Team46
TaxOff, also tracked as Team46, is a threat actor that the cited reporting assesses as a single adversary cluster operating under both names. The group has targeted Russian organizations, including domestic government agencies and other Russian entities, through phishing-led intrusions. Reported lures included invitations to the Primakov Readings forum, the “Security of the Union State in the modern world” conference, and Rostelecom-themed maintenance notices.

The actor is linked to exploitation of the Google Chrome zero-day CVE-2025-2783 in March 2025 to deploy the Trinper backdoor. The campaign, referred to in the reporting as Operation ForumTroll, used phishing emails with links to fake websites hosting the exploit, enabling a Chrome sandbox escape and installation of Trinper; some reporting states that no user interaction was required beyond the initial click. The reporting also links Team46/TaxOff to earlier activity involving a Yandex Browser DLL hijacking zero-day, CVE-2024-6473.

Tradecraft described in the reporting includes phishing emails containing malicious links or ZIP archives with LNK files, PowerShell download-and-execute chains, use of decoy PDF documents, retrieval of payloads with the victim computer name passed as a query parameter, distinct User-Agent selection for decoy versus payload downloads, and DLL hijacking. In one October 2024 chain, the actor used rdpclip.exe with a replaced winsta.dll to load Trinper. The reporting also states that the actor has used loaders such as Donut and Cobalt Strike.

Trinper is described in the reporting as a C++ multithreaded backdoor associated with TaxOff. Reported capabilities include keystroke logging, host information collection, theft of targeted files including documents, command execution, reverse shell access, file read/write operations, directory changes, and self-termination. One reported C2 for Trinper was common-rdp-front.global.ssl.fastly.net.
The group was first documented in late 2024, according to the cited reporting, and is described as using legal, finance-themed, and geopolitical phishing themes. Positive Technologies is cited as finding evidence linking TaxOff and Team46, and multiple excerpts state that Team46 and TaxOff represent the same activity cluster or a single adversary.
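As an added detection sketch (not code from the page or from Mallory), the following flags two of the behaviours described above: winsta.dll loaded from outside the Windows system directories, or by an rdpclip.exe copy running outside them, over Sysmon-style image-load records; and payload requests that carry the requesting host's own computer name in the URL query string, over proxy records. All field names and sample records are constructed for illustration.

```python
"""Detection sketch for the rdpclip.exe / winsta.dll hijack chain and the
hostname-in-query-string payload retrieval described above.
Record layouts and sample data are constructed, not vendor schemas."""
from pathlib import PureWindowsPath
from urllib.parse import parse_qsl, urlsplit

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def _dir(path: str) -> str:
    return str(PureWindowsPath(path).parent).lower()


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def is_winsta_hijack(ev: dict) -> bool:
    """Flag winsta.dll loaded from a non-system directory, or loaded by an
    rdpclip.exe that itself runs outside the system directories
    (copied trusted binary placed next to a planted DLL)."""
    if _name(ev["ImageLoaded"]) != "winsta.dll":
        return False
    if _dir(ev["ImageLoaded"]) not in SYSTEM_DIRS:
        return True
    return _name(ev["Image"]) == "rdpclip.exe" and _dir(ev["Image"]) not in SYSTEM_DIRS


def leaks_hostname(rec: dict) -> bool:
    """Flag a request whose query string carries the requesting host's computer name."""
    host = rec["src_host"].lower()
    return any(v.lower() == host for _, v in parse_qsl(urlsplit(rec["url"]).query))


IMAGE_LOADS = [  # constructed Sysmon Event ID 7 style records
    {"Image": r"C:\Windows\System32\rdpclip.exe", "ImageLoaded": r"C:\Windows\System32\winsta.dll"},
    {"Image": r"C:\Users\Public\Libraries\rdpclip.exe", "ImageLoaded": r"C:\Users\Public\Libraries\winsta.dll"},
    {"Image": r"C:\Windows\System32\notepad.exe", "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
]
PROXY = [  # constructed web proxy records
    {"src_host": "WS-0417", "url": "https://example.invalid/update?id=WS-0417&v=2"},
    {"src_host": "WS-0417", "url": "https://example.invalid/news?id=42"},
]


def detect(image_loads: list, proxy: list) -> tuple:
    """Return (indices of suspicious image loads, indices of hostname-leaking requests)."""
    return ([i for i, e in enumerate(image_loads) if is_winsta_hijack(e)],
            [i for i, r in enumerate(proxy) if leaks_hostname(r)])


if __name__ == "__main__":
    print(detect(IMAGE_LOADS, PROXY))  # ([1], [0])
```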
Associated malware families
3 malware families attributed to this actor across reporting.
Associated vulnerabilities
2 CVEs this actor has used in observed campaigns, both exploited in the wild.
A Chrome zero-day (CVE-2025-2783) got some action in March when a threat actor named TaxOff used it to drop their Trinper backdoor.
...they previously exploited a Yandex Browser DLL hijacking vulnerability (CVE-2024-6473) in a rail freight industry attack.
Recent activity
10 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Exploited Chrome zero-day CVE-2025-2783 to deploy Trinper backdoor.
Exploited zero-day vulnerabilities in browsers to target Russian organizations with backdoors.
Runs phishing-led intrusion campaigns leveraging a Chrome sandbox-escape zero-day to deploy the Trinper backdoor for stealthy persistence, data theft, and remote command execution; uses finance-themed and geopolitical lures and an operation dubbed “ForumTroll.”
Cluster targeting Russian victims with TTPs similar to TaxOff, including willingness to use/burn zero-days; potentially the same actor as TaxOff per analyst assessment in the text.