Major Investigation Reveals Links Between Sophisticated Cybercrime Groups Team46 and TaxOff

CyberSecureFox 🦊

A groundbreaking investigation by Positive Technologies has uncovered compelling evidence linking two notorious advanced persistent threat (APT) groups, Team46 and TaxOff, suggesting they may be operating as a single sophisticated cyber operation. The research provides detailed technical analysis of their attack patterns, infrastructure, and malware deployment methods.

Zero-Day Chrome Vulnerability Exploitation Unveils Complex Attack Pattern

The investigation stemmed from a March 2025 incident involving the exploitation of a zero-day vulnerability (CVE-2025-2783) in Google Chrome. Initially detected by Kaspersky Lab, further analysis by Positive Technologies attributed the attack to TaxOff based on distinctive technical indicators and attack methodologies.

Shared Technical Infrastructure and Attack Methodologies

Researchers identified multiple overlapping characteristics between both groups’ operations, including identical phishing techniques and the deployment of specialized tools such as PowerShell scripts and the Trinper loader malware. The investigation revealed shared infrastructure elements, particularly domain names disguised as legitimate services, establishing a clear operational connection between the groups.

Advanced Technical Indicators and Attack Specifics

The analysis uncovered sophisticated attack patterns, including the use of distinct User-Agent strings (an Edge browser User-Agent when fetching decoy documents and a Yandex Browser User-Agent when fetching malicious payloads) and the transmission of the victim's computer name through URL query parameters. A significant technical finding involved several DLL hijacking techniques, specifically targeting a vulnerability in Yandex Browser (CVE-2024-6473) and the Windows system component rdpclip.exe.
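The User-Agent and query-parameter indicators described above are the kind of thing a defender can hunt for in web proxy logs. The following is an added example written for this page, not code from Positive Technologies or from the report: it parses a small set of constructed proxy log lines (the log format, the `.invalid` domains, the asset inventory and the `id` parameter name are all assumptions, since the article does not give the real parameter names or domains), classifies requests by browser User-Agent family, flags query-parameter values that look like Windows computer names (and especially ones that match the organisation's own asset inventory), and correlates a decoy-document fetch with a hostname-bearing request from the same client.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed asset inventory (hostnames this organisation actually owns).
INVENTORY = {"WS-FIN-042", "DC01", "LAPTOP-7Q3"}

# Constructed sample proxy log lines (not from the report). Assumed format:
# <timestamp> <client_ip> "<method> <url>" <status> "<user-agent>"
SAMPLE_LOG = """\
2025-03-20T09:14:02Z 10.0.5.23 "GET https://docs.lookalike-decoy.invalid/invitation.docx" 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Edg/122.0.0.0"
2025-03-20T09:14:09Z 10.0.5.23 "GET https://update.lookalike-decoy.invalid/check?id=WS-FIN-042&v=1" 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 YaBrowser/24.1.0.0 Safari/537.36"
2025-03-20T09:15:44Z 10.0.5.40 "GET https://www.example.com/search?q=quarterly+report" 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36"
2025-03-20T09:16:10Z 10.0.5.51 "GET https://cdn.example-service.invalid/app.js?ver=2024" 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 YaBrowser/24.1.0.0 Safari/537.36"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) "(?P<method>[A-Z]+) (?P<url>\S+)" '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)
# Windows computer names: at most 15 chars of letters, digits and hyphens.
# Requiring at least one letter cuts noise from numeric parameters (version, ids).
NETBIOS_RE = re.compile(r"^(?=.*[A-Z])[A-Z0-9-]{1,15}$")
DOC_EXT = (".docx", ".doc", ".pdf", ".xlsx", ".rtf")


def ua_family(ua: str) -> str:
    """Chromium-based Edge advertises 'Edg/', Yandex Browser 'YaBrowser/'."""
    if "YaBrowser/" in ua:
        return "yandex"
    if "Edg/" in ua:
        return "edge"
    return "other"


def parse_line(line: str):
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def hostname_params(url: str, inventory):
    """Query parameters whose value looks like a Windows computer name.

    Returns (param_name, value, value_is_in_inventory) tuples."""
    hits = []
    for name, values in parse_qs(urlparse(url).query).items():
        for value in values:
            upper = value.upper()
            if NETBIOS_RE.match(upper):
                hits.append((name, value, upper in inventory))
    return hits


def classify(rec, inventory):
    """Return (severity, reason) for one parsed log record, or None."""
    family = ua_family(rec["ua"])
    if family == "yandex":
        hits = hostname_params(rec["url"], inventory)
        if any(known for _, _, known in hits):
            return "high", "Yandex Browser UA sending an inventory hostname in the query string"
        if hits:
            return "medium", "Yandex Browser UA sending a hostname-like query value"
    elif family == "edge" and urlparse(rec["url"]).path.lower().endswith(DOC_EXT):
        return "low", "Edge UA fetching a document (possible decoy); context only"
    return None


def scan(log_text: str, inventory=INVENTORY):
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparsable line; a real pipeline would count these
        verdict = classify(rec, inventory)
        if verdict:
            findings.append({"ts": rec["ts"], "client": rec["client"],
                             "url": rec["url"], "severity": verdict[0],
                             "reason": verdict[1]})
    return findings


def correlate(findings):
    """Clients that show both a decoy-document fetch and a hostname-bearing request."""
    by_client = {}
    for f in findings:
        by_client.setdefault(f["client"], set()).add(f["severity"])
    return {c for c, sev in by_client.items()
            if "low" in sev and sev & {"high", "medium"}}


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for f in results:
        print(f'{f["ts"]} {f["client"]} [{f["severity"]}] {f["reason"]}: {f["url"]}')
    print("clients with correlated decoy + beacon activity:", correlate(results))
```

The inventory match is what turns a noisy heuristic (any short alphanumeric value) into a high-confidence signal: an outbound request that carries one of your own computer names is unusual regardless of which domain it goes to, and it survives the attackers changing their infrastructure.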

Sophisticated Malware Targeting Mechanisms

The investigation revealed highly sophisticated malware with unique execution requirements, designed to operate only on specifically targeted systems. The malware's decryption key is derived from parameters of the intended victim's system, so the payload cannot be decrypted, and therefore cannot run or be readily analysed, on any other machine. This demonstrates an advanced level of targeting capability and technical expertise in the attackers' arsenal.

This revelation of connections between Team46 and TaxOff represents a significant development in understanding the evolving landscape of advanced cyber threats. The sophisticated techniques employed, including zero-day exploitation and complex malware delivery mechanisms, highlight the growing challenges in cybersecurity defense and the critical importance of continuous security monitoring and threat intelligence sharing. Organizations are advised to strengthen their security postures by implementing robust detection mechanisms and maintaining up-to-date security patches across all systems.
