TaxOff: um, you’ve got a backdoor…


In Q3 2024, the Positive Technologies Expert Security Center (PT ESC) TI Department discovered a series of attacks on Russian government agencies.

PT ESC researchers were unable to establish any connection with known groups using the same techniques. The main goal was espionage and gaining a foothold to follow through on further attacks. They dubbed the group TaxOff because of their legal and finance-related phishing emails leading to a backdoor written in at least C++17, which the researchers named Trinper after the artefact used to communicate with C2. Initial infection vector TaxOff uses phishing emails.

Read more…
Source: Positive Technologies Expert Security Center 


Sign up for our Newsletter


Related:

  • CVE-2025-0411: Ukrainian Organizations Targeted in Zero-Day Campaign and Homoglyph Attacks

    February 4, 2025

    In September, 2024 the Zero Day Initiative (ZDI) Threat Hunting team identified the exploitation of a 7-Zip zero-day vulnerability used in a SmokeLoader malware campaign targeting Ukrainian entities. The vulnerability, CVE-2025-0411, was disclosed to 7-Zip creator Igor Pavlov, leading to the release of a patch in version 24.09 on November 30, 2024. CVE-2025-0411 allows the bypassing ...

  • Funksec Ransomware Teams Up with Another Ransomware Group to Double Down on Targets

    February 3, 2025

    FunkSec is a relatively new but highly active ransomware group that, as of this writing, has targeted several dozen victims across industries like government, banking, communications, and education. In a recent blog post, the group announced a partnership with another ransomware outfit, FSociety, aiming to carry out attacks more efficiently. This week, SonicWall Capture Labs research ...

  • Malicious packages deepseeek and deepseekai published in Python Package Index

    February 2, 2025

    As part of their research and monitoring efforts, the Supply Chain Security team of the Threat Intelligence department of the Positive Technologies Expert Security Center (PT ESC) detected and prevented a malicious campaign in the Python Package Index (PyPI) package repository. The attack targeted developers, ML engineers, and ordinary AI enthusiasts who might be interested in ...

  • Potential Backdoor Embedded in Contec Health CMS8000 Patient Monitor Firmware

    January 31, 2025

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published a medical product advisory for the Contec Health CMS8000 Patient Monitor to address one critical and two high severity vulnerabilities. The Contec CMS8000 is a patient monitor used to display real-time information such as the vital signs of a patient, including temperature, heartbeat, and blood pressure. ...

  • TeamViewer Releases Security Updates for Privilege Escalation Vulnerability

    January 31, 2025

    TeamViewer has released a security advisory addressing a new vulnerability within the TeamViewer Remote Windows Clients. TeamViewer is a popular remote access and control software. CVE-2025-0065 is an ‘improper neutralization of argument delimiters in a command’ vulnerability with a CVSSv3 score of 7.8. An unprivileged attacker with local Windows access could use this flaw to elevate ...

  • One policy to rule them all

    January 31, 2025

    Windows group policies are a powerful management tool that allows administrators to define and control user and computer settings within a domain environment in a centralized manner. While group policies offer functionality and utility, they are unfortunately a prime target for attackers. In particular, attackers are increasingly using group policies to distribute malware, execute hidden scripts ...