Trinper
Trinper is a backdoor associated with the TaxOff threat actor, with reporting also linking TaxOff and Team46 as likely the same activity cluster. It was deployed in campaigns targeting Russian organizations, including government and critical infrastructure entities, and was observed in attacks from at least October 2024 through March 2025.

A prominent delivery chain used phishing emails themed as invitations to high-profile events such as the Primakov Readings forum, leading victims to malicious sites that exploited the Google Chrome zero-day CVE-2025-2783 to install Trinper without further user interaction. Earlier campaigns also used ZIP/LNK-to-PowerShell infection chains and DLL hijacking, including abuse of rdpclip.exe by replacing winsta.dll, which served as a loader for the Trinper backdoor.

Trinper is described as a multithreaded C++ backdoor capable of capturing host information, logging keystrokes, collecting targeted files including .doc, .xls, .ppt, .rtf, and .pdf, and communicating with a command-and-control server for tasking. Reported operator commands include reading and writing files, executing commands, launching a reverse shell, changing directories, extending capabilities, and self-termination. Open-source loaders such as Donut and Cobalt Strike were also reported in related intrusion chains. A reported C2 associated with Trinper is common-rdp-front.global.ssl.fastly.net.
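The two hunt seeds above (rdpclip.exe loading a replaced winsta.dll, and the reported C2 hostname) can be turned into a simple telemetry check. The following is an added example written for this page, not code from Mallory or from any Trinper report; the image-load and DNS records, host names and file paths are constructed, and only the hostname comes from the page.

```python
import ntpath

# Reported Trinper C2 hostname from the page text; a CDN-fronted name, so
# only this exact host (or a subdomain of it) is matched, not fastly.net.
TRINPER_C2 = "common-rdp-front.global.ssl.fastly.net"
# Directories where the OS copy of winsta.dll legitimately lives.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

def suspicious_winsta_load(process_path: str, dll_path: str) -> bool:
    """True when rdpclip.exe loads a winsta.dll that is not the OS copy.
    A legitimate rdpclip.exe resolves winsta.dll from the system directory;
    a copy elsewhere matches the DLL-hijacking loader chain described above."""
    if ntpath.basename(process_path).lower() != "rdpclip.exe":
        return False
    if ntpath.basename(dll_path).lower() != "winsta.dll":
        return False
    return ntpath.dirname(dll_path).lower().rstrip("\\") not in SYSTEM_DIRS

def c2_domain_match(query: str) -> bool:
    """Case-insensitive exact or subdomain match of the reported C2 hostname."""
    q = query.lower().rstrip(".")
    return q == TRINPER_C2 or q.endswith("." + TRINPER_C2)

def hunt(image_loads, dns_queries):
    """Return (host, reason) findings for (host, process, dll) and (host, qname) tuples."""
    findings = []
    for host, proc, dll in image_loads:
        if suspicious_winsta_load(proc, dll):
            findings.append((host, f"rdpclip.exe loaded non-system winsta.dll: {dll}"))
    for host, qname in dns_queries:
        if c2_domain_match(qname):
            findings.append((host, f"DNS query for reported Trinper C2: {qname}"))
    return findings

# Constructed sample telemetry (hypothetical hosts and paths, not real IoCs).
SAMPLE_LOADS = [
    ("WS01", r"C:\Windows\System32\rdpclip.exe", r"C:\Windows\System32\winsta.dll"),
    ("WS02", r"C:\Users\Public\rdpclip.exe", r"C:\Users\Public\winsta.dll"),
]
SAMPLE_DNS = [
    ("WS02", "common-rdp-front.global.ssl.fastly.net"),
    ("WS03", "cdn.example.com"),
]

if __name__ == "__main__":
    for host, reason in hunt(SAMPLE_LOADS, SAMPLE_DNS):
        print(host, reason)
```

A hit on the winsta.dll rule is a stronger signal than the DNS match alone, since a relocated rdpclip.exe has no legitimate reason to load winsta.dll from a user-writable directory.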
Vulnerabilities exploited
2 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
A recently-patched Google Chrome flaw was exploited in March by a threat actor known as TaxOff... exploited a sandbox escape flaw (CVE-2025-2783) to bypass Chrome’s defenses... | A recently-patched Google Chrome flaw was exploited in March by a threat actor known as TaxOff, who used it to slip a stealthy backdoor called “Trinper” onto targeted systems.
"A Chrome zero-day (CVE-2025-2783) got some action in March when a threat actor named TaxOff used it to drop their Trinper backdoor."
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
...launched by the Team46 advanced persistent threat operation, also known as TaxOff, to spread the Trinper malware... allow subsequent Trinper backdoor installation without any user interaction...
Recent activity
8 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Backdoor deployed after exploitation of a Chrome zero-day (CVE-2025-2783) by the TaxOff threat actor.
Trinper is a backdoor deployed via exploitation of browser zero-day vulnerabilities, used for persistent access and control over targeted systems.
Multithreaded C++ backdoor deployed via a Chrome zero-day exploit chain; capabilities described include keylogging, targeted file collection, and command-and-control tasking.
Stealthy C++ backdoor deployed via a Chrome sandbox escape (CVE-2025-2783) following phishing; performs keylogging, file collection, data exfiltration, and supports C2 command execution including reverse shell capability.