New TaxOff Hacker Group Attacks Russian Government Agencies
Experts from Positive Technologies have discovered a new APT group targeting organizations in the Russian government sector. The attackers used phishing emails focused on financial and legal topics, which led to the group being named TaxOff. In their attacks, the hackers deployed the Trinper backdoor, which is capable of remaining undetected even while performing multiple tasks simultaneously.
According to researchers, in attacks identified in the third quarter of 2024, the hackers pursued two main goals: espionage and establishing a foothold in victims’ infrastructure for future attacks.
Phishing as the Initial Attack Vector
TaxOff uses phishing emails as its initial attack vector. For example, one email contained a link to a Yandex Disk share hosting malicious content themed around the “1C” business software, while another carried a fake installer posing as the special software that government employees use to report their income and expenses. That software is updated annually, which makes it a convenient target: attackers distribute malware disguised as the expected update.
Interacting with such emails led to infection with the Trinper backdoor. This malware is written in C++ and features a multithreaded architecture, allowing it to perform various actions in parallel—such as collecting and exfiltrating data, monitoring the file system for sensitive information, and maintaining communication with a command-and-control server.
Trinper Architecture
Specialists report that Trinper is built on the parallel-programming pattern known as pipeline parallelism: a task is split into sequential stages, each stage runs in its own thread, and the stages are connected by queues so that every stage can work on a different item at the same time.
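To make the pattern concrete, here is an added illustration of a three-stage pipeline (enumerate candidate files, select the ones that look sensitive, package the selected ones) written for this page; it is not Trinper's code and is not derived from it. Each stage is a thread, the stages are joined by a small thread-safe channel, and closing a channel lets the downstream stage drain and exit cleanly. The file names and the "interesting extension" rule are constructed for the example.

```cpp
// Added example: a generic three-stage pipeline (collect -> select -> package).
// Each stage runs in its own thread; stages communicate through FIFO channels,
// so every stage can process a different item at the same time.
#include <condition_variable>
#include <iostream>
#include <mutex>
#include <optional>
#include <queue>
#include <string>
#include <thread>
#include <vector>

// Unbounded thread-safe FIFO channel. close() tells the consumer that no more
// items will arrive, so pop() returns nullopt once the queue is drained.
template <typename T>
class Channel {
public:
    void push(T v) {
        { std::lock_guard<std::mutex> lk(m_); q_.push(std::move(v)); }
        cv_.notify_one();
    }
    void close() {
        { std::lock_guard<std::mutex> lk(m_); closed_ = true; }
        cv_.notify_all();
    }
    std::optional<T> pop() {
        std::unique_lock<std::mutex> lk(m_);
        cv_.wait(lk, [&] { return !q_.empty() || closed_; });
        if (q_.empty()) return std::nullopt;   // closed and drained
        T v = std::move(q_.front());
        q_.pop();
        return v;
    }
private:
    std::mutex m_;
    std::condition_variable cv_;
    std::queue<T> q_;
    bool closed_ = false;
};

// Constructed selection rule for the example: document-like extensions only.
bool is_interesting(const std::string& path) {
    static const char* const exts[] = {".docx", ".xlsx", ".pdf"};
    for (const char* e : exts) {
        std::string ext(e);
        if (path.size() >= ext.size() &&
            path.compare(path.size() - ext.size(), ext.size(), ext) == 0)
            return true;
    }
    return false;
}

// Runs the pipeline over a list of paths and returns the packaged records.
// Because each stage is a single thread and the channels are FIFO, the output
// order matches the input order even though the stages overlap in time.
std::vector<std::string> run_pipeline(const std::vector<std::string>& paths) {
    Channel<std::string> found;     // stage 1 -> stage 2
    Channel<std::string> selected;  // stage 2 -> stage 3
    std::vector<std::string> out;

    std::thread collector([&] {
        for (const auto& p : paths) found.push(p);
        found.close();
    });
    std::thread selector([&] {
        while (auto p = found.pop())
            if (is_interesting(*p)) selected.push(*p);
        selected.close();
    });
    std::thread packager([&] {
        while (auto p = selected.pop()) out.push_back("packed:" + *p);
    });

    collector.join();
    selector.join();
    packager.join();
    return out;
}

int main() {
    // Constructed sample input for the example.
    std::vector<std::string> sample = {"report.docx", "notes.txt",
                                       "budget.xlsx", "setup.exe", "scan.pdf"};
    for (const auto& r : run_pipeline(sample)) std::cout << r << '\n';
    return 0;
}
```

The defensive takeaway is that a pipeline like this generates its observable activity (file enumeration, reads of selected files, outbound traffic) in small, overlapping slices rather than as one burst, which is why per-process CPU or I/O spikes are a weak signal; correlating file-access telemetry with network egress from the same process over a longer window is a better fit for this architecture.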
Experts note that Trinper has a unique configuration that allows for flexible customization. Additionally, the backdoor caches frequently used data, enabling it to perform operations faster and increase overall efficiency.
“Thanks to its multithreading and other architectural features, Trinper gives attackers persistent access to compromised systems and allows them to carry out numerous malicious actions simultaneously. At the same time, the backdoor has little impact on infrastructure performance, so it can remain undetected for a long time,” commented Vladislav Lunin, Senior Specialist in the Advanced Threat Research Group at Positive Technologies. “The combination of high-tech malware and lures on sensitive topics makes TaxOff attacks especially dangerous and difficult to detect.”