Team46 and TaxOff: two sides of the same coin


In March 2025, the TaxOff group exploited a Google Chrome zero-day vulnerability (CVE-2025-2783) to deploy the Trinper backdoor via phishing emails. Evidence strongly suggests that TaxOff and Team46 are the same threat actor, sharing similar tactics, techniques, and malware.

Key points

  • In March 2025, TaxOff exploited Google Chrome zero-day CVE-2025-2783 with phishing emails delivering the Trinper backdoor.
  • The attack chain involved malicious links disguised as forum invitations and fake websites hosting the exploit.
  • Similar attacks dating back to September and October 2024 used phishing emails, DLL hijacking, and malicious PowerShell scripts.
  • Analysis shows TaxOff and Team46 share nearly identical infrastructure, malware loaders, PowerShell commands, and encryption techniques.
  • The malware uses multiple layers of encryption and system-specific keys like firmware UUIDs to ensure execution only on targeted systems.
  • TaxOff/Team46 use advanced evasion techniques including debugger detection, sandbox evasion, and process injection with Cobalt Strike and Donut loaders.
  • The group uses custom .NET tools for system reconnaissance and collects sensitive data including keystrokes and clipboard content.

MITRE Techniques

  • [T1588.005] Obtain Capabilities: Exploits – Team46 used the CVE-2025-2783 exploit for system compromise. (“Team46 used a CVE-2025-2783 exploit for system compromise”)
  • [T1566.002] Phishing: Spearphishing Link – Phishing emails contained links to sites hosting exploits or loaders. (“Team46 used phishing emails containing a link to a website with CVE-2025-2783 and an archive with a malicious shortcut loader”)
  • [T1059.001] Command and Scripting Interpreter: PowerShell – PowerShell was used to download payloads and execute scripts. (“Team46 uses PowerShell to download intermediate payloads and the main payload”)
  • [T1106] Native API – Donut shellcode used for code injection. (“Team46 uses donut shellcode to download and inject code”)
  • [T1204.001] User Execution: Malicious Link – Users were tricked into clicking malicious links in phishing emails. (“Team46 sends out phishing emails with a link to trick users into clicking it”)
  • [T1204.002] User Execution: Malicious File – Decoy files delivered and executed backdoors. (“Team46 used decoy files to run the Trinper and Dante backdoors”)
  • [T1055] Process Injection – Cobalt Strike used to inject payloads into processes. (“Team46 used Cobalt Strike to inject various malicious payloads into processes”)
  • [T1027] Obfuscated Files or Information – Loaders used control flow flattening. (“Team46’s loader used control flow flattening”)
  • [T1055.012] Process Injection: Process Hollowing – Trinper backdoor injects code into processes. (“Team46 used the Trinper backdoor to inject code into processes”)
  • [T1070.004] Indicator Removal: File Deletion – Dante backdoor self-deletes based on registry key. (“Dante backdoor has a self-deletion feature triggered by a ‘deadline’ registry key”)
  • [T1070.009] Indicator Removal: Clear Persistence – Self-deletion removes persistence registry keys. (“Self-deletion removes registry keys responsible for persistence”)
  • [T1480.001] Execution Guardrails: Environmental Keying – Payload decryption is tied to system UUID. (“Loader used system UUID as a decryption key for the payload”)
  • [T1497.001] Virtualization/Sandbox Evasion: System Checks – Dante backdoor loader detects virtual environments by scanning OS logs. (“Dante backdoor loader scans OS logs for virtualization indicators”)
  • [T1562.001] Impair Defenses: Disable or Modify Tools – Donut shellcode patches AMSI and other defense APIs. (“Donut shellcode patches AMSI, WLDP, and Native API exit functions”)
  • [T1622] Debugger Evasion – Dante loader detects debuggers via debug registers and driver scans. (“Dante backdoor loader detects debuggers by checking debug registers”)
  • [T1056.001] Input Capture: Keylogging – Trinper backdoor intercepts keystrokes. (“Trinper backdoor used to intercept keystrokes”)
  • [T1057] Process Discovery – ProcessList.exe obtains running processes. (“Team46 used ProcessList.exe to obtain process lists”)
  • [T1083] File and Directory Discovery – Trinper collects file system info. (“Trinper backdoor collects file system information”)
  • [T1115] Clipboard Data – Trinper accesses clipboard content. (“Trinper backdoor accesses clipboard”)
  • [T1071] Application Layer Protocol – Backdoors use HTTP/HTTPS for C2. (“Trinper and Dante backdoors use HTTP and HTTPS for Command and Control”)
  • [T1090.004] Proxy: Domain Fronting – Domain fronting evades network detection. (“Team46 used domain fronting for Trinper C2 communication”)
  • [T1132.001] Data Encoding: Standard Encoding – Base64 encoding used for data transmission. (“Trinper backdoor encodes data using Base64”)
  • [T1572] Protocol Tunneling – Cobalt Strike uses HTTPS encapsulation. (“Cobalt Strike encapsulated own C2 protocol in HTTPS”)
  • [T1573.001] Encrypted Channel: Symmetric Cryptography – Trinper uses AES-256 encryption. (“Trinper backdoor uses AES-256 to encrypt transmitted data”)
  • [T1573.002] Encrypted Channel: Asymmetric Cryptography – Trinper and Dante use RSA encryption. (“Trinper and Dante backdoors use RSA asymmetric encryption”)
  • [T1041] Exfiltration Over C2 Channel – Data exfiltrated to command and control servers. (“Trinper backdoor used to exfiltrate data over C2 channel”)

Indicators of Compromise

  • [File Hashes] Malware samples and tools – TaxOff loader twinapi.dll (MD5: 7d3a30dbf4fd3edaf4dde35ccb5cf926), winsta.dll (MD5: 07d2b50cf8ffe13a4722955ea94317aa), TaxOff Trinper backdoor (SHA-256: 16f6227f760487a70a3168cf9a497ac320943541522cd3937b275c42016ad3e1e), Team46 loader AdobeARM.exe (MD5: a767542f4af58fc3072e74574725ee3c1)
  • [Domains] Command and control and infrastructure – ms-appdata-fonts.global.ssl.fastly.net, ms-appdata-main.global.ssl.fastly.net, fast-telemetry-api.global.ssl.fastly.net, common-rdp-front.global.ssl.fastly.net
  • [IPs] Noted network artifacts – 185.81.114.15
  • [File Names] Decoy and loader files – Ростелеком.pdf.lnk (malicious shortcut), AdobeARM.exe (loader), dirlist.exe, ProcessList.exe, ScreenShot.exe (custom reconnaissance tools)
  • [URLs] Malicious PowerShell download links – https://ms-appdata-query.global.ssl.fastly.net/query.php?id=[REDACTED], https://srv510786.hstgr.cloud/ordinary.php?id=9826fbb409f65dc6b068b085551bf4f3
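The indicators above are only useful once they are loaded into something that checks telemetry against them. The following is an added example, not code from PT Security or the report summarised here: it copies the listed hashes, domains, IP, and file names verbatim, validates each hash before using it (an entry whose length does not match MD5, SHA-1 or SHA-256 is reported for re-verification against the original report rather than silently matched), and runs the set over a few constructed key=value telemetry lines. The log format, host name WS-0412, the 203.0.113.10 address and all timestamps are constructed for the example.

```python
"""Match the TaxOff/Team46 indicators against constructed sample telemetry.

Added example; the indicator values are copied from the list above, the
telemetry lines and field names are constructed for illustration.
"""
from __future__ import annotations

import re
from typing import Iterable

# Hashes exactly as listed on the page (no "fixing" here; see validate_hashes).
IOC_HASHES = {
    "7d3a30dbf4fd3edaf4dde35ccb5cf926": "twinapi.dll (TaxOff loader, MD5)",
    "07d2b50cf8ffe13a4722955ea94317aa": "winsta.dll (TaxOff loader, MD5)",
    "16f6227f760487a70a3168cf9a497ac320943541522cd3937b275c42016ad3e1e": "Trinper backdoor (SHA-256)",
    "a767542f4af58fc3072e74574725ee3c1": "AdobeARM.exe (Team46 loader, MD5)",
}
# C2 / download hostnames from the Domains and URLs entries.
IOC_DOMAINS = {
    "ms-appdata-fonts.global.ssl.fastly.net",
    "ms-appdata-main.global.ssl.fastly.net",
    "fast-telemetry-api.global.ssl.fastly.net",
    "common-rdp-front.global.ssl.fastly.net",
    "ms-appdata-query.global.ssl.fastly.net",  # host of the query.php download URL
    "srv510786.hstgr.cloud",                   # host of the ordinary.php download URL
}
IOC_IPS = {"185.81.114.15"}
# File names (lower-cased for case-insensitive matching on Windows paths).
IOC_FILENAMES = {
    "ростелеком.pdf.lnk", "adobearm.exe", "dirlist.exe", "processlist.exe",
    "screenshot.exe", "twinapi.dll", "winsta.dll",
}

HEX_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"^[0-9a-f]+$")


def validate_hashes(hashes: Iterable[str]) -> tuple[dict[str, str], dict[str, str]]:
    """Split hashes into well-formed ones (value -> algorithm) and malformed ones.

    A malformed entry (not hex, or a length that is not MD5/SHA-1/SHA-256) is
    most likely a transcription error in the feed; it is reported, never matched.
    """
    valid: dict[str, str] = {}
    malformed: dict[str, str] = {}
    for h in hashes:
        h = h.strip().lower()
        algo = HEX_LENGTHS.get(len(h))
        if algo and HEX_RE.match(h):
            valid[h] = algo
        else:
            malformed[h] = f"length {len(h)} is not a known hash size, or value is not hex"
    return valid, malformed


KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> dict[str, str]:
    """Parse one constructed key=value telemetry line (quoted values allowed)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def match_iocs(lines: Iterable[str]) -> list[tuple[int, str, str]]:
    """Return (line_no, field, value) for each field value that hits an indicator."""
    valid_hashes, _ = validate_hashes(IOC_HASHES)
    hits: list[tuple[int, str, str]] = []
    for n, line in enumerate(lines, 1):
        for key, val in parse_line(line).items():
            v = val.lower()
            if key in ("query", "sni", "http_host") and v.rstrip(".") in IOC_DOMAINS:
                hits.append((n, key, v))
            elif key in ("dst", "src") and v in IOC_IPS:
                hits.append((n, key, v))
            elif key in ("md5", "sha256") and v in valid_hashes:
                hits.append((n, key, v))
            elif key == "image" and v.replace("\\", "/").rsplit("/", 1)[-1] in IOC_FILENAMES:
                hits.append((n, key, v))
    return hits


# Constructed telemetry: DNS, process, network, TLS and image-load events.
SAMPLE_LOG = [
    r'ts=2025-03-12T09:58:11Z computer=WS-0412 type=dns query=ms-appdata-main.global.ssl.fastly.net',
    r'ts=2025-03-12T09:58:12Z computer=WS-0412 type=dns query=update.example.com',
    r'ts=2025-03-12T09:58:40Z computer=WS-0412 type=process image="C:\Users\user\Downloads\AdobeARM.exe" md5=a767542f4af58fc3072e74574725ee3c1',
    r'ts=2025-03-12T09:59:02Z computer=WS-0412 type=netconn image="C:\Windows\System32\svchost.exe" dst=185.81.114.15 dport=443',
    r'ts=2025-03-12T09:59:05Z computer=WS-0412 type=tls sni=fast-telemetry-api.global.ssl.fastly.net dst=203.0.113.10',
    r'ts=2025-03-12T10:03:17Z computer=WS-0412 type=imageload image="C:\Users\user\AppData\Local\Temp\twinapi.dll" md5=7d3a30dbf4fd3edaf4dde35ccb5cf926',
]

if __name__ == "__main__":
    _, bad = validate_hashes(IOC_HASHES)
    for h, why in bad.items():
        print(f"re-verify indicator {h}: {why}")
    for n, field, value in match_iocs(SAMPLE_LOG):
        print(f"line {n}: {field}={value}")
```

Line 3 in the sample illustrates why the validator matters: the AdobeARM.exe event still hits on the file name even though its listed MD5 is skipped as malformed. Because the C2 hosts sit on a shared CDN, an exact match on these attacker-chosen hostnames is reliable, but it will not catch domain fronting in general; for that, compare the TLS SNI with the HTTP Host header of the same connection, which this example does not do.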


Read more: https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/team46-and-taxoff-two-sides-of-the-same-coin