The Positive Technologies Expert Security Center Threat Intelligence (PT ESC TI) Department discovered that two known APT groups, Team46 and TaxOff, are likely to be one and the same group. The study revealed strong similarities in their tools, infrastructure, and attack tactics, including zero-day vulnerability exploitation.
The research first focused on a March 2025 attack, in which adversaries exploited a Google Chrome zero-day vulnerability (CVE-2025-2783). PT ESC TI experts attributed the attack to TaxOff.
Further analysis of the attack revealed a number of similarities with the attacks attributed to Team46. Specifically, both hacking groups appear to use very similar attack tactics, techniques, and procedures (including the use of phishing emails and PowerShell scripts), tools (notably the Trinper loader), and infrastructure (such as domain names mimicking legitimate services).
"Our research suggests a high probability that Team46 and TaxOff are the same group. These hackers leverage zero-day exploits, which enables them to penetrate secure infrastructures more effectively. The adversaries also create and use sophisticated malware, implying that they have far-reaching plans," notes Stanislav Pyzhov, Lead Specialist of the PT ESC TI Department's Sophisticated Threat Research Group.
Team46 has been spotted in attacks exploiting a DLL hijacking vulnerability in Yandex Browser (CVE-2024-6473), while TaxOff is known to use the Trinper backdoor.
To detect activity associated with this APT group, Positive Technologies experts recommend thoroughly inspecting network traffic, which you can do with PT Network Attack Discovery. Another essential measure for building proactive protection is to implement a sandbox. For example, you can use PT Sandbox: it analyzes file behavior in a virtual environment and detects even complex malware, such as Trinper. Experts also emphasize the importance of continuous monitoring of cybersecurity events, which can be achieved with MaxPatrol SIEM.
The full list of indicators of compromise, including file hashes, network indicators, and Positive Technologies product verdicts, can be found in the study.