{
	"id": "d3ad27cc-1945-43a8-9b32-b1ee754eecde",
	"created_at": "2026-04-06T00:13:33.469664Z",
	"updated_at": "2026-04-12T02:21:40.723882Z",
	"deleted_at": null,
	"sha1_hash": "9ee128098200cde713030187d1380bcaeba7f148",
	"title": "TaxOff: um, you've got a backdoor...",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 721044,
	"plain_text": "TaxOff: um, you've got a backdoor...\r\nBy Positive Technologies\r\nPublished: 2024-11-28 · Archived: 2026-04-05 16:48:27 UTC\r\nTable of contents:\r\nTaxOff: um, you've got a backdoor...\r\nAuthor: \r\nVladislav Lunin, Senior Specialist of the Positive Technologies Expert Security Center Sophisticated Threat Research Group\r\nTakeaways:\r\n1. A new group was discovered targeting Russian government structures: TaxOff.\r\n2. TaxOff phished using legal and financial emails.\r\n3. TaxOff used the Trinper backdoor in its attacks.\r\n4. Trinper is a multithreaded backdoor written in C++ with flexible configuration using the template method as a design\r\npattern, STL containers, and a buffer cache to improve performance. It has numerous malicious capabilities.\r\nIntroduction\r\nIn Q3 2024, the Positive Technologies Expert Security Center (PT ESC) TI Department discovered a series of attacks\r\non Russian government agencies. We were unable to establish any connection with known groups using the same\r\ntechniques. The main goal was espionage and gaining a foothold to follow through on further attacks. We dubbed the group\r\nTaxOff because of their legal and finance-related phishing emails leading to a backdoor written in at least C++17, which\r\nwe named Trinper after the artifact used to communicate with C2.\r\nInitial infection vector\r\nTaxOff uses phishing emails. We found several of them, including one with a link to Yandex Disk with malicious content\r\nfor 1C and another with a fake installer for special software used by government employees to submit annual income\r\nand expense reports. 
This software is updated every year and targeted by attackers who distribute malware pretending\r\nto be updates.\r\nMaterials.img\r\nOne email had a link to Yandex Disk with the file Materials.img containing the following:\r\nDCIM.lnk — a shortcut used to start the Trinper backdoor\r\ndrive.google.com — the Trinper backdoor\r\nEncrypteddata — merged encrypted RAR archives with trimmed headers\r\nИстория поисков.html — a phishing form like the image below\r\nhttps://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/taxoff-um-you-ve-got-a-backdoor/\r\nPage 1 of 20\n\nFigure 1. Phishing form\r\nSpravki BK\r\nThe other vector contained the Spravki BK software used by government employees in Russia to submit income\r\nand expense reports. This software has also been targeted by a group to spread the Konni backdoor as the renamed\r\nWEXTRACT.EXE.MUI file usually responsible for extracting compressed CAB files. In our case, it contains two\r\nexecutable files instead: bk.exe (Figure 2, Spravki BK) and DotNet35.exe, the Trinper backdoor.\r\nFigure 2. Information about the bk.exe file\r\nSimilar to CAB files, the RCData resource section contains attributes of the execution sequence of the files it stores.\r\nThe first attribute, RUNPROGRAM, contains instructions to execute a specific program or command at the start\r\nand launches bk.exe.\r\nFigure 3. RUNPROGRAM attribute contents\r\nThe second attribute, POSTRUNPROGRAM, contains instructions to launch the executable file after RUNPROGRAM has\r\nbeen executed. So after bk.exe is run, DotNet35.exe is launched.\r\nFigure 4. 
POSTRUNPROGRAM attribute contents\r\nTrinper backdoor\r\nTo improve general understanding of how the backdoor works, the sections below include an explanation of its architecture,\r\nSTL, design pattern, custom serialization, and buffer cache as a preface to its functional description.\r\nArchitecture\r\nLike any other multithreaded application, Trinper is built on a parallel programming paradigm, specifically thread\r\nparallelism. Tasks are broken down into sequential steps as shown on the diagram below, each of which can be performed\r\nin parallel with others.\r\nFigure 5. Trinper's architecture\r\nOne aspect of thread parallelism is data transfer between threads using global variables that can be divided into\r\nthe following groups:\r\n1. Group 1 includes a container for storing instances of the class communicating with C2 (CommHTTP_instance).\r\n2. Group 2 includes a container for storing information about code injections (map_TaskInject).\r\n3. Group 3 includes containers for storing running commands (vector_RunningTasks, deque_shared_RunningTasks,\r\nmap_RunningTasks).\r\n4. Group 4 includes containers for storing the state of background commands (map_shared_ptr_BgJobs,\r\ndeque_BgJobKeylogger, unordered_map_BgJobKeylogger).\r\nUse of STL\r\nThe Standard Template Library provides a set of common generic algorithms, containers, means of accessing their contents,\r\nand various functions in C++ used by the backdoor. The main sign of STL runtime code is the set of error messages embedded for the various\r\ncontainers.\r\nFigure 6. Error strings related to STL container runtime\r\nstd::string and std::wstring\r\nStrings are objects represented as a sequence of characters. Symbols can either have ASCII or wide encoding, which makes\r\nthese containers clearly distinguishable. 
In std::string, the maximum length of the predefined buffer can't exceed 15 bytes,\r\notherwise a heap buffer will be allocated. As for std::wstring, the length of the predefined buffer can't exceed 7 bytes. This\r\nruntime code compares the length of the stored string with the inline buffer and, when needed, allocates a heap buffer, which allows\r\nthe container used to be determined precisely.\r\nFigure 7. Recognizing the std::string and std::wstring runtime\r\nstd::vector\u003cT\u003e\r\nVectors are containers for array-like sequences that can vary in size. One way to recognize the runtime of a vector\r\nis to compare successive memory addresses and then assign a new value to one of them. If the pointer to the first vector\r\nelement is equal to the pointer to the last element (for example, when adding a new element), then the vector will have\r\nto change its current size, allocate additional memory before adding it, and redefine the pointer to the last element.\r\nFigure 8. Recognizing the std::vector\u003cT\u003e runtime\r\nstd::list\u003cT\u003e\r\nLists are sequence containers that allow constant-time insertion and erasure of elements anywhere in the sequence, as well\r\nas iteration in both directions. One way to recognize the runtime of a doubly linked list is to compare the selected buffer\r\nwith the subsequent one to see if the end has been reached when iterating the elements.\r\nFigure 9. Recognizing the std::list\u003cT\u003e runtime\r\nstd::map\u003cK, T\u003e\r\nMaps are associative containers that store elements formed by a combination of a key and mapped value in a specific order.\r\nOne way to recognize map runtime is that the map needs to know if there's already an element with the provided key before\r\ninserting a new key-value pair or returning a value based on the key.\r\nFigure 10. 
Recognizing std::map\u003cK, T\u003e runtime\r\nstd::unordered_map\u003cK, T\u003e\r\nUnordered maps are associative containers that store elements formed by a combination of a key and mapped value, which\r\nallows individual elements to be quickly found by their keys. One of the ways to recognize the runtime of an unordered map\r\nis how its elements are stored in hash tables, as the hash sum will always be calculated for any element index regardless\r\nof the operation.\r\nFigure 11. Recognizing the std::unordered_map\u003cK, T\u003e runtime\r\nstd::deque\u003cT\u003e\r\nDeques are dynamically sized sequence containers that can expand or contract at the front (head) or back (tail). One method\r\nof recognizing the runtime of a deque is to access elements in the blocks. Their size is always a power of two, so access\r\nuses bitwise operations to split the index into a block and an offset.\r\nFigure 12. Recognizing the std::deque\u003cT\u003e runtime\r\nstd::shared_ptr\u003cT\u003e\r\nSmart pointers control pointer storage and provide limited garbage collection, potentially sharing this control with other\r\nobjects. One way to recognize the runtime of a smart pointer is the atomic operations on its reference counts. If the number of shared pointers\r\nto an object decreases to zero, then the control block is deleted.\r\nFigure 13. Recognizing the std::shared_ptr\u003cT\u003e runtime\r\nstd::filesystem\r\nstd::filesystem provides means for performing operations on file systems and their components, including paths, regular\r\nfiles, and directories. One of the ways to recognize its runtime is the presence of functions with the _std_fs_* prefix, which\r\nindicates operations with the file system.\r\nFigure 14. 
Recognizing the std::filesystem runtime\r\nIncluding header files\r\nTo avoid creating structures manually, we need to include header files. To determine their location, we run the x86/x64\r\nNative Tools Command Prompt for VS 20XX (depending on whether the executable file is 32- or 64-bit) and enter the echo\r\n%INCLUDE% command. Then we copy all the paths and paste them in Options \u003e Compiler \u003e Include directories. We also\r\nspecify -target x86_64-pc-win32/i386-pc-win32 -x c++ as arguments to include C++ header files.\r\nFigure 15. Including header files\r\nIn most cases, the element type of containers is set at compile time, so you can't just include a vector header file\r\n(for example) and expect all the element types to be included. Instead, you need to create a separate header file where\r\nthe container element type will be defined explicitly.\r\nFigure 16. Vector structure\r\nDesign pattern used\r\nA design pattern in software engineering is a recurring architectural construct offering a solution to a design problem within\r\na frequently occurring context. This is a rare find in malicious code and indicates that the programmer who wrote\r\nthe backdoor is an experienced professional. The backdoor uses the template method, which is a behavioral design pattern\r\nthat defines the skeleton of an algorithm and defers certain steps to subclasses. The pattern allows subclasses to redefine\r\nthe algorithm's steps without changing its overall structure.\r\nFigure 17. The template method\r\nIn the backdoor, this pattern is used to create command subclasses that inherit from the base class and redefine its methods\r\nand fields.\r\nFigure 18. 
Template method in use\r\nCustom serialization used\r\nIn addition to encryption, the backdoor uses custom serialization to store the configuration and increase flexibility,\r\nas it allows fields to have multiple values in the same token.\r\nFigure 19. Serialized configuration\r\nFor example, if a container token is negative, its value holds another container, which may in turn be one level\r\nof a sequential nesting of containers or may determine the value of the token directly (for example, store a string).\r\nFigure 20. Deserialization of the configuration\r\nBuffer cache use\r\nA buffer cache is a data structure designed for the temporary storage of data to speed up access to it. The Trinper backdoor\r\nuses caching to reduce access time to frequently used data, minimize latency, and improve overall program performance.\r\nFigure 21. Use of buffer cache\r\nInitialization and execution of main class instances\r\nAt the start, the backdoor deserializes the configuration and gets the name it should have. 
If the current name differs, execution\r\nstops; if the names match, the backdoor continues initialization and calls a function to obtain information about\r\nthe victim's computer and collect it in a VictimInfo structure of the following type:\r\nstruct struct_VictimInfo\r\n{\r\nDWORD magic;\r\nstruct_VictimData VictimData;\r\n};\r\nstruct struct_VictimData\r\n{\r\nGUID guid;\r\nBYTE pbSecret[16];\r\nBYTE UserNameW[64];\r\nBYTE hostname[32];\r\nBYTE disks[32];\r\nBYTE h_addrs[20];\r\nDWORD KeyboardLayout;\r\nBYTE dwOemId;\r\nBYTE val_64;\r\nBYTE dwMajorVersion;\r\nBYTE dwMinorVersion;\r\nBYTE Authority;\r\nBYTE FileNameW[64];\r\nBYTE AdaptersAddresses[6];\r\n};\r\nThe fields of the VictimInfo structure have the following purposes:\r\nMember Purpose\r\nmagic Magic number 0xB0B1B201\r\nVictimData\r\nMember Purpose\r\nguid Generated GUID\r\npbSecret Session key for AES-128-CBC\r\nUserNameW Username\r\nhostname Host name\r\ndisks Disk names\r\nh_addrs Host address list\r\nKeyboardLayout System language used\r\ndwOemId Information about the architecture\r\nval_64 Constant value 64\r\ndwMajorVersion Major version of the system\r\ndwMinorVersion Minor version of the system\r\nAuthority Level of integrity\r\nFileNameW File path\r\nAdaptersAddresses Addresses of network adapters\r\nAfter filling in the VictimInfo structure, the backdoor creates and runs these class instances for execution in different\r\nthreads:\r\nCommHTTP — the class for the thread for communication with C2 servers\r\nBgJobFileCapture — the class for the thread that monitors the file system\r\nBgJobKeylogger — the class for the thread where keystrokes will be intercepted\r\nIn its thread, the CommHTTP class parses the deserialized configuration it will use to communicate with C2, generates\r\na session key for AES-128-CBC (with the initialization 
vector equal to zero), imports the public RSA key, and enters\r\na communication loop with C2 servers where:\r\nCommands are received\r\nCommand execution results are collected and sent\r\nFigure 22. CommHTTP class instance execution cycle\r\nAn instance of the BgJobFileCapture class monitors the file system in its thread, loops through all connected disks,\r\nand searches recursively for .doc, .xls, .ppt, .rtf, and .pdf files stored on disks. It also stores execution results in a map with\r\na key (file name) and value (the structure containing information about the file, including its contents).\r\nFigure 23. Receiving information about the file system\r\nAn instance of the BgJobKeylogger class intercepts keystrokes in its thread and stores them in a deque, with data from\r\nthe clipboard stored in an unordered map.\r\nFigure 24. Installing the keylogger\r\nConfiguration\r\nThe configuration is encrypted and stored in the .data section, and decryption is a plain XOR with a one-byte key.\r\nFigure 25. 
Decrypting the configuration\r\nHere's what the decrypted and deserialized configuration structure looks like:\r\nstruct struct_Config\r\n{\r\nDWORD sleep_time;\r\nDWORD size;\r\nstd::wstring UserAgent;\r\nstd::wstring wstr_x86;\r\nstd::wstring wstr_x64;\r\nstd::vector\u003cstd::wstring\u003e C2;\r\nQWORD *public_key;\r\nQWORD public_key_len;\r\nstruct_Commands Commands;\r\nstruct_TaskResults TaskResults;\r\n};\r\nstruct struct_Commands\r\n{\r\nstd::wstring Uri;\r\nstd::vector\u003cstd::string\u003e Headers;\r\nstruct_CommandsResponse CommandsResponse;\r\nstruct_CommandsHeaders CommandsHeaders;\r\nQWORD HelloMessage;\r\nQWORD HelloMessageLen;\r\n};\r\nstruct struct_CommandsResponse\r\n{\r\nstd::string TagOpen;\r\nstd::string Encoder;\r\nstd::string TagClose;\r\n};\r\nstruct struct_CommandsHeaders\r\n{\r\nstd::string Header;\r\nstd::string TagOpen;\r\nstd::string Encoder;\r\nstd::string TagClose;\r\n};\r\nstruct struct_TaskResults\r\n{\r\nstd::wstring Uri;\r\nstd::vector\u003cstd::string\u003e Headers;\r\nstruct_TaskResultsData TaskResultsData;\r\nstruct_TaskResultsHeaders TaskResultsHeaders;\r\n};\r\nstruct struct_TaskResultsData\r\n{\r\nstd::string TagOpen;\r\nstd::string Encoder;\r\nstd::string TagClose;\r\n};\r\nstruct struct_TaskResultsHeaders\r\n{\r\nstd::string Header;\r\nstd::string TagOpen;\r\nstd::string Encoder;\r\nstd::string TagClose;\r\n};\r\nThe fields of the Config structure have the following purposes:\r\nMember Purpose\r\nsleep_time Timeout for a CommHTTP class instance in the C2 communication loop\r\nsize Size of the buffer cache used\r\nUserAgent User-Agent used to communicate with C2 servers\r\nwstr_x86 x86 wide string (not used)\r\nwstr_x64 x64 wide string (not used)\r\nC2 C2 addresses\r\npublic_key Public key 
for encrypting information about the victim and the session key\r\npublic_key_len Length of the public key\r\nCommands\r\nStructure used to receive commands\r\nMember Purpose\r\nUri Command request path\r\nHeaders Custom headers\r\nCommandsResponse\r\nMember Purpose\r\nTagOpen Start of command mask\r\nEncoder Command encoding algorithm\r\nTagClose End of command mask\r\nCommandsHeaders\r\nMember Purpose\r\nHeader Header storing information about the victim\r\nTagOpen Start of the header mask\r\nEncoder Encoding algorithm\r\nTagClose End of header mask\r\nHelloMessage Command request string\r\nHelloMessageLen Command request string length\r\nTaskResults\r\nStructure used to send command operation results\r\nMember Purpose\r\nUri Path of command operation results\r\nHeaders Custom headers\r\nTaskResultsData\r\nMember Purpose\r\nTagOpen Start of task results mask\r\nEncoder Algorithm for encoding task results\r\nTagClose End of task results mask\r\nTaskResultsHeaders\r\nMember Purpose\r\nHeader Header storing information about the victim\r\nTagOpen Start of the header mask\r\nEncoder Encoding algorithm\r\nTagClose End of header mask\r\nCommunication protocol with C2\r\nAll communication with C2 is carried out by a CommHTTP class instance using calls to WININET.DLL library network\r\nfunctions. Information about the victim's computer and the session key are encrypted with the public RSA key, encoded using\r\nBase64, and sent to C2 in the Config.Commands.CommandsHeaders header with Config.Commands.HelloMessage\r\nin the request data. 
The commands received from C2 in response are enclosed between\r\nthe Config.Commands.CommandsResponse.TagOpen and Config.Commands.CommandsResponse.TagClose markers\r\nand encoded using Base64. The task results are encrypted with the AES-128-CBC session key, encoded using Base64,\r\nand enclosed between the Config.TaskResults.TaskResultsData.TagOpen and Config.TaskResults.TaskResultsData.TagClose\r\nmarkers in the request data to C2.\r\nFigure 26. POST request to receive commands\r\nFor example, below is a backdoor request to C2 to receive commands. The greeting message in the data\r\nis mid=76\u0026mod=TRINP, and you can see that the User-Agent header doesn't display the content received from\r\nConfig.UserAgent correctly. This is due to an error passing the header value to InternetOpenW. The problem is that\r\nInternetOpenW tries to convert the User-Agent string from wide to ASCII encoding, but the pointer to the value from\r\nthe configuration is passed incorrectly, so the conversion produces an undisplayable string\r\nat the output.\r\nFigure 27. Request packet to receive commands\r\nCommands\r\nAs mentioned earlier, commands are invoked not by calling a specific function, but by instantiating classes, wrapping them\r\nin a smart pointer, and pushing them onto a deque for execution, from which they are retrieved and called in the main thread\r\nloop. 
The table below includes descriptions of the commands.\r\nID Command Description\r\n0x1213C7 Inject Code injection into process\r\n0xF17E09 WriteFile Write to file\r\n0xF17ED0 ReadFile Read from file\r\n0xC033A4D Cmd Execute command using cmd.exe\r\n0x6E17A585 GetRunningTasks List currently running commands\r\n0xECEC Exec Reverse shell\r\n0xCD Cd Change directory\r\n0x108 JobConf Add a background command\r\n0xD1E Die Backdoor shutdown\r\n0x6177 KillTask Terminate a running command\r\n0xC04F SetCommConfValue Configuration update\r\nInsights\r\nThe TaxOff group tricks users by baiting them with time-sensitive material they're expecting at work and attacks using\r\na sophisticated multithreaded backdoor called Trinper. After establishing persistent access to compromised systems, they can\r\neffectively manage multiple tasks simultaneously and follow through on various malicious actions without significantly\r\nimpacting system performance. Multithreading provides a high degree of parallelism to hide the backdoor while retaining\r\nthe ability to collect and exfiltrate data, install additional modules, and maintain communications with C2. 
This combination\r\nof convincing bait and a sophisticated multithreaded backdoor makes TaxOff's attacks particularly dangerous and difficult\r\nto detect and prevent, highlighting the need for continuous user awareness of cyberthreats and the implementation of multi-layered security measures for protection.\r\nIoC\r\nFile indicators\r\nFILE MD5 SHA-1 SHA-256\r\nМатериалы.img fdeb5b2771785dc412227904127e1cae 6e7bf3ef4e53efea9a7b0446f498545e8dc517dc dd3a609b7beb35fb2527\r\nИстория поисков.html e4da6bd811eb3b5adc4ec29fa859c08c e810613df0dbb5d8634e7e5321f5b14c62ccfcf6 00f433c593204eaa1facb\r\nBK_new2.2.EXE 7815db832ef5124935d9b53445a72f49 d45c3392011070e7e827dd3f8d6797725384b1b3 f699c309f0d2547a85f66\r\nDCIM.lnk 468f4b71eac65391d3d59466e21ec379 9a083844696dd8ccce9a6f11d3a9f1227ea639ba 93b07ba651fb6dbebaaa\r\nTrinper\r\ndrive.google.com 463d8f6e597fc7c2acdb3f5a3bae37b6 8dfecf3417b8f2ab96a3591c93223d6802690fe3 2a0c6a66774cc535f51e\r\nPhotoScreenSaver.scr 19354fc1fb24d2eb08de0d46d464b16b 62e27a7e392a48d6cf14040c6fe59dabb8df44a7 6d4fac9e4c36face9e0d0\r\nSearchApps.exe 62739a86a227ad89fa6c57f5c2335220 f5815561dfc63ad12f96a3e86e0f40cd39622373 7e82b3f1be69d34684a4\r\nDotNet35.exe f590d65dce86589b0e0d507cfeef9f68 c3012a66acaea8801446ee61f8213a663eb7a76a e93c1a0696b59a58e244\r\nNetwork indicators\r\n185.158.248.91\r\n193.37.215.111\r\nserver.1cscan.net\r\nusfna.global.ssl.fastly.net\r\nusfnb.global.ssl.fastly.net\r\nusfnc.global.ssl.fastly.net\r\ncfn.global.ssl.fastly.net\r\nfna.global.ssl.fastly.net\r\nfnb.global.ssl.fastly.net\r\nconsult-asset-feed.global.ssl.fastly.net\r\nconsult-vendor-free.global.ssl.fastly.net\r\nconsult-zero-ads.global.ssl.fastly.net\r\nFile signatures\r\nrule PTESC_apt_win_ZZ_TaxOff__Backdoor__Trinper{\r\n strings:\r\n $s1 = \"Task\"\r\n $s2 = \"TaskCd\"\r\n $s3 = \"TaskCmd\"\r\n $s4 = \"TaskExec\"\r\n $s5 = \"TaskGetRunningTasks\"\r\n $s6 = \"TaskInject\"\r\n $s7 = \"TaskDie\"\r\n $s8 = \"TaskJobConf\"\r\n $s9 = \"TaskKillTask\"\r\n $s10 = \"TaskReadFile\"\r\n $code1 = {E8 ?? ?? ?? ?? 44 38 60 ?? 75 ?? 66 39 58 ?? 72 ?? 48 8B 40 ?? 8B 08 EB ??}\r\n $code2 = {48 89 4C 24 ?? 48 8B 44 24 ?? 0F B6 40 ?? 85 C0 75 ?? 48 8B 44 24 ?? 0F B7 40 ?? 83 F8 ?? 7D ?? 33 C0 EB\r\n condition:\r\n ((uint16(0) == 0x5a4d) and (all of($s*)) and (any of($code*)))\r\n}\r\nMITRE TTPs\r\nInitial Access\r\nT1566.002 Phishing: Spearphishing Link TaxOff used phishing emails with links to malicious files\r\nExecution\r\nT1204.002 User Execution: Malicious File TaxOff used bait files to run the Trinper backdoor\r\nDefense Evasion\r\nT1055.012 Process Injection: Process Hollowing TaxOff used the Trinper backdoor to inject code into processes\r\nCredential Access\r\nT1187 Forced Authentication TaxOff used a false authorization form\r\nT1056.001 Input Capture: Keylogging TaxOff used the Trinper backdoor to intercept keystrokes\r\nDiscovery\r\nT1083 File and Directory Discovery TaxOff used the Trinper backdoor to collect file system information\r\nCollection\r\nT1115 Clipboard Data TaxOff used the Trinper backdoor to access the clipboard\r\nT1056.001 Input Capture: Keylogging TaxOff used the Trinper backdoor to intercept keystrokes\r\nCommand And Control\r\nT1071 Application Layer Protocol TaxOff used http (https) to connect the Trinper backdoor to C2\r\nT1132.001 Data Encoding: Standard Encoding TaxOff used the Trinper backdoor to encode received information using Base64\r\nT1573.001 Encrypted Channel: Symmetric Cryptography TaxOff used the Trinper backdoor to encrypt sent information using AES-256\r\nT1573.002 Encrypted Channel: Asymmetric Cryptography TaxOff used the Trinper backdoor to encrypt sent information using RSA\r\nT1090.004 Proxy: Domain Fronting TaxOff used domain fronting to communicate with the Trinper backdoor\r\nExfiltration\r\nT1020 Automated Exfiltration TaxOff used the Trinper backdoor to automatically exfiltrate results from executing commands\r\nT1041 Exfiltration Over C2 Channel TaxOff used the Trinper backdoor to exfiltrate data to C2\r\nPositive Technologies product verdicts\r\nPT Sandbox\r\napt_win_ZZ_TaxOff__Backdoor__Trinper\r\nMaxPatrol SIEM\r\nSuspicious_Connection\r\nRunAs_System_or_External_tools\r\nRun_Executable_File_without_Meta\r\nSuspicious_Directory_For_Process\r\nPT NAD\r\nBACKDOOR [PTsecurity] Trinper (APT TaxOff) sid: 10012123\r\nSUSPICIOUS [PTsecurity] Suspicious HTTP header Trinper (APT TaxOff) sid: 10012124, 10012125\r\nSource: https://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/taxoff-um-you-ve-got-a-backdoor/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/taxoff-um-you-ve-got-a-backdoor/"
	],
	"report_names": [
		"taxoff-um-you-ve-got-a-backdoor"
	],
	"threat_actors": [
		{
			"id": "17e10d0c-1e0d-46ae-b618-e38257652da1",
			"created_at": "2026-02-04T02:00:03.706015Z",
			"updated_at": "2026-04-12T02:00:03.971851Z",
			"deleted_at": null,
			"main_name": "Team46",
			"aliases": [
				"TaxOff"
			],
			"source_name": "MISPGALAXY:Team46",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434413,
	"ts_updated_at": 1775960500,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9ee128098200cde713030187d1380bcaeba7f148.pdf",
		"text": "https://archive.orkl.eu/9ee128098200cde713030187d1380bcaeba7f148.txt",
		"img": "https://archive.orkl.eu/9ee128098200cde713030187d1380bcaeba7f148.jpg"
	}
}