Team46 and TaxOff: Two Sides of the Same Coin

Oct. 29, 2025, 6:23 p.m.

Description

This intelligence report concludes that Team46 and TaxOff are likely the same APT group, now tracked under the name Team46. The analysis compares their attack methods, including similar PowerShell commands, URL patterns, and loader functionality. Both groups used zero-day exploits and developed sophisticated malware, indicating a long-term strategy for maintaining persistence in compromised systems. The report details the encryption layers and decryption process of the Trinper backdoor, as well as the auxiliary tools used for system reconnaissance. The unified group's infrastructure mimics legitimate services, and its techniques include phishing emails, DLL hijacking, and Cobalt Strike beacons.

Date

  • Created: Oct. 29, 2025, 10:49 a.m.
  • Published: Oct. 29, 2025, 10:49 a.m.
  • Modified: Oct. 29, 2025, 6:23 p.m.

Indicators


Attack Patterns

Additional Information

  • Telecommunications
  • Government
  • Russian Federation

Linked vulnerabilities