Two sides of the same coin
April 21, 2025, 12:45 p.m.
Description
This intelligence report analyzes the similarities between two APT groups previously tracked separately, Team46 and TaxOff, and concludes that they are likely the same entity. The analysis covers their shared tactics, techniques, and procedures, including similar PowerShell commands, loader functionality, and infrastructure patterns. Key findings include the use of zero-day exploits, complex malware development, and long-term persistence strategies. The report details the groups' use of multi-layered encryption in their loaders, custom obfuscation techniques, and malware tools such as the Trinper backdoor and Cobalt Strike. The combined group, now referred to as Team46, demonstrates sophisticated capabilities in targeted attacks against protected infrastructures.
Date
- Created: April 18, 2025, 9:45 p.m.
- Published: April 18, 2025, 9:45 p.m.
- Modified: April 21, 2025, 12:45 p.m.