Google Chrome 0-Day Vulnerability Exploited by APT Hackers in the Wild

Researchers have uncovered a sophisticated attack campaign exploiting a Google Chrome zero-day vulnerability tracked as CVE-2025-2783, marking yet another instance of advanced persistent threat (APT) groups leveraging previously unknown security flaws to compromise high-value targets. 

The vulnerability, a Chrome sandbox escape on Windows, has been actively exploited since March 2025 by the TaxOff group, according to analysis conducted by Positive Technologies Expert Security Center.

Phishing Campaign Delivers One-Click Exploits

The attack chain begins with carefully crafted phishing emails designed to appear as legitimate invitations to high-profile events, including the Primakov Readings forum. 

When victims click malicious links embedded in these emails, the CVE-2025-2783 exploit triggers automatically, bypassing Chrome’s security sandbox and installing the Trinper backdoor without requiring additional user interaction.

Layers of encryption

The attackers demonstrated advanced social engineering techniques, with one October 2024 campaign using emails disguised as invitations to an international conference titled “Security of the Union State in the modern world”. 

These emails contained malicious links following the pattern https://mil-by[.]info/#/i?id=[REDACTED], which downloaded archives containing shortcuts that executed PowerShell commands such as:

Risk factors and details

Affected Products: Google Chrome for Windows prior to 134.0.6998.177/.178 (the March 2025 stable release that fixed CVE-2025-2783)
Impact: Sandbox escape leading to remote code execution
Exploit Prerequisites: User interaction (clicking a malicious link) and an unpatched Chrome version
CVSS 3.1 Score: 9.6 (Critical)

Technical analysis reveals that the Trinper backdoor employs sophisticated anti-analysis techniques built on a multi-layered encryption scheme. 

The malware loader uses a custom implementation with five distinct encryption layers, combining the ChaCha20 stream cipher with a modified BLAKE2b hash function.

The loader performs several environmental checks before payload execution, including a check, implemented with the same modified BLAKE2b hash, that it is running inside specific processes. 

Most notably, the malware uses the target system's firmware UUID, obtained through the GetSystemFirmwareTable function (the SMBIOS system UUID), as part of its decryption process, so the payload can only be decrypted on the intended victim's machine; a sample recovered from any other host, or detonated in an analysis sandbox, will not decrypt without the victim's values.

The decryption process also uses the process image path, the ImagePathName field reached through the Process Environment Block (PEB) and its ProcessParameters structure, as an additional decryption key. 

If all checks pass, the final layer reveals either a Donut-generated loader carrying the Trinper backdoor or, in some variants, Cobalt Strike payloads.
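The following Python script is an added example, written for this page and not taken from the Trinper loader or from Positive Technologies' analysis, to make the host-keyed decryption and the hashed process check described above concrete. Everything beyond the two ideas the analysis states (key material derived from the firmware UUID and the PEB ImagePathName; process identity compared via BLAKE2b rather than plaintext names) is this example's own assumption: stock hashlib BLAKE2b stands in for the loader's modified variant, the key schedule and blob layout are invented for illustration, a keyed BLAKE2b tag serves as the "did it decrypt correctly" check, the ChaCha20 is a straight RFC 8439 implementation, and the UUID and image path are constructed sample values so the script runs on any OS without calling Windows APIs.

```python
# Added example: host-keyed payload unwrapping in the style the analysis
# describes. Not Trinper's code. Assumptions: stock hashlib BLAKE2b stands in
# for the loader's modified variant; the key schedule, blob layout and the
# authentication tag used as the "did it decrypt" check are this example's own;
# the firmware UUID (GetSystemFirmwareTable, SMBIOS type 1) and ImagePathName
# (PEB->ProcessParameters) are constructed values so the script runs anywhere.
import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF


def _rotl32(v, c):
    return ((v << c) & MASK32) | (v >> (32 - c))


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 7)


def _chacha20_block(key, counter, nonce):
    """One 64-byte keystream block per RFC 8439 (32-byte key, 12-byte nonce)."""
    state = (list(struct.unpack("<4I", b"expand 32-byte k"))
             + list(struct.unpack("<8I", key))
             + [counter]
             + list(struct.unpack("<3I", nonce)))
    w = state[:]
    for _ in range(10):  # 20 rounds = 10 column/diagonal double rounds
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(w[i] + state[i]) & MASK32 for i in range(16)])


def chacha20_xor(key, nonce, data, counter=1):
    """ChaCha20 encrypt/decrypt (same operation); block counter starts at 1 as in RFC 8439."""
    out = bytearray()
    for off in range(0, len(data), 64):
        keystream = _chacha20_block(key, counter + off // 64, nonce)
        out += bytes(p ^ k for p, k in zip(data[off:off + 64], keystream))
    return bytes(out)


def derive_host_key(firmware_uuid, image_path):
    """Bind the key to one machine: BLAKE2b-256 over the SMBIOS UUID and the process image path."""
    h = hashlib.blake2b(digest_size=32, person=b"host-keyed-demo")
    h.update(firmware_uuid)
    h.update(b"\x00")
    h.update(image_path.lower().encode("utf-16-le"))  # PEB strings are UTF-16LE on Windows
    return h.digest()


def process_digest(process_name):
    """Hash of a process name; the binary carries digests, never cleartext names."""
    return hashlib.blake2b(process_name.lower().encode(), digest_size=16).digest()


def process_allowed(process_name, allowed_digests):
    """The 'am I inside the expected host process' gate."""
    return process_digest(process_name) in allowed_digests


def wrap_payload(payload, firmware_uuid, image_path, nonce):
    """Blob layout: nonce(12) || tag(16) || ciphertext. The tag is a keyed BLAKE2b over
    the plaintext so the loader can tell the right host from a wrong one."""
    key = derive_host_key(firmware_uuid, image_path)
    tag = hashlib.blake2b(payload, key=key, digest_size=16).digest()
    return nonce + tag + chacha20_xor(key, nonce, payload)


def unwrap_payload(blob, firmware_uuid, image_path):
    """Return the payload on the intended host, None anywhere else (an analyst VM included)."""
    nonce, tag, ciphertext = blob[:12], blob[12:28], blob[28:]
    key = derive_host_key(firmware_uuid, image_path)
    plaintext = chacha20_xor(key, nonce, ciphertext)
    expected = hashlib.blake2b(plaintext, key=key, digest_size=16).digest()
    return plaintext if hmac.compare_digest(expected, tag) else None


# Constructed sample values standing in for what the loader reads from the live system.
VICTIM_UUID = bytes.fromhex("4c4c4544004a3010805ac2c04f4b4332")
VICTIM_IMAGE = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE_PAYLOAD = b"<stage-2 bytes: a Donut-style loader would go here>"

if __name__ == "__main__":
    blob = wrap_payload(SAMPLE_PAYLOAD, VICTIM_UUID, VICTIM_IMAGE, bytes(range(12)))
    print(unwrap_payload(blob, VICTIM_UUID, VICTIM_IMAGE))  # the payload
    print(unwrap_payload(blob, bytes(16), VICTIM_IMAGE))    # None: different firmware UUID
```

The practical consequence for responders is visible in unwrap_payload: with the victim's UUID and image path the blob opens, with anything else it yields nothing, so a later stage must be recovered from the compromised host itself (memory capture or live collection of the SMBIOS UUID and the exact Chrome image path) rather than from a copied sample detonated elsewhere. The process-name gate works the same way: only digests are stored, so string searches on the binary will not reveal which host processes the loader expects.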

Researchers have established strong connections between the TaxOff group and another threat actor known as Team46, suggesting they may be the same organization operating under different identities. 

Both groups employ similar PowerShell command structures, URL patterns, and identical loader functionality.

This campaign underscores the ongoing threat posed by APT groups with access to zero-day exploits and highlights the critical importance of maintaining updated browser security patches and implementing robust email security controls to prevent initial compromise vectors.


The post Google Chrome 0-Day Vulnerability Exploited by APT Hackers in the Wild appeared first on Cyber Security News.