Team46

MISP
Type:
Unknown
Country:
Unknown
First seen:
Unknown
Details:

Team46 is an APT group active since at least late 2024. It targets Russian government, academic and media organizations with spearphishing emails disguised as forum invitations or service notifications. For initial access it has exploited zero-day vulnerabilities including CVE-2025-2783 in Google Chrome (March 2025, Operation ForumTroll) and CVE-2024-6473 in Yandex Browser, followed by multi-stage loaders (e.g., winsta.dll, donut shellcode) that decrypt the next stage with a machine-specific key such as the firmware UUID, so the payload only decrypts on the intended host and stays opaque in a sandbox or analyst VM (an environmental guardrail).

Its primary malware is the Trinper backdoor, which performs keylogging, clipboard theft, file and process discovery, and encrypted exfiltration to C2 over HTTPS with domain fronting. Auxiliary .NET tools (dirlist.exe, ProcessList.exe) have been observed, and some variants deploy Cobalt Strike or the Dante backdoor instead. The group relies on obfuscation, AMSI bypasses, debugger evasion and self-deletion for stealth.

Positive Technologies attributes the TaxOff operations to Team46 based on identical PowerShell patterns, identical loaders, and shared hyphenated CDN-mimicking infrastructure (e.g., ms-appdata-*.global.ssl.fastly.net).
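Two of the infrastructure traits above are directly huntable in proxy or TLS-inspection logs: customer hostnames under the shared Fastly suffix whose leftmost label is a hyphenated Microsoft-looking prefix, and domain fronting, which shows up as a TLS SNI that differs from the HTTP Host header. The following Python is an added example written for this page, not code from Positive Technologies or from the actor's tooling; the log format, the prefix list in MS_MIMIC_RE and every hostname in SAMPLE_LOG are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample records (not a real capture). One TLS/HTTP proxy event
# per line: timestamp, source IP, TLS SNI, HTTP Host header, request URI.
SAMPLE_LOG = """\
2025-03-20T10:01:02Z 10.0.0.5 ms-appdata-2f8e.global.ssl.fastly.net ms-appdata-2f8e.global.ssl.fastly.net /api/v1/sync
2025-03-20T10:01:05Z 10.0.0.5 cdn.example-legit.com cdn.example-legit.com /static/app.js
2025-03-20T10:02:11Z 10.0.0.7 www.fastly-hosted-site.example ms-appdata-91ab.global.ssl.fastly.net /upload
2025-03-20T10:03:30Z 10.0.0.9 github.global.ssl.fastly.net github.global.ssl.fastly.net /assets/x.css
"""

# Shared-CDN suffix under which any Fastly customer can register a hostname.
FASTLY_SHARED_SUFFIX = ".global.ssl.fastly.net"

# Hyphenated, Microsoft-looking prefixes (assumed list, extend from your own
# telemetry) that mimic legitimate CDN names, as in ms-appdata-*.
MS_MIMIC_RE = re.compile(
    r"^(?:ms|microsoft|msft|office|windows|azure)-[a-z0-9]+(?:-[a-z0-9]+)*$"
)


@dataclass
class Finding:
    ts: str
    src: str
    rule: str
    detail: str


def mimic_hostname(host: str) -> bool:
    """True for a single-label customer name under the shared Fastly suffix
    that matches the hyphenated Microsoft-style naming pattern."""
    host = host.lower().rstrip(".")
    if not host.endswith(FASTLY_SHARED_SUFFIX):
        return False
    label = host[: -len(FASTLY_SHARED_SUFFIX)]
    return "." not in label and MS_MIMIC_RE.match(label) is not None


def parse_line(line: str):
    """Split one log line into (ts, src, sni, host, uri); None if malformed."""
    parts = line.split()
    return parts if len(parts) == 5 else None


def hunt(log_text: str) -> list[Finding]:
    """Run both heuristics over the log and return findings in log order."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, sni, host, uri = rec
        if mimic_hostname(host):
            findings.append(Finding(ts, src, "cdn-mimic-hostname", host))
        # Domain fronting: the outer TLS SNI names an innocuous site while the
        # inner Host header selects the attacker's customer on the same CDN.
        if sni.lower() != host.lower() and host.lower().endswith(FASTLY_SHARED_SUFFIX):
            findings.append(Finding(ts, src, "sni-host-mismatch", f"sni={sni} host={host}"))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f.ts} {f.src} {f.rule}: {f.detail}")
```

Both rules are hunting heuristics, not signatures: legitimate customers also live under global.ssl.fastly.net, and the SNI/Host comparison only works where TLS is terminated and the Host header is logged. Treat a hit as a pivot point for checking the host's process tree for the loaders and backdoor named above.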

Aliases (1)
TaxOff
Metadata
ID: 986
Created: 04/02/2026 04:00
Updated: 09/03/2026 04:00