Team46 and TaxOff: Two Sides of the Same Coin
Essential information
- Published: 29/10/2025 10:49
- Modified: 29/10/2025 18:23
- Tags: 2025-10-29, cobalt strike, dante, taxoff, team46, trinper
- Related entities: 2 vulnerabilities (CVE), 9 observables, 1 intrusion set (APT), 14 techniques (MITRE), 3 malware, 3 others
Description
This intelligence report reveals that Team46 and TaxOff are likely the same APT group, now referred to as Team46. The analysis compares their attack methods, including the use of similar PowerShell commands, URL patterns, and loader functionality. Both groups utilized zero-day exploits and developed sophisticated malware, indicating a long-term strategy for maintaining persistence in compromised systems. The report details the encryption layers and decryption process of the Trinper backdoor, as well as the use of auxiliary tools for system reconnaissance. The unified group's infrastructure mimics legitimate services, and their techniques include phishing emails, DLL hijacking, and the use of Cobalt Strike beacons.