Tomiris APT Shifts to Telegram, Discord for Stealthy Cyberattacks

  • The threat actor Tomiris targets government and intergovernmental organizations in Russia and Central Asia.
  • New tactics involve using public services like Telegram and Discord for command-and-control to evade detection.
  • Spear-phishing campaigns use region-specific languages and Russian-themed content, focusing on Russian-speaking targets and Central Asian countries.
  • Multiple malware families and custom implants are deployed, written in various programming languages and built on open-source frameworks.
  • The group shows operational flexibility with multi-language malware to maintain stealth and long-term persistence.

Tomiris, a threat actor active since at least 2021, has been conducting cyberattacks targeting foreign ministries, government entities, and intergovernmental organizations in Russia and Central Asia. These campaigns aim to gain remote access and deliver additional malicious tools, focusing heavily on intelligence gathering. Attacks have been especially prevalent in Russia, Turkmenistan, Kyrgyzstan, Tajikistan, and Uzbekistan.

The group’s recent activity reveals a shift in tactics that includes the use of implants leveraging public platforms like Telegram and Discord for command-and-control (C2) communication. This technique likely helps blend malicious traffic with legitimate service activity, reducing detection risks, as noted by researchers Oleg Kupreev and Artem Ushkov in their analysis.

Spear-phishing emails are crafted carefully with Russian names and text in over half the cases, emphasizing Russian-speaking targets. Other campaigns employ native languages of Central Asian countries. These emails often contain password-protected RAR archives with executables disguised as documents. Once executed, the malware installs reverse shells and backdoors, establishes persistence through Windows Registry modifications, and connects to servers running open-source frameworks such as Havoc and AdaptixC2.

Additional malware delivered via these emails includes a Rust-based downloader that communicates with Discord webhooks, a Python reverse shell using Discord for C2, and a backdoor called Distopia based on the open-source dystopia-c2 project. Distopia uses Discord and Telegram for executing commands and exfiltrating data.

Tomiris also deploys various reverse shells and implants developed in languages like C#, Rust, Go, and PowerShell. These tools utilize Telegram for command reception and operate with multiple communication protocols and techniques. Some employ modified versions of open-source reverse SOCKS proxies written in C++ and Go to hide activity.
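The paragraphs above describe implants that hide C2 inside Discord webhook and Telegram Bot API traffic, delivered from executables unpacked out of RAR lures. The following is an added detection example, not code from the report or from the researchers, that shows how a defender can triage endpoint network telemetry for that pattern: it flags webhook and bot-API calls, then raises severity when the caller is not an expected client, is a script host, or was spawned directly by an archive extractor. Every event, process name and token in it is constructed; the process allow-lists are assumptions to tune per environment.

```python
"""Triage endpoint network events for Discord/Telegram-based C2.

Added example, not part of the original article. The telemetry below is
constructed; hosts are real service domains, but every path token and
process name is a placeholder.
"""
import re
from typing import Dict, List, Optional

# Processes that legitimately talk to these services (assumption: tune per estate).
EXPECTED_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "discord.exe", "telegram.exe"}
# Archive extractors: a child spawned directly by one matches the RAR-lure delivery chain.
ARCHIVE_TOOLS = {"winrar.exe", "7zfm.exe", "7zg.exe"}
# Script hosts commonly abused for reverse shells.
SCRIPT_HOSTS = {"powershell.exe", "python.exe", "pythonw.exe", "cmd.exe"}

DISCORD_HOSTS = {"discord.com", "discordapp.com"}
# Webhook endpoints: /api/webhooks/<id>/<token>
WEBHOOK_RE = re.compile(r"^/api/webhooks/\d+/")
# Bot API endpoints: /bot<token>/<method>; polling and send methods are what an implant needs
TELEGRAM_BOT_RE = re.compile(r"^/bot[^/]+/(getUpdates|sendMessage|sendDocument)")

# Constructed telemetry: one outbound HTTPS request per record.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"pid": 4120, "process": "msedge.exe", "parent": "explorer.exe",
     "host": "discord.com", "path": "/api/v9/channels/1/messages"},
    {"pid": 5210, "process": "report_2025.exe", "parent": "WinRAR.exe",
     "host": "discord.com", "path": "/api/webhooks/123456789/PLACEHOLDER_TOKEN"},
    {"pid": 5331, "process": "powershell.exe", "parent": "report_2025.exe",
     "host": "api.telegram.org", "path": "/botPLACEHOLDER_TOKEN/getUpdates"},
    {"pid": 6002, "process": "Discord.exe", "parent": "explorer.exe",
     "host": "discord.com", "path": "/api/webhooks/987654321/PLACEHOLDER"},
    {"pid": 6100, "process": "python.exe", "parent": "cmd.exe",
     "host": "example.org", "path": "/"},
]


def classify(event: Dict[str, object]) -> Optional[Dict[str, object]]:
    """Return a finding for events that match the C2-over-public-service pattern, else None."""
    proc = str(event["process"]).lower()
    parent = str(event["parent"]).lower()
    host = str(event["host"]).lower()
    path = str(event["path"])

    reasons: List[str] = []
    if host in DISCORD_HOSTS and WEBHOOK_RE.match(path):
        reasons.append("discord webhook call")
    elif host == "api.telegram.org" and TELEGRAM_BOT_RE.match(path):
        reasons.append("telegram bot api polling/send")
    if not reasons:
        return None

    # Baseline: a known client talking to the service is low-priority noise.
    severity = "low" if proc in EXPECTED_CLIENTS else "high"
    if parent in ARCHIVE_TOOLS:
        reasons.append("spawned directly by archive extractor")
        severity = "high"
    if proc in SCRIPT_HOSTS:
        reasons.append("script host process")
        severity = "high"
    return {"pid": event["pid"], "process": event["process"],
            "severity": severity, "reasons": reasons}


def triage(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Run classify() over a batch and keep only the findings, in input order."""
    return [f for f in map(classify, events) if f is not None]


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding["severity"].upper(), finding["pid"], finding["process"], "; ".join(finding["reasons"]))
```

The path checks are what separate C2 from ordinary use of the same domains: a browser loading a Discord channel never calls `/api/webhooks/`, and the Telegram desktop client does not use the Bot API at all, so a bot-API request from any process deserves a look even before the parent-process context is considered.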

“The Tomiris 2025 campaign leverages multi-language malware modules to enhance operational flexibility and evade detection by appearing less suspicious,” stated the cybersecurity company. The evolution in tactics emphasizes stealth, persistence, and targeted attacks on political and diplomatic infrastructures.

Earlier studies associate Tomiris with malware families linked to known Russian APT groups but regard it as a distinct actor primarily focused on Central Asia. Microsoft’s December 2024 report connected the backdoor with a Kazakhstan-based group called Storm-0473, while other analyses noted overlaps with several other clusters such as Cavalry Werewolf, ShadowSilk, and Silent Lynx.
