BTC $71,807
2026 Bull Run Is Building Start trading with 5% OFF all fees
Sign Up Now
BTC $71,807
Bull Run 2026 | 5% Off Fees Open your Binance account today
Sign Up

Tomiris APT Shifts to Telegram, Discord for Stealthy Cyberattacks

  • The threat actor Tomiris targets government and intergovernmental organizations in Russia and Central Asia.
  • New tactics involve using public services like Telegram and Discord for command-and-control to evade detection.
  • Spear-phishing campaigns use region-specific languages and Russian-themed content, focusing on Russian-speaking targets and Central Asian countries.
  • Multiple Malware families and custom implants are deployed, utilizing various programming languages and open-source frameworks.
  • The group shows operational flexibility with multi-language malware to maintain stealth and long-term persistence.

Tomiris, a threat actor active since at least 2021, has been conducting cyberattacks targeting foreign ministries, government entities, and intergovernmental organizations in Russia and Central Asia. These campaigns aim to gain remote access and deliver additional malicious tools, focusing heavily on intelligence gathering. Attacks have been especially prevalent in Russia, Turkmenistan, Kyrgyzstan, Tajikistan, and Uzbekistan.

- Advertisement -

The group’s recent activity reveals a shift in tactics that includes the use of implants leveraging public platforms like Telegram and Discord for command-and-control (C2) communication. This technique likely helps blend malicious traffic with legitimate service activity, reducing detection risks, as noted by researchers Oleg Kupreev and Artem Ushkov in their analysis.

Spear-phishing emails are crafted carefully with Russian names and text in over half the cases, emphasizing Russian-speaking targets. Other campaigns employ native languages of Central Asian countries. These emails often contain password-protected RAR archives with executables disguised as documents. Once executed, the malware installs reverse shells and backdoors, establishes persistence through Windows Registry modifications, and connects to servers running open-source frameworks such as Havoc and AdaptixC2.

Additional malware delivered via these emails includes a Rust-based downloader that communicates with Discord webhooks, a Python reverse shell using Discord for C2, and a backdoor called Distopia based on the open-source dystopia-c2 project. Distopia uses Discord and Telegram for executing commands and exfiltrating data.

Tomiris also deploys various reverse shells and implants developed in languages like C#, Rust, Go, and PowerShell. These tools utilize Telegram for command reception and operate with multiple communication protocols and techniques. Some employ modified versions of open-source reverse SOCKS proxies written in C++ and Go to hide activity.

- Advertisement -

“The Tomiris 2025 campaign leverages multi-language malware modules to enhance operational flexibility and evade detection by appearing less suspicious,” stated the Cybersecurity company. The evolution in tactics emphasizes stealth, persistence, and targeted attacks on political and diplomatic infrastructures.

Earlier studies associate Tomiris with malware families linked to known Russian APT groups but regard it as a distinct actor primarily focused on Central Asia. Microsoft’s December 2024 report connected the backdoor with a Kazakhstan-based group called Storm-0473, while other analyses noted overlaps with several other clusters such as Cavalry Werewolf, ShadowSilk, and Silent Lynx.

Cyberattacks Illustration

✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.

Previous Articles:

- Advertisement -
Ad
Altseason Is Loading. Don't watch from the sidelines.
SOL $90.51
DOGE $0.0963
LINK $9.02
SUI $1.00
5% off fees when you sign up
Start Trading
Ad
Pay Less on Every Trade. For Life.
$10K/mo volume Save $60/yr
$50K/mo volume Save $300/yr
$100K/mo volume Save $600/yr
5% off all trading fees when you sign up
Claim Your Discount

Latest News

China-linked hackers target Indian taxpayers via tax phishing

A suspected China-nexus cyber campaign named Operation DragonReturn is targeting Indian taxpayers and financial...

Alphabet Launches Two New AI Models, Eyes Stock Boost

Alphabet launches two new AI models, Nano Banana 2 Lite and Gemini Omni Flash,...

Nvidia’s Kyber AI rack delayed to 2028: report

NVIDIA's next-generation Kyber server rack, designed for Rubin Ultra chips, is delayed to 2028...

TrojPix Air-Gap Attack Uses Monitor Cables

Researchers at Shandong University have demonstrated a new covert data exfiltration technique called TrojPix.The...

Bitcoin Reclaims $63k as Crypto Market Sees July Reversal

Bitcoin (BTC) reclaimed $63,000 in early July 2026, signaling a market reversal after a...

Must Read

18 Countries With No Privacy Laws According To UN (List)

Privacy laws are legal frameworks designed to protect personal data from unauthorized access, misuse, or disclosure.Lack of privacy laws can lead to misuse of...
Ad
Altseason Is Loading. These 4 coins are trending right now.
SOL $92.12
DOGE $0.0950
LINK $9.02
SUI $1.02
5% off spot fees when you sign up
Start Trading