- Tomiris APT targets government bodies with multi-language malware implants
- Group hides C2 traffic in Telegram/Discord, using phishing for initial access
- Campaign focuses on state-level intelligence, hitting Russia and Central Asian institutions
Tomiris, a Russian-speaking APT hacking group, has narrowed its focus to government ministries, intergovernmental organizations, and politically significant institutions.
This is according to a new report from cybersecurity researchers at Kaspersky, which describes a wave of intrusions starting in early 2025 in which Tomiris deployed a large arsenal of multi-language implants.
The tools, written in Go, Rust, Python, and PowerShell (among others), were designed for flexibility, obfuscation, as well as to make attribution more difficult.
Targeting Russian and Central Asian victims
Tomiris now hides its command-and-control (C2) infrastructure in public services such as Telegram and Discord, the report says, which lets it blend malicious traffic into normal, encrypted messaging flows.
Several reverse shells, such as the Tomiris Python Discord ReverseShell and the Tomiris Python Telegram ReverseShell, rely entirely on these platforms both to receive commands and to exfiltrate stolen data.
Initial access is usually achieved via phishing, using lures written in Russian. Once the stage-one malware is deployed, the attackers lie low, run system commands, and deploy stage-two malware. Kaspersky also said that frameworks such as Havoc and AdaptixC2 appear in later phases, where they are used for persistence, lateral movement, and device takeover.
More than half of Tomiris's phishing lures target Russian-speaking individuals or institutions, the report says. The rest are located in Central Asian nations such as Turkmenistan, Kyrgyzstan, Tajikistan, and Uzbekistan. Kaspersky also stresses that this is not opportunistic crime, but a campaign centered on state-level intelligence collection.
“The evolution in tactics underscores the threat actor’s focus on stealth, long-term persistence, and the strategic targeting of government and intergovernmental organizations,” Kaspersky concludes. “The use of public services for C2 communications and multi-language implants highlights the need for advanced detection strategies, such as behavioral analysis and network traffic inspection, to effectively identify and mitigate such threats.”
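As an added illustration of the network-level behavioral detection the quote calls for (this is example code, not from the Kaspersky report or this article), the script below scans constructed proxy-style log lines and flags scripting hosts such as python.exe or powershell.exe reaching Telegram or Discord API endpoints, the pattern the Python reverse shells described above would produce. The log format, the process allow-list, and the sample data are assumptions; only api.telegram.org and the Discord API hosts are real endpoints.

```python
"""Flag non-messaging processes that talk to Telegram/Discord API endpoints."""
import re
from collections import Counter

# Constructed sample proxy/EDR network log lines (assumed format, not from the report).
SAMPLE_LOG = """\
2025-03-04T09:12:01Z host=ws-17 proc=python.exe dst=api.telegram.org:443 bytes=1842
2025-03-04T09:12:03Z host=ws-17 proc=chrome.exe dst=discord.com:443 bytes=98214
2025-03-04T09:12:09Z host=ws-17 proc=python.exe dst=api.telegram.org:443 bytes=410
2025-03-04T09:13:15Z host=ws-22 proc=powershell.exe dst=discord.com:443 bytes=2310
2025-03-04T09:13:40Z host=ws-22 proc=Discord.exe dst=gateway.discord.gg:443 bytes=55120
2025-03-04T09:14:02Z host=ws-31 proc=python.exe dst=pypi.org:443 bytes=120300
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) "
    r"dst=(?P<dst>[^:]+):(?P<port>\d+) bytes=(?P<bytes>\d+)$"
)

# Real API hosts used by Telegram bots and Discord bots/webhooks.
MESSAGING_API_HOSTS = {"api.telegram.org", "discord.com", "discordapp.com", "gateway.discord.gg"}
# Processes expected to reach these services (assumption: tune per environment).
EXPECTED_CLIENTS = {"chrome.exe", "firefox.exe", "msedge.exe", "discord.exe", "telegram.exe"}


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["port"], ev["bytes"] = int(ev["port"]), int(ev["bytes"])
    return ev


def suspicious_events(log_text):
    """Return events where a process outside the allow-list reaches a messaging API host."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["dst"].lower() in MESSAGING_API_HOSTS and ev["proc"].lower() not in EXPECTED_CLIENTS:
            hits.append(ev)
    return hits


def summarize(log_text):
    """Count suspicious (host, proc, dst) tuples so a beaconing scripting host stands out."""
    return Counter((e["host"], e["proc"], e["dst"]) for e in suspicious_events(log_text))


if __name__ == "__main__":
    for (host, proc, dst), n in summarize(SAMPLE_LOG).items():
        print(f"{host}: {proc} -> {dst} ({n} connections)")
```

Repeated hits from the same scripting host to the same API endpoint are the signal worth escalating; a single connection from a browser is expected noise.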
Via The Hacker News
