- Tomiris APT targets government agencies with multilingual malware implants
- Group hides C2 traffic in Telegram/Discord, using phishing for initial access
- Campaign focuses on state-level intelligence and hits institutions in Russia and Central Asia
Tomiris, a Russian-speaking APT group, has concentrated its attacks on government ministries, intergovernmental organizations, and politically important institutions.
This is according to a new report from Kaspersky researchers, which describes a wave of intrusions starting in early 2025 during which Tomiris deployed a vast arsenal of multilingual implants.
The tools, written in Go, Rust, Python, and PowerShell (among others), were designed for flexibility and obfuscation, and to make attribution more difficult.
Targeting Russian and Central Asian victims
Tomiris now hides its command and control (C2) infrastructure behind public services such as Telegram or Discord, the report says, which lets its malicious traffic blend into normal, encrypted messaging flows to well-known hosts.
Several reverse shells, such as the Tomiris Python Discord ReverseShell and the Tomiris Python Telegram ReverseShell, rely entirely on these platforms to receive commands and exfiltrate stolen data.
Initial access is usually achieved through phishing, using lures written in Russian. Once the first-stage malware is deployed, the attackers stay hidden, execute system commands, and deploy second-stage malware. Kaspersky also said that frameworks such as Havoc and AdaptixC2 appear in later phases and are used for persistence, lateral movement and device takeover.
More than half of Tomiris’ phishing attempts target Russian-speaking individuals or institutions, it was reported. The rest are located in Central Asian countries like Turkmenistan, Kyrgyzstan, Tajikistan and Uzbekistan. Kaspersky also emphasizes that this is not an opportunistic crime, but rather a campaign focused on state-level intelligence gathering.
“The evolution of tactics highlights that threat actors are focused on stealth, long-term persistence, and strategic targeting of government and intergovernmental organizations,” Kaspersky concludes. “The use of utilities for C2 communications and multilingual implants highlights the need for advanced detection strategies, such as behavioral analysis and network traffic inspection, to effectively identify and mitigate these threats.”
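As an added illustration of the network-traffic-inspection angle Kaspersky recommends, and of the Telegram/Discord C2 pattern described above, here is a small detector that is not part of Kaspersky's report or of TechRadar's article. It runs over constructed endpoint network-log lines (the log format, host names, process names and the token-like values are all assumptions for the example) and flags script interpreters that talk to the public Telegram Bot API or Discord webhook API, which browsers and the official desktop clients are expected to do but python.exe or powershell.exe on a ministry workstation are not.

```python
import re

# Public, documented API hosts used by Telegram bots and Discord webhooks.
MESSAGING_API_HOSTS = {"api.telegram.org", "discord.com", "discordapp.com", "gateway.discord.gg"}

# Assumed allow-list of processes that legitimately reach those hosts (tune per environment).
EXPECTED_CLIENTS = {"chrome.exe", "firefox.exe", "msedge.exe", "telegram.exe", "discord.exe"}

# Interpreters and LOLBins that should never be polling a chat API on a managed workstation.
SCRIPT_HOSTS = {"python.exe", "pythonw.exe", "powershell.exe", "pwsh.exe",
                "cmd.exe", "rundll32.exe", "wscript.exe", "cscript.exe"}

# Telegram bot tokens have the shape "<bot id>:<secret>" and sit in the URL path;
# the secret length is approximated here rather than taken from any specification.
TELEGRAM_BOT_PATH = re.compile(r"^/bot\d+:[A-Za-z0-9_-]{30,}/(?P<method>[A-Za-z]+)")
# Discord webhook URLs carry the webhook id and token in the path.
DISCORD_WEBHOOK_PATH = re.compile(r"^/api/webhooks/\d+/[A-Za-z0-9_-]+")

# Constructed log format: one event per line, key=value fields (hypothetical EDR export).
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) dst=(?P<dst>\S+) path=(?P<path>\S+)$"
)

# Constructed sample events; the bot id, token and webhook values are made up.
SAMPLE_LOG = """\
2025-03-04T09:12:01Z host=WS-17 proc=chrome.exe dst=discord.com path=/api/v9/users/@me
2025-03-04T09:12:05Z host=WS-17 proc=python.exe dst=api.telegram.org path=/bot7183920001:AAHfZx9Qm2Vt8nLp4Rq0WyCb6Ke3Ju5Gd1X/getUpdates
2025-03-04T09:12:09Z host=WS-17 proc=python.exe dst=api.telegram.org path=/bot7183920001:AAHfZx9Qm2Vt8nLp4Rq0WyCb6Ke3Ju5Gd1X/sendDocument
2025-03-04T09:12:13Z host=WS-17 proc=python.exe dst=api.telegram.org path=/bot7183920001:AAHfZx9Qm2Vt8nLp4Rq0WyCb6Ke3Ju5Gd1X/getUpdates
2025-03-04T09:13:00Z host=WS-22 proc=powershell.exe dst=discord.com path=/api/webhooks/1201234567890123456/xYz_AbC-123
2025-03-04T09:14:00Z host=WS-09 proc=telegram.exe dst=api.telegram.org path=/
2025-03-04T09:15:00Z host=WS-09 proc=outlook.exe dst=mail.example.gov path=/owa/
"""


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def classify(event):
    """Return the list of findings for one event; an empty list means nothing suspicious."""
    findings = []
    if event["dst"].lower() not in MESSAGING_API_HOSTS:
        return findings                      # only chat-API destinations are in scope
    proc = event["proc"].lower()
    if proc in SCRIPT_HOSTS:
        findings.append(f"script_host_to_chat_api:{proc}")
    elif proc not in EXPECTED_CLIENTS:
        findings.append(f"unexpected_client_to_chat_api:{proc}")
    m = TELEGRAM_BOT_PATH.match(event["path"])
    if m:                                    # bot token in the path: getUpdates = tasking, send* = exfil
        findings.append(f"telegram_bot_api:{m.group('method')}")
    if DISCORD_WEBHOOK_PATH.match(event["path"]):
        findings.append("discord_webhook_post")
    return findings


def scan(log_text):
    """Run classify() over every line and return the events that produced findings."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        findings = classify(ev)
        if findings:
            alerts.append({"ts": ev["ts"], "host": ev["host"], "proc": ev["proc"],
                           "dst": ev["dst"], "findings": findings})
    return alerts


def polling_hosts(alerts, min_polls=2):
    """Hosts where a script interpreter called getUpdates repeatedly, i.e. is waiting for tasking."""
    counts = {}
    for a in alerts:
        if any(f.startswith("script_host") for f in a["findings"]) and \
           "telegram_bot_api:getUpdates" in a["findings"]:
            counts[a["host"]] = counts.get(a["host"], 0) + 1
    return sorted(h for h, n in counts.items() if n >= min_polls)


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert["ts"], alert["host"], alert["proc"], "->", alert["dst"], alert["findings"])
    print("hosts polling for tasking:", polling_hosts(scan(SAMPLE_LOG)))
```

The URL-path checks only work where you have the path at all: behind TLS, a proxy without inspection sees just the SNI/host, so in practice the robust signal is the process-to-destination pairing (an interpreter or LOLBin reaching api.telegram.org or discord.com), with the token and method patterns as confirmation when endpoint or TLS-inspection telemetry provides them. Blocking these hosts outright is rarely acceptable, which is why the allow-list is per process rather than per domain.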
Via Hacker news