
The attacker, known as Tomiris, is believed to have targeted the Russian Ministry of Foreign Affairs, intergovernmental organizations, and government agencies with the goal of establishing remote access and deploying additional tools.
“These attacks highlight a notable change in Tomiris’ tactics, namely the increasing use of implants that leverage public services (such as Telegram and Discord) as command-and-control (C2) servers,” Kaspersky researchers Oleg Kupreev and Artem Ushkov said in an analysis. “This approach may be aimed at mixing malicious traffic with legitimate service activity to avoid detection by security tools.”
The cybersecurity firm said more than 50% of the spear-phishing emails and decoy files in the campaign carried Russian names and Russian-language text, indicating that Russian-speaking users or entities were the primary focus. Spear-phishing emails also targeted Turkmenistan, Kyrgyzstan, Tajikistan, and Uzbekistan, with customized content written in each country’s language.
Attacks against high-value political and diplomatic infrastructure use a combination of reverse shells, custom implants, and open-source C2 frameworks such as Havoc and AdaptixC2 for post-exploitation activity.
Details about Tomiris first emerged in September 2021, when Kaspersky Lab uncovered the inner workings of a backdoor of the same name and identified a link between SUNSHUTTLE (also known as GoldMax), the malware used by Russian APT29 hackers behind the SolarWinds supply chain attack, and Kazuar, the .NET-based spying backdoor used by Turla.

Despite these overlaps, Tomiris is assessed to be a separate threat actor primarily focused on intelligence gathering in Central Asia. In a report published in December 2024, Microsoft linked the Tomiris backdoor to a Kazakhstan-based threat actor tracked as Storm-0473.
Subsequent reports from Cisco Talos, Seqrite Labs, Group-IB, and BI.ZONE strengthened this hypothesis, with analysis identifying overlap with clusters called Cavalry Werewolf, ShadowSilk, Silent Lynx, SturgeonPhisher, and YoroTrooper.
The latest activity documented by Kaspersky starts with a phishing email carrying a malicious password-protected RAR archive; the password needed to open it is included in the body of the email. Inside the archive is an executable that masquerades as a Microsoft Word document (*.doc.exe). When launched, it drops a C/C++ reverse shell responsible for gathering system information and connecting to the C2 server to retrieve AdaptixC2.

The reverse shell also makes changes to the Windows registry to ensure persistence of the downloaded payload. This year alone, three different versions of the malware have been detected.
Alternatively, RAR archives propagated via email have been found to deliver other malware families, which trigger their own infection sequences.
- A Rust-based downloader that collects system information and sends it to a Discord webhook. It creates a Visual Basic Script (VBScript) file and a PowerShell script file, then launches the VBScript with cscript; the VBScript runs the PowerShell script, which retrieves a ZIP file containing the executables associated with Havoc.
- A Python-based reverse shell that uses Discord as its C2 to receive commands, execute them, and exfiltrate the results to the server. It conducts reconnaissance and downloads next-stage implants, including AdaptixC2 and the Python-based FileGrabber, which collects files with the .jpg, .png, .pdf, .txt, .docx, and .doc extensions.
- A Python-based backdoor called Distopia, based on the open-source dystopia-c2 project, that uses Discord as its C2 to run console commands and download additional payloads. These include a Python-based reverse shell that uses Telegram for C2 to run commands on the host and send the output back to the server.
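The common thread in the chains above is C2 traffic to Telegram and Discord from processes that have no business talking to them, plus the *.doc.exe lure. The following is an added detection example (not code from Kaspersky or from the article) that runs over a constructed, hypothetical per-process outbound HTTP log and flags Telegram Bot API use, Discord webhook/message API use from unexpected processes, and double-extension executables; the log format, the allow-list of processes and the tokens are all assumptions of the example.

```python
import re
from dataclasses import dataclass

# Constructed sample log (hypothetical format): one outbound HTTP request per
# line as a host proxy or EDR might record it -> "<process> <method> <url>".
# Tokens and webhook ids are fake placeholders.
SAMPLE_LOG = """\
winword.exe GET https://api.telegram.org/bot123456:AAEXAMPLE/getUpdates
Discord.exe POST https://discord.com/api/v9/channels/1/messages
report.doc.exe POST https://discord.com/api/webhooks/42/abcdef
python.exe GET https://api.telegram.org/bot999:EXAMPLETOKEN/getFile
chrome.exe GET https://discord.com/app
svchost.exe GET https://update.example.invalid/catalog
"""

# Endpoints the article reports Tomiris implants using for C2:
# the Telegram Bot API and Discord webhooks / channel message API.
TELEGRAM_BOT = re.compile(r"^https://api\.telegram\.org/bot[^/]+/\w+")
DISCORD_C2 = re.compile(r"^https://discord\.com/api/(?:webhooks/|v\d+/channels/)")

# Processes expected to reach the Discord API legitimately (assumed allow-list).
ALLOWED_DISCORD = {"discord.exe", "chrome.exe", "firefox.exe", "msedge.exe"}

# Lure pattern from the article: a document extension followed by .exe.
DOUBLE_EXT = re.compile(r"\.(?:doc|docx|pdf|xls|xlsx)\.exe$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    process: str
    reason: str
    url: str


def analyze(log_text: str) -> list[Finding]:
    """Return one Finding per suspicious condition observed in the log."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash on them
        process, _method, url = parts
        proc = process.lower()
        if DOUBLE_EXT.search(proc):
            findings.append(Finding(process, "double-extension executable", url))
        if TELEGRAM_BOT.match(url):
            # Bot API calls from an endpoint process are worth triage regardless of origin.
            findings.append(Finding(process, "telegram-bot-api", url))
        elif DISCORD_C2.match(url) and proc not in ALLOWED_DISCORD:
            findings.append(Finding(process, "discord-api-from-unexpected-process", url))
    return findings
```

Plain GET requests to discord.com (the browser line) are deliberately not flagged, since only the webhook and channel-message endpoints carry C2 semantics here.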

Tomiris’ malware arsenal also includes numerous reverse shells and implants written in various programming languages.
- A C# reverse shell that uses Telegram to receive commands
- A Rust-based malware named JLORAT that can run commands and take screenshots
- A Rust-based reverse shell that uses PowerShell as its shell instead of “cmd.exe”
- A Go-based reverse shell that establishes a TCP connection to run commands via “cmd.exe”
- A C++ reverse shell that establishes a TCP connection to run commands via “cmd.exe” and copies files to the location ‘C:\Users\Public\Libraries\’
- A reverse SOCKS proxy written in C++, a modified version of the open-source Reverse-SOCKS5 project with debug messages removed and the console window hidden
- A reverse SOCKS proxy written in Golang, a modified version of the open-source ReverseSocks5 project with debug messages removed and the console window hidden
“The Tomiris 2025 campaign leverages multilingual malware modules to increase operational flexibility and evade detection by appearing less suspicious,” Kaspersky said. “The evolution of tactics highlights threat actors’ focus on stealth, long-term persistence, and strategic targeting of governments and intergovernmental organizations.”
