Tomiris Cyber Espionage: New Campaign Targets Government and Diplomatic Networks

Listen to this Post

Featured Image
The cybersecurity landscape is witnessing a sophisticated escalation as the threat actor known as Tomiris intensifies its operations targeting foreign ministries, intergovernmental organizations, and government entities, particularly in Russia and Central Asia. Known for its stealthy and technically diverse malware toolkit, Tomiris has refined its methods to blend attacks seamlessly with legitimate services, making detection increasingly challenging.

At its core, the campaign aims to establish remote access and deploy additional tools for intelligence gathering. Kaspersky researchers Oleg Kupreev and Artem Ushkov note a marked shift in tactics, with the threat actor now using implants that exploit public platforms such as Telegram and Discord as command-and-control (C2) servers. This approach allows malicious traffic to masquerade as normal communication, evading traditional security defenses.

The attacks rely heavily on spear-phishing. Over 50% of the emails and decoy files were written in Russian, targeting Russian-speaking individuals and organizations. Other targeted regions include Turkmenistan, Kyrgyzstan, Tajikistan, and Uzbekistan, with localized content in national languages to maximize success. High-value political and diplomatic infrastructure has been compromised using a combination of reverse shells, custom implants, and open-source C2 frameworks like Havoc and AdaptixC2.

Tomiris first came to light in 2021 through Kaspersky’s research on a backdoor linked to SUNSHUTTLE (aka GoldMax) and Kazuar, malware associated with Russian APT29 and Turla groups. Despite technical overlaps, Tomiris operates independently, focusing on intelligence gathering in Central Asia. Microsoft has linked the backdoor to a Kazakhstan-based actor, Storm-0473, a connection further reinforced by reports from Cisco Talos, Seqrite Labs, Group-IB, and BI.ZONE, which align Tomiris with clusters like Cavalry Werewolf, ShadowSilk, Silent Lynx, SturgeonPhisher, and YoroTrooper.

The 2025 campaign begins with phishing emails containing malicious RAR archives. The email provides a password to unlock the file, which hides an executable disguised as a Word document (.doc.exe). Executing the file drops a C/C++ reverse shell, harvesting system information and contacting a C2 server to fetch AdaptixC2. This shell also modifies Windows Registry settings to ensure persistence. Multiple versions of this malware have already been detected this year.

Alternative infection paths include:

A Rust-based downloader sending system data to Discord webhooks, executing VBScript and PowerShell scripts to retrieve Havoc-related executables.

A Python-based reverse shell leveraging Discord for C2, performing reconnaissance and downloading next-stage implants like AdaptixC2 and FileGrabber, capable of harvesting common document and image formats.

A Python-based Distopia backdoor built on the open-source dystopia-c2 project, using Discord for command execution and downloading additional payloads, including Python reverse shells operating over Telegram.

Tomiris’ malware arsenal is diverse, incorporating multiple languages and functionalities:

C reverse shells using Telegram or TCP for command execution

Rust malware (JLORAT) with screenshot capabilities

PowerShell backdoors for arbitrary file downloads

C++ and Go SOCKS proxies modified from open-source projects for stealth operations

According to Kaspersky, this multi-language and multi-platform approach increases operational flexibility, stealth, and long-term persistence, underscoring the actor’s strategic focus on high-value governmental and intergovernmental targets.

What Undercode Say:

The Tomiris campaign represents a significant evolution in cyber-espionage tactics, blending social engineering with highly adaptive malware deployment. By leveraging common communication platforms like Telegram and Discord, the threat actor demonstrates a deep understanding of how to bypass conventional detection mechanisms. Using these platforms as C2 channels allows Tomiris to mimic normal traffic, reducing the risk of triggering security alerts.

Targeting Russian-speaking users initially, but branching out to Central Asian countries with localized content, reflects a highly tailored operational strategy. This indicates that Tomiris is not indiscriminate; instead, it focuses on high-value political, diplomatic, and governmental targets where intelligence payoff is substantial. The use of multi-language malware enhances stealth and allows for cross-platform persistence, a technique increasingly favored in modern APT campaigns.

The modularity of Tomiris’ toolkit—ranging from Rust, Go, C, Python, to PowerShell—allows it to adapt to various environments. For example, Rust-based tools like JLORAT demonstrate a shift toward memory-safe, high-performance malware capable of sophisticated tasks, such as screenshotting and data exfiltration. Meanwhile, the reliance on open-source C2 frameworks like Havoc and Dystopia allows for rapid development and deployment of custom payloads without reinventing foundational code, highlighting the actor’s efficiency and technical sophistication.

Another key observation is the focus on persistence. Registry modifications, multi-stage infection sequences, and cross-language payloads indicate a long-term intelligence-gathering objective rather than short-term disruption. This suggests that Tomiris’ operations are likely funded and supported at a level that allows for sustained espionage activities.

Furthermore, the campaign’s regional focus provides insight into geopolitical priorities. Central Asian states—Turkmenistan, Kyrgyzstan, Tajikistan, Uzbekistan, and Kazakhstan—are increasingly involved in global political, energy, and strategic interests, making them prime targets for espionage. Tomiris’ activity in these areas aligns with intelligence-gathering objectives that could inform broader geopolitical strategies.

From a defensive standpoint, organizations must enhance multi-layered security: behavioral analytics to detect disguised traffic, improved email filtering to catch spear-phishing, and endpoint monitoring capable of detecting cross-language malware. Monitoring commonly used platforms like Telegram and Discord for abnormal traffic could serve as an early warning mechanism, though this is challenging given the volume of legitimate activity.

Finally, the campaign underscores the convergence of traditional APT techniques with modern cloud and communication platforms. Tomiris exemplifies how threat actors are evolving: instead of relying solely on zero-day exploits, they exploit human behavior and widely used services to achieve strategic objectives. This hybrid approach significantly raises the bar for cybersecurity teams, requiring both technological and intelligence-driven solutions.

Fact Checker Results:

✅ Tomiris primarily targets Central Asian and Russian-speaking government and diplomatic entities.
✅ Malware arsenal includes Rust, Python, C, Go, PowerShell, and C++ tools for multi-platform persistence.
❌ There is no confirmed link between Tomiris and Russian APT29; overlaps exist but the actor is assessed as independent.

Prediction:

📌 Tomiris’ campaign will likely expand across other geopolitically sensitive regions, leveraging more mainstream platforms as C2 channels.
📌 Multi-language, modular malware frameworks suggest continued evolution toward stealth and persistence.
📌 Organizations in Central Asia and Russia must anticipate increasingly sophisticated social engineering paired with advanced malware to protect high-value assets.

🕵️‍📝✔️Let’s dive deep and fact‑check.

References:

Reported By: thehackernews.com
Extra Source Hub (Possible Sources for article):
https://www.quora.com
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2
Bing

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon