Tomiris APT Group Enhances Stealth with Public Service Command-and-Control in Government Cyberattacks
The cyber espionage group known as Tomiris has intensified its operations against foreign ministries, intergovernmental organizations, and government entities, particularly within Russia and Central Asia. Their primary objective is to establish remote access to these systems and deploy additional malicious tools.
A significant evolution in Tomiris’s tactics is the adoption of public services like Telegram and Discord as command-and-control (C2) servers. This strategy allows the group to camouflage their malicious activities within legitimate network traffic, thereby evading detection by conventional security measures. Kaspersky researchers Oleg Kupreev and Artem Ushkov noted, "This approach likely aims to blend malicious traffic with legitimate service activity to evade detection by security tools."
The group’s spear-phishing campaigns predominantly target Russian-speaking users or entities, with over half of the malicious emails and decoy files containing Russian names and text. Additionally, Tomiris has extended its reach to countries such as Turkmenistan, Kyrgyzstan, Tajikistan, and Uzbekistan, utilizing content tailored to each nation’s language to enhance the effectiveness of their attacks.
Tomiris employs a multifaceted arsenal in its cyberattacks, including reverse shells, custom implants, and open-source C2 frameworks like Havoc and AdaptixC2. These tools facilitate post-exploitation activities, enabling the group to maintain persistent access and exfiltrate sensitive information from compromised systems.
First identified in September 2021, Tomiris was initially linked to the SUNSHUTTLE (also known as GoldMax) malware used by the Russian APT29 group in the SolarWinds supply chain attack, as well as to Kazuar, a .NET-based espionage backdoor associated with Turla. Despite these connections, Tomiris is now recognized as a distinct threat actor with a primary focus on intelligence gathering in Central Asia.
Microsoft’s December 2024 report connected the Tomiris backdoor to a Kazakhstan-based threat actor designated as Storm-0473. Further analyses by cybersecurity firms such as Cisco Talos, Seqrite Labs, Group-IB, and BI.ZONE have identified overlaps with clusters referred to as Cavalry Werewolf, ShadowSilk, Silent Lynx, SturgeonPhisher, and YoroTrooper, reinforcing the assessment of Tomiris as a separate entity.
The group’s attack vectors are diverse, often initiating with phishing emails containing malicious, password-protected RAR files. These archives typically house executables disguised as Microsoft Word documents (e.g., .doc.exe). When executed, these files deploy a C/C++ reverse shell that gathers system information and communicates with a C2 server to download additional payloads like AdaptixC2.
To ensure persistence, the reverse shell modifies Windows Registry settings, allowing the malware to survive system reboots. In 2025 alone, three distinct versions of this malware have been detected, indicating continuous development and refinement by Tomiris.
Alternatively, the malicious RAR archives have been found to deliver other malware families, each initiating unique infection sequences:
– Rust-Based Downloader: This variant collects system information and sends it to a Discord webhook. It creates Visual Basic Script (VBScript) and PowerShell script files, executing the VBScript to run the PowerShell script, which then fetches a ZIP file containing an executable associated with Havoc.
– Python-Based Reverse Shell: Utilizing Discord as its C2 server, this malware receives commands, executes them, and exfiltrates the results back to the server. It conducts reconnaissance and downloads subsequent implants, including AdaptixC2 and a Python-based FileGrabber designed to harvest files with extensions such as .jpg, .png, .pdf, .txt, .docx, and .doc.
– Python-Based Backdoor (Distopia): Based on the open-source dystopia framework, this backdoor establishes persistent access to the infected system, allowing for continuous data exfiltration and further exploitation.
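Two of the indicators described above lend themselves to simple log- and file-name triage: executables masquerading as documents with a double extension (the .doc.exe lure), and outbound requests to Discord webhook or Telegram Bot API endpoints from processes that are not chat clients or browsers. The following script is an added illustration, not code from the article or from Kaspersky; the proxy-log line format, the host names and process names in the sample, and the allow-list of processes are all constructed assumptions and would need to be adapted to a real environment.

```python
"""
Triage helper for two Tomiris-style indicators (added example, not from the article):
  1. double-extension executables posing as documents, e.g. report.doc.exe
  2. requests to public-service C2 endpoints (Discord webhooks, Telegram Bot API)
     from processes that have no business talking to those APIs.
The proxy-log format "<timestamp> <host> <process> <method> <url>" is an assumed,
constructed layout, not any vendor's real format.
"""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Processes that legitimately reach Discord/Telegram APIs. Assumption: tune per environment.
ALLOWED_PROCESSES = {"discord.exe", "telegram.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

# (label, host pattern, path pattern) for the public services the report names as C2 channels.
PUBLIC_C2_PATTERNS = [
    ("discord-webhook",
     re.compile(r"^(?:[\w-]+\.)?discord(?:app)?\.com$", re.IGNORECASE),
     re.compile(r"^/api/(?:v\d+/)?webhooks/")),
    ("telegram-bot-api",
     re.compile(r"^api\.telegram\.org$", re.IGNORECASE),
     re.compile(r"^/bot")),
]

# A document-looking extension immediately followed by an executable one.
DOUBLE_EXT = re.compile(r"\.(?:doc|docx|pdf|xls|xlsx|txt)\.(?:exe|scr|com|bat|vbs)$", re.IGNORECASE)

# Constructed sample proxy lines: one benign browser hit, one webhook POST from an
# unexpected process, one Telegram Bot API call from python.exe, one ordinary site.
SAMPLE_PROXY_LOG = """\
2025-01-15T09:01:02Z WS-0412 chrome.exe GET https://discord.com/api/v9/channels/1/messages
2025-01-15T09:01:09Z WS-0412 update.exe POST https://discord.com/api/webhooks/1234/abcd
2025-01-15T09:02:33Z WS-0417 python.exe GET https://api.telegram.org/botTOKEN/getUpdates
2025-01-15T09:03:00Z WS-0417 msedge.exe GET https://www.example.org/
"""

# Constructed file names as they might appear inside an extracted archive.
SAMPLE_FILENAMES = ["report.doc.exe", "budget.docx", "notes.pdf.scr"]


@dataclass
class Finding:
    kind: str
    detail: str


def check_filename(name: str) -> Optional[Finding]:
    """Flag names like report.doc.exe; a plain .docx returns None."""
    if DOUBLE_EXT.search(name):
        return Finding("double-extension-executable", name)
    return None


def check_proxy_line(line: str) -> Optional[Finding]:
    """Flag Discord webhook / Telegram Bot API traffic from a non-allow-listed process."""
    parts = line.split(maxsplit=4)
    if len(parts) != 5:
        return None  # malformed or empty line
    _ts, host, process, _method, url = parts
    parsed = urlparse(url)
    hostname = parsed.hostname or ""
    for label, host_re, path_re in PUBLIC_C2_PATTERNS:
        if host_re.match(hostname) and path_re.match(parsed.path):
            if process.lower() not in ALLOWED_PROCESSES:
                return Finding(label, f"{host} {process} -> {url}")
    return None


def scan(proxy_log: str, filenames: List[str]) -> List[Finding]:
    """Run both checks; proxy findings come first, then file-name findings."""
    findings: List[Finding] = []
    for line in proxy_log.splitlines():
        f = check_proxy_line(line)
        if f:
            findings.append(f)
    for name in filenames:
        f = check_filename(name)
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_PROXY_LOG, SAMPLE_FILENAMES):
        print(f"[{finding.kind}] {finding.detail}")
```

The process allow-list is the weak point of this check: a legitimate Discord client reaching a webhook URL is not flagged, while any unlisted binary is, so in practice the list should be derived from what actually runs in the estate rather than hard-coded. The double-extension pattern is deliberately narrow (document extension directly followed by an executable one) to keep false positives low on ordinary archives.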
The strategic use of public services for C2 operations represents a calculated move by Tomiris to blend malicious activities with legitimate network traffic, complicating detection efforts. This tactic underscores the group’s adaptability and the evolving nature of cyber threats targeting government and diplomatic entities.
Organizations, especially those within the public sector, must remain vigilant against such sophisticated threats. Implementing robust cybersecurity measures, including employee training on recognizing phishing attempts, regular system updates, and advanced threat detection systems, is crucial in mitigating the risks posed by groups like Tomiris.