Tomiris Hacker Group Intensifies Global Cyber Campaigns with New Tools and Tactics Targeting Diplomats

Tomiris Hacker Group Enhances Global Cyber Attacks with Advanced Tools and Techniques

The Tomiris hacker group has reemerged with a sophisticated campaign targeting foreign ministries and government entities worldwide. Beginning in early 2025, this advanced persistent threat (APT) actor shifted its operational strategy to focus on high-value diplomatic infrastructure. By leveraging a diverse array of programming languages—including Go, Rust, C/C++, and Python—the group has enhanced its ability to bypass traditional security measures while maintaining a low profile within compromised networks.

Spear-Phishing Tactics

Tomiris initiates its attacks with precision spear-phishing emails containing password-protected archives. These emails often disguise malicious executables with double extensions or misleading office-document icons, obscuring the initial infection vector. The archive passwords typically follow predictable patterns, such as min@2025, yet this simple step is enough to defeat automated email scanners, which cannot inspect the encrypted contents.
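A defensive check for the double-extension trick described above, written as an added example for this article (it is not tooling from the report or from any vendor): given the file names listed inside an incoming archive, it flags entries whose final extension is executable and whose preceding extension mimics a document, and returns a triage verdict. The extension lists and the sample file names are constructed for illustration and are not exhaustive.

```python
# Executable extensions that run when double-clicked on Windows (constructed list, not exhaustive)
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "lnk", "msi", "ps1"}
# Document-like extensions an attacker places in front of the real one (constructed list)
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx",
                 "txt", "jpg", "png"}


def split_extensions(name):
    """Return the lowercase extension chain of a file name.
    'Invitation.pdf .scr' -> ['pdf', 'scr']  (whitespace padding is stripped)."""
    base = name.lower().rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    parts = [p.strip() for p in base.split(".")]
    return parts[1:] if len(parts) > 1 else []


def classify_attachment(name):
    """Classify one file name from an email attachment or archive listing.
    Returns 'double_extension', 'executable' or 'benign'."""
    exts = split_extensions(name)
    if not exts:
        return "benign"
    if exts[-1] in EXECUTABLE_EXTS:
        if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
            return "double_extension"
        return "executable"
    return "benign"


def triage_archive(entries):
    """Given the file names inside an archive, return (verdict, flagged_names).
    'block'  : at least one document-mimicking executable
    'review' : a plain executable with no disguise
    'allow'  : nothing executable found"""
    flagged = [n for n in entries if classify_attachment(n) != "benign"]
    if any(classify_attachment(n) == "double_extension" for n in flagged):
        return "block", flagged
    if flagged:
        return "review", flagged
    return "allow", []


if __name__ == "__main__":
    # Constructed archive listing for demonstration
    sample = ["agenda.docx", "Invitation.pdf .scr", "notes.txt"]
    print(triage_archive(sample))
```

Because the archive itself is password-protected, a mail gateway that cannot open it only sees the outer file; the listing check above is meant to run at the point where the archive is eventually opened (sandbox detonation with the password from the mail body, or an endpoint hook on extraction), and a gateway should treat an archive it cannot inspect as its own review signal.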

Command-and-Control Evolution

Once executed, the payloads establish persistence and deploy additional malicious tools and backdoors. Notably, Tomiris has increasingly adopted public services like Telegram and Discord for command-and-control (C2) communications. This tactical evolution allows malicious traffic to blend seamlessly with legitimate network activity, complicating detection efforts by security teams. Furthermore, the group has begun deploying open-source post-exploitation frameworks such as Havoc and AdaptixC2, signaling a move toward more modular and resilient attack chains. This blend of custom implants and open-source tools makes attribution and mitigation significantly more challenging for defenders.

The Rust Downloader Mechanism

A standout component of this campaign is the previously undocumented Tomiris Rust Downloader. Unlike typical data exfiltration tools, this implant performs targeted reconnaissance by scanning specific drives for sensitive file types, including .pdf, .docx, and .xlsx. Interestingly, it does not immediately steal these files; instead, it compiles a list of file paths and transmits this data to a Discord webhook using a multipart POST request. The malware employs a payload_json field for system information and a file field for the path list, ensuring structured data exfiltration.

The malware is programmed to avoid detection by ignoring specific directories such as Program Files, Windows, and AppData. Upon successfully sending the file list, the downloader creates a Visual Basic script (`script.vbs`) that executes a PowerShell script (`script.ps1`). This script contains a loop that attempts to retrieve a secondary payload—often a ZIP archive containing further executables—every minute.
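The staged chain above (a VBS launcher starting a PowerShell script, a multipart POST to a Discord webhook, and a download retried every minute) leaves three observable traces a defender can hunt for. The following is an added detection example written for this article, not code from the report; the process events and proxy log lines are constructed, the event fields are only loosely modelled on Sysmon process-creation data, the webhook URL uses a placeholder ID and token, and the URL pattern relies on Discord's public webhook endpoint format.

```python
import re
from datetime import datetime

# Directories an unprivileged user can write to (constructed pattern)
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\", re.IGNORECASE)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# Discord's public webhook endpoint shape; the ID/token in the samples are placeholders
WEBHOOK_URL = re.compile(r"^https://(?:\w+\.)?discord(?:app)?\.com/api/webhooks/", re.IGNORECASE)
# Processes for which a webhook POST is plausible (constructed allowlist)
EXPECTED_WEBHOOK_CLIENTS = ("discord.exe", "chrome.exe", "firefox.exe", "msedge.exe")

# Constructed process-creation events: pid, parent pid, image path, command line
SAMPLE_PROCESS_EVENTS = [
    {"pid": 4100, "ppid": 3980, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\AppData\Roaming\script.vbs"'},
    {"pid": 4120, "ppid": 4100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -File "C:\Users\alice\AppData\Roaming\script.ps1"'},
    {"pid": 5000, "ppid": 800, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Program Files\Vendor\maint.vbs"'},
    {"pid": 5200, "ppid": 5000, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c dir"},
]

# Constructed proxy log lines: timestamp method url content-type process-image
SAMPLE_PROXY_LINES = [
    "2025-03-01T10:00:01Z POST https://discord.com/api/webhooks/0000/placeholder multipart/form-data C:\\Users\\alice\\AppData\\Roaming\\update.exe",
    "2025-03-01T10:00:03Z GET https://www.example.org/ - C:\\Program Files\\Mozilla Firefox\\firefox.exe",
    "2025-03-01T10:01:00Z GET https://cdn.example.net/stage2.zip - C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "2025-03-01T10:02:01Z GET https://cdn.example.net/stage2.zip - C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "2025-03-01T10:03:00Z GET https://cdn.example.net/stage2.zip - C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
]


def find_script_chains(events):
    """Return (vbs_path, ps1_path) pairs where a script host ran a .vbs from a
    user-writable directory and its child process was PowerShell running a .ps1."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for child in events:
        if not child["image"].lower().endswith("powershell.exe"):
            continue
        parent = by_pid.get(child["ppid"])
        if parent is None or not parent["image"].lower().endswith(SCRIPT_HOSTS):
            continue
        vbs = re.search(r'"?([^"\s]+\.vbs)"?', parent["cmdline"], re.IGNORECASE)
        ps1 = re.search(r'"?([^"\s]+\.ps1)"?', child["cmdline"], re.IGNORECASE)
        if vbs and ps1 and USER_WRITABLE.search(vbs.group(1)):
            hits.append((vbs.group(1), ps1.group(1)))
    return hits


def parse_proxy_line(line):
    """Split one constructed proxy line; the process path may contain spaces, so it is last."""
    ts, method, url, ctype, process = line.split(" ", 4)
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "method": method, "url": url, "ctype": ctype, "process": process}


def find_webhook_uploads(lines):
    """Flag multipart POSTs to a Discord webhook from a process that is neither a browser
    nor the Discord client (the report describes the path list going out this way)."""
    hits = []
    for rec in map(parse_proxy_line, lines):
        if rec["method"] != "POST" or not WEBHOOK_URL.match(rec["url"]):
            continue
        if not rec["ctype"].lower().startswith("multipart/form-data"):
            continue
        exe = rec["process"].rsplit("\\", 1)[-1].lower()
        if exe not in EXPECTED_WEBHOOK_CLIENTS:
            hits.append((rec["process"], rec["url"]))
    return hits


def find_periodic_fetches(lines, period_s=60, tolerance_s=5, min_hits=3):
    """Group GET requests by (process, url) and flag series polled at a near-constant period,
    matching the once-a-minute retry loop described for script.ps1."""
    series = {}
    for rec in map(parse_proxy_line, lines):
        if rec["method"] == "GET":
            series.setdefault((rec["process"], rec["url"]), []).append(rec["ts"])
    hits = []
    for key, stamps in series.items():
        stamps.sort()
        if len(stamps) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if all(abs(g - period_s) <= tolerance_s for g in gaps):
            hits.append(key)
    return hits


if __name__ == "__main__":
    print("script chains:", find_script_chains(SAMPLE_PROCESS_EVENTS))
    print("webhook uploads:", find_webhook_uploads(SAMPLE_PROXY_LINES))
    print("periodic fetches:", find_periodic_fetches(SAMPLE_PROXY_LINES))
```

Each of the three checks fires on a different stage of the chain, so a single true positive is corroborated by the others: the process-tree rule catches the launcher regardless of which domain the payload is fetched from, the webhook rule catches the reconnaissance upload even if the script names change, and the periodicity rule catches the retry loop even when the second-stage URL is otherwise unknown. In production the periodicity check should be scoped to non-browser processes and tuned for legitimate pollers (update agents, monitoring clients) before alerting.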

This meticulous approach to reconnaissance and staged delivery highlights the group’s intent to remain undetected while systematically identifying high-value data for future exfiltration and exploitation.