Tomiris Shifts To Public-service Implants For Stealthier C2 In...

The threat actor known as Tomiris has been attributed to attacks targeting foreign ministries, intergovernmental organizations, and government entities in Russia with an aim to establish remote access and deploy additional tools.

"These attacks highlight a notable shift in Tomiris's tactics, namely the increased use of implants that leverage public services (e.g., Telegram and Discord) as command-and-control (C2) servers," Kaspersky researchers Oleg Kupreev and Artem Ushkov said in an analysis. "This approach likely aims to blend malicious traffic with legitimate service activity to evade detection by security tools."

The cybersecurity company said more than 50% of the spear-phishing emails and decoy files used in the campaign used Russian names and contained Russian text, indicating that Russian-speaking users or entities were the primary focus. The spear-phishing emails have also targeted Turkmenistan, Kyrgyzstan, Tajikistan, and Uzbekistan using tailored content written in their respective national languages.

The attacks aimed at high-value political and diplomatic infrastructure have leveraged a combination of reverse shells, custom implants, and open-source C2 frameworks like Havoc and AdaptixC2 to facilitate post-exploitation.

Details of Tomiris first emerged in September 2021 when Kaspersky shed light on the inner workings of a backdoor of the same name, pinpointing its links with SUNSHUTTLE (aka GoldMax), a malware used by the Russian APT29 hackers behind the SolarWinds supply chain attack, and Kazuar, a .NET-based espionage backdoor used by Turla.

Despite these overlaps, Tomiris is assessed to be a different threat actor that mainly focuses on intelligence gathering in Central Asia. Microsoft, in a report published in December 2024, connected the Tomiris backdoor to a Kazakhstan-based threat actor it tracks as Storm-0473.

Subsequent reports from Cisco Talos, Seqrite Labs, Group-IB, and BI.ZONE have strengthened this hypothesis, with the analyses identifying overlaps with clusters referred to as Cavalry Werewolf, ShadowSilk, Silent Lynx, SturgeonPhisher, and YoroTrooper.

The latest activity documented by Kaspersky begins with phishing emails containing malicious password-protected RAR files. The password to open the archive is included in the text of the email. Present within the file is an executable masquerading as a Microsoft Word document (*.doc.exe) that, when launched, drops a C/C++ reverse shell that's responsible for gathering system

Source: The Hacker News