- Tomiris APT targets government agencies with multilingual malware implants
- The group hides C2 traffic in Telegram/Discord using phishing for initial access
- The campaign focuses on state-level intelligence targeting Russia and Central Asian institutions
Tomiris, a Russian-speaking APT hacking group, has narrowed its attack focus to target government ministries, intergovernmental organizations and politically significant institutions.
This is according to a new report from cybersecurity researchers at Kaspersky, which states that since the beginning of 2025 there has been a wave of intrusions in which Tomiris deployed a large arsenal of multilingual implants.
The tools, written in Go, Rust, Python, and PowerShell (among others), were designed for flexibility, obfuscation, and to make attribution more difficult.
Targeted Russian and Central Asian victims
Tomiris now hosts its command-and-control (C2) infrastructure on public services such as Telegram and Discord, Kaspersky said, which lets it blend malicious traffic into normal, encrypted message streams.
Several reverse shells, such as Tomiris Python, Discord ReverseShell, or Tomiris Python Telegram ReverseShell, rely entirely on these platforms both to receive commands and to exfiltrate stolen data.
Initial access is usually achieved via phishing lures written in Russian. Once the first-stage malware is deployed, the attackers lurk, run system commands and deploy the second-stage malware. Kaspersky also said that frameworks such as Havoc and AdaptixC2 appear in later stages and are used for persistence, lateral movement and device takeover.
More than half of Tomiris’ phishing lures target Russian-speaking individuals or institutions, it said. The rest are located in Central Asian nations such as Turkmenistan, Kyrgyzstan, Tajikistan and Uzbekistan. Kaspersky also emphasizes that this is not opportunistic crime, but rather a campaign centered on state-level intelligence gathering.
“The evolution in tactics underscores the threat actor’s focus on stealth, long-term persistence, and the strategic targeting of government and intergovernmental organizations,” concludes Kaspersky. “The use of public services for C2 communications and multilingual implants highlights the need for advanced detection strategies, such as behavioral analysis and network traffic inspection, to effectively identify and mitigate such threats.”
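As an added defender-side illustration (not from the Kaspersky report or this article), the following Python flags the pattern described above: processes other than known messaging clients reaching Telegram or Discord API hosts, with a cadence check for regular beaconing. The allowlist of expected client processes and the JSON event format are assumptions, and the sample events are constructed.

```python
import json
from collections import defaultdict
from statistics import mean, pstdev

# Public-service hosts the report names as C2 channels (Telegram, Discord).
C2_CAPABLE_HOSTS = {"api.telegram.org", "discord.com", "discordapp.com", "gateway.discord.gg"}
# Assumed allowlist of processes expected to talk to those services; tune per environment.
EXPECTED_CLIENTS = {"telegram.exe", "discord.exe", "chrome.exe", "firefox.exe", "msedge.exe"}

# Constructed sample EDR/proxy events as JSON lines (not real telemetry).
SAMPLE_EVENTS = """\
{"ts": 1700000000, "host": "ws-17", "process": "discord.exe", "dst": "gateway.discord.gg"}
{"ts": 1700000010, "host": "ws-17", "process": "python.exe", "dst": "api.telegram.org"}
{"ts": 1700000070, "host": "ws-17", "process": "python.exe", "dst": "api.telegram.org"}
{"ts": 1700000130, "host": "ws-17", "process": "python.exe", "dst": "api.telegram.org"}
{"ts": 1700000190, "host": "ws-17", "process": "python.exe", "dst": "api.telegram.org"}
{"ts": 1700000200, "host": "ws-09", "process": "chrome.exe", "dst": "discord.com"}
{"ts": 1700000300, "host": "ws-09", "process": "powershell.exe", "dst": "discord.com"}
"""


def find_suspicious(jsonl, min_beacons=3, max_jitter=0.2):
    """Return one finding per (host, process, dst) where a non-allowlisted process
    contacts a messaging-service host; 'beaconing' is True when the connection
    cadence is regular (at least min_beacons events, low spread relative to mean gap)."""
    groups = defaultdict(list)
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev["dst"] in C2_CAPABLE_HOSTS and ev["process"].lower() not in EXPECTED_CLIENTS:
            groups[(ev["host"], ev["process"], ev["dst"])].append(ev["ts"])
    findings = []
    for (host, proc, dst), stamps in sorted(groups.items()):
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        # Short-circuit keeps mean()/pstdev() from running on too few gaps.
        beaconing = (len(stamps) >= min_beacons and mean(gaps) > 0
                     and pstdev(gaps) / mean(gaps) <= max_jitter)
        findings.append({"host": host, "process": proc, "dst": dst,
                         "count": len(stamps), "beaconing": beaconing})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_EVENTS):
        print(finding)
```

In real telemetry, pair the allowlist with parent-process and signing checks, since a legitimate browser can also be abused as the carrier.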
Via Hacker News