The threat actor known as Tomiris has been observed conducting a campaign specifically aimed at governmental bodies, intergovernmental organizations, and foreign ministries within Russia. The primary goal of these attacks is to secure remote access to the victims’ systems and then deploy further malicious tools for espionage. This recent activity represents a notable development in Tomiris’s operational methodology, most visibly the heightened reliance on custom implants that use popular, legitimate communication platforms such as Telegram and Discord as their command-and-control (C2) infrastructure. This technique is likely employed to make the malicious network traffic appear legitimate, allowing it to blend in with normal service activity and thereby evade existing security detection mechanisms.
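Because the C2 traffic described above goes to the same hostnames the legitimate Telegram and Discord clients use, the destination alone is not a useful signal; what stands out is *which process* is talking to those hosts and *which API path* it uses. The following added example (not code from the report or from any of the vendors named on this page) runs that logic over a few constructed endpoint-telemetry records. The allow-list of expected client images and the log format are assumptions to be tuned per environment.

```python
"""
Flag processes that reach Telegram/Discord API endpoints but are not the
expected clients.  Sample telemetry below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Hostnames the legitimate services use.  C2 abuse rides on these same
# names, so the host by itself is never the alert condition.
MESSAGING_API_HOSTS = {
    "api.telegram.org": "telegram",
    "discord.com": "discord",
    "discordapp.com": "discord",
}

# Assumed allow-list: process images expected to reach those hosts.
EXPECTED_CLIENTS = {
    "telegram": {"telegram.exe"},
    "discord": {"discord.exe", "update.exe"},
}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}


@dataclass
class Conn:
    ts: str
    host: str
    process: str  # image name as logged by the endpoint sensor
    url: str


def classify(conn: Conn) -> Optional[str]:
    """Return a finding label, or None if the connection looks benign."""
    service = MESSAGING_API_HOSTS.get(conn.host.lower())
    if service is None:
        return None  # not a messaging-platform host; out of scope here
    proc = conn.process.lower()
    if proc in EXPECTED_CLIENTS[service] or proc in BROWSERS:
        # Even an expected image is suspicious when it hits bot/webhook paths:
        # humans browse discord.com, implants post to /api/webhooks and
        # poll api.telegram.org/bot<token>/...
        path = urlsplit(conn.url).path
        if service == "telegram" and path.startswith("/bot"):
            return f"{service}-bot-api-from-{proc}"
        if service == "discord" and path.startswith("/api/webhooks"):
            return f"{service}-webhook-from-{proc}"
        return None
    return f"{service}-api-from-unexpected-process:{proc}"


def triage(conns: List[Conn]) -> List[Tuple[str, str]]:
    """Return (timestamp, finding) pairs for every connection worth a look."""
    out = []
    for c in conns:
        label = classify(c)
        if label:
            out.append((c.ts, label))
    return out


# Constructed sample records (TOKEN_PLACEHOLDER stands in for a bot token).
SAMPLE = [
    Conn("10:01", "discord.com", "Discord.exe", "https://discord.com/api/v9/gateway"),
    Conn("10:02", "api.telegram.org", "report.doc.exe",
         "https://api.telegram.org/botTOKEN_PLACEHOLDER/getUpdates"),
    Conn("10:03", "discord.com", "svchost.exe", "https://discord.com/api/webhooks/1/abc"),
    Conn("10:04", "discord.com", "chrome.exe", "https://discord.com/channels/@me"),
    Conn("10:05", "example.com", "curl.exe", "https://example.com/"),
]

if __name__ == "__main__":
    for ts, finding in triage(SAMPLE):
        print(ts, finding)
```

Run against the sample, only the two records from non-client images (the `.doc.exe` process polling the Telegram Bot API and `svchost.exe` posting to a Discord webhook) are reported; the real Discord client and a browser session on `discord.com` stay quiet. In production the process field would come from an EDR or proxy log that records the originating image, and the allow-list would also carry signer checks rather than bare image names, since an implant can trivially rename itself.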
Analysis of the campaign reveals a clear focus on targets within the Russian-speaking world, with over half of the spear-phishing emails and decoy documents containing Russian-language text and using Russian names. While Russian entities are the core focus, the campaign’s scope extends to Central Asia, with spear-phishing content tailored in the national languages of Turkmenistan, Kyrgyzstan, Tajikistan, and Uzbekistan. These attacks, which concentrate on high-value political and diplomatic infrastructure, use a mix of post-exploitation tools, including standard reverse shells, proprietary custom implants, and well-known open-source C2 frameworks such as Havoc and AdaptixC2, all intended to sustain the compromise and exfiltrate data.
The initial awareness of Tomiris surfaced in September 2021 when Kaspersky detailed a backdoor sharing the same name. At that time, links were established between the Tomiris backdoor and SUNSHUTTLE (also known as GoldMax), a malware used by the Russian-aligned APT29 group linked to the SolarWinds supply chain attack, as well as Kazuar, a .NET-based espionage backdoor associated with the Turla threat group. However, despite these shared connections in malware lineage and historical overlaps, current assessments suggest that Tomiris operates as a distinct and separate threat actor, with its primary mandate being intelligence collection centered on Central Asian nations.
This hypothesis of Tomiris being a unique entity has been further supported and solidified by numerous reports from other leading cybersecurity firms. Microsoft, in a December 2024 publication, formally linked the Tomiris backdoor to a threat actor based in Kazakhstan that they track under the designation Storm-0473. Additionally, reports from security groups including Cisco Talos, Seqrite Labs, Group-IB, and BI.ZONE have reinforced this conclusion, with their analyses revealing overlaps with various named clusters such as Cavalry Werewolf, ShadowSilk, Silent Lynx, SturgeonPhisher, and YoroTrooper, suggesting a complex, evolving landscape of associated activities.
The most recent documented attack sequence, as reported by Kaspersky, begins with the delivery of spear-phishing emails containing a password-protected RAR archive. The password needed to open the archive is supplied in the body of the email itself, which keeps mail-gateway scanners from inspecting the contents. Inside the extracted archive, victims find an executable disguised as a Microsoft Word document, typically with a *.doc.exe double extension. When this masquerading file is executed, it first drops a C/C++ reverse shell. This initial reverse shell performs reconnaissance by gathering system information and then contacts a C2 server to download the AdaptixC2 framework, completing the initial stage of the compromise.
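Two parts of that delivery chain are cheap to detect at the mail gateway even when the archive itself cannot be opened: an archive attachment whose password appears in the message body, and an archive member whose name carries a document extension directly in front of an executable one (`*.doc.exe`). The following added example (not code from the report) implements both checks over a constructed message. The password regex and the extension sets are assumptions; the Russian keyword reflects the Russian-language lures described on this page, and the example generalizes the `.doc.exe` case to other document/executable pairings.

```python
"""
Mail-gateway triage for the delivery pattern described above:
  1. archive attachment + password disclosed in the email body
  2. archive member with a document extension masking an executable one
All sample input is constructed for illustration.
"""
import re
from typing import Dict, List

DOC_EXTS = {"doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "rtf", "txt"}
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "lnk"}
ARCHIVE_SUFFIXES = (".rar", ".zip", ".7z")

# "password: 1234", "Password 1234", "Пароль: 1234" (assumed keyword list).
ARCHIVE_PASSWORD_RE = re.compile(
    r"(?:password|passwd|пароль)\s*[:：]?\s*(\S+)", re.IGNORECASE
)


def normalize_name(name: str) -> str:
    """Lower-case and drop whitespace padding inserted before an extension
    (e.g. 'report.doc          .exe'), a common way to hide the real suffix."""
    return re.sub(r"\s+\.", ".", name.strip().lower())


def is_masqueraded_executable(name: str) -> bool:
    """True for names like 'report.doc.exe': a document extension sits
    immediately before an executable extension."""
    parts = normalize_name(name).rsplit(".", 2)
    if len(parts) < 3:
        return False
    _, inner, outer = parts
    return inner in DOC_EXTS and outer in EXEC_EXTS


def triage_message(body: str, attachments: Dict[str, List[str]]) -> List[str]:
    """attachments maps attachment filename -> member names listed inside it
    (an empty list when the attachment is not an archive or could not be
    listed).  Returns human-readable findings."""
    findings: List[str] = []
    password = ARCHIVE_PASSWORD_RE.search(body)
    for att, members in attachments.items():
        if att.lower().endswith(ARCHIVE_SUFFIXES) and password:
            findings.append(f"{att}: archive password disclosed in email body")
        for member in members:
            if is_masqueraded_executable(member):
                findings.append(f"{att} -> {member}: executable masquerading as document")
    return findings


# Constructed sample message: Russian-language lure, password in body,
# RAR archive containing a double-extension executable.
SAMPLE_BODY = "Документы по встрече во вложении. Пароль: 1234"
SAMPLE_ATTACHMENTS = {
    "materials.rar": ["Отчёт.doc.exe"],
    "agenda.pdf": [],
}

if __name__ == "__main__":
    for line in triage_message(SAMPLE_BODY, SAMPLE_ATTACHMENTS):
        print(line)
```

The member list would normally come from the archive's central directory, which RAR and ZIP expose without the password, so the double-extension check works precisely in the case where content scanning cannot. Either finding alone is a reasonable reason to quarantine; both together match the delivery pattern this page describes.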