- Tomiris APT targets government agencies with multi-language malware implants
- Group hides C2 traffic on Telegram/Discord, using phishing for initial access
- The campaign focuses on state-level intelligence and affects Russia and Central Asian institutions.
Tomiris, a Russian-speaking APT group, has narrowed its attack focus to government ministries, intergovernmental organizations and politically important institutions.
This is according to a new report from cybersecurity researchers at Kaspersky, which states that since the beginning of 2025 there has been a wave of intrusions in which Tomiris deployed a large arsenal of multilingual implants.
The tools, written in Go, Rust, Python, and PowerShell (among others), were designed for flexibility and obfuscation, as well as making attribution difficult.
Targeting Russian and Central Asian victims
Tomiris is now said to be hiding its command and control (C2) infrastructure behind public services such as Telegram and Discord, which lets it blend malicious traffic into normal encrypted messaging flows.
Various reverse shells, such as Tomiris Python Discord ReverseShell and Tomiris Python Telegram ReverseShell, depend entirely on these platforms both to receive commands and to exfiltrate stolen data.
Initial access is usually achieved through phishing, using lures written in Russian. Once the stage-one malware is deployed, the attackers lie in wait, execute system commands, and then deploy stage-two malware. Kaspersky also said that frameworks such as Havoc and AdaptixC2 appear in later phases and are used for persistence, lateral movement, and device takeover.
More than half of Tomiris’ phishing lures were said to target Russian-speaking individuals or institutions. The rest are found in Central Asian countries such as Turkmenistan, Kyrgyzstan, Tajikistan and Uzbekistan. Kaspersky also emphasizes that this is not an opportunistic crime, but rather a campaign focused on state-level intelligence gathering.
“The evolution of tactics underscores the threat actor’s focus on stealth, long-term persistence, and strategic targeting of governments and intergovernmental organizations,” Kaspersky concludes. “The use of utilities for C2 communications and multilingual implants highlights the need for advanced detection strategies, such as behavioral analysis and network traffic inspection, to effectively identify and mitigate such threats.”
Via Hacker News