Tomiris Shifts to Public-Service Implants for Stealthier C2 in Attacks on Government Targets
Briefly

"The threat actor known as Tomiris has been attributed to attacks targeting foreign ministries, intergovernmental organizations, and government entities in Russia with an aim to establish remote access and deploy additional tools. "These attacks highlight a notable shift in Tomiris's tactics, namely the increased use of implants that leverage public services (e.g., Telegram and Discord) as command-and-control (C2) servers," Kaspersky researchers Oleg Kupreev and Artem Ushkov said in an analysis."
"The cybersecurity company said more than 50% of the spear-phishing emails and decoy files used in the campaign used Russian names and contained Russian text, indicating that Russian-speaking users or entities were the primary focus. The spear-phishing emails have also targeted Turkmenistan, Kyrgyzstan, Tajikistan, and Uzbekistan using tailored content written in their respective national languages. The attacks aimed at high-value political and diplomatic infrastructure have leveraged a combination of reverse shells, custom implants, and open-source C2 frameworks like Havoc and AdaptixC2 to facilitate post-exploitation."
Tomiris targets foreign ministries, intergovernmental organizations, and government entities to establish remote access and deploy additional tools. The campaign predominantly uses spear-phishing and decoy files tailored in Russian and Central Asian national languages, with over half of lures employing Russian names and text. Implants increasingly leverage public services such as Telegram and Discord as command-and-control channels to blend malicious traffic with legitimate service activity. Post-exploitation tooling includes reverse shells, custom implants, and open-source C2 frameworks like Havoc and AdaptixC2. The Tomiris backdoor shows overlaps with SUNSHUTTLE (GoldMax) and Kazuar while being assessed as a distinct intelligence-focused actor operating mainly in Central Asia and linked to Kazakhstan-based activity tracked as Storm-0473.
Read at The Hacker News