Ethical Hacking News
Kaspersky has documented a new wave of activity by Tomiris, a threat actor that now uses public services such as Telegram and Discord as command-and-control (C2) servers and delivers its implants through spear-phishing emails aimed at government entities and intergovernmental organizations in Russia and Central Asia. The intrusions chain reverse shells, custom implants and open-source C2 frameworks for post-exploitation, and the actor overlaps with clusters other vendors track as Storm-0473 and Cavalry Werewolf. Hiding C2 inside traffic to legitimate services and shipping payloads in password-protected RAR archives make both network and mail-gateway detection harder.
Tomiris has been attributed to attacks on foreign ministries, intergovernmental organizations, and government entities in Russia, with the aim of establishing remote access and deploying additional tools.
According to Kaspersky researchers Oleg Kupreev and Artem Ushkov, the threat actor has been using implants that leverage public services such as Telegram and Discord as command-and-control (C2) servers. This approach aims to blend malicious traffic with legitimate service activity, making it challenging for security tools to detect the attacks.
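The blending the researchers describe is only partial: a workstation that polls the Telegram Bot API every 60 seconds from curl looks nothing like a user running the Telegram desktop client. The Python script below is an added example, not Kaspersky's or the article's code; it runs a beaconing check over constructed proxy-log lines, and the log format, the watchlisted hostnames, the user-agent allow-list and the thresholds are assumptions for illustration.

```python
"""Detect periodic beaconing to Telegram / Discord API hosts in proxy logs.

Added example for this article, not Kaspersky's or Tomiris's code. The log
format, watchlisted hostnames, thresholds and sample lines are assumptions
constructed for illustration; adapt the parser to your own proxy's format.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Public-service API hosts abused as C2 in the activity described above.
C2_WATCHLIST = {
    "api.telegram.org": "telegram-bot-api",
    "discord.com": "discord-api",
    "discordapp.com": "discord-api",
}
# User-agent prefixes expected for genuine client traffic to those hosts
# (assumption: browsers and the official desktop clients).
EXPECTED_UA_PREFIXES = ("Mozilla/", "Discord/", "Telegram")

# Assumed log line: <iso-timestamp> <src-ip> <dest-host> <path> "<user-agent>"
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) (?P<host>\S+) (?P<path>\S+) "(?P<ua>[^"]*)"$')

# Constructed sample: one host polling the Bot API every ~60 s from curl,
# one host using Discord from a browser at irregular times, one unrelated line.
SAMPLE_LOG = """\
2025-11-20T09:00:00 10.1.1.25 api.telegram.org /botTOKEN/getUpdates "curl/8.4.0"
2025-11-20T09:01:00 10.1.1.25 api.telegram.org /botTOKEN/getUpdates "curl/8.4.0"
2025-11-20T09:02:01 10.1.1.25 api.telegram.org /botTOKEN/getUpdates "curl/8.4.0"
2025-11-20T09:03:00 10.1.1.25 api.telegram.org /botTOKEN/getUpdates "curl/8.4.0"
2025-11-20T09:04:00 10.1.1.25 api.telegram.org /botTOKEN/sendDocument "curl/8.4.0"
2025-11-20T09:00:12 10.1.1.40 discord.com /api/v9/channels/1/messages "Mozilla/5.0 (Windows NT 10.0)"
2025-11-20T09:17:45 10.1.1.40 discord.com /api/v9/channels/1/messages "Mozilla/5.0 (Windows NT 10.0)"
2025-11-20T11:02:03 10.1.1.40 discord.com /api/v9/gateway "Mozilla/5.0 (Windows NT 10.0)"
2025-11-20T09:00:30 10.1.1.77 www.example.com /index.html "Mozilla/5.0 (Windows NT 10.0)"
"""


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def find_beacons(lines, min_hits=4, max_cv=0.2):
    """Group watchlisted requests by (source, host) and flag pairs that either
    beacon at regular intervals (coefficient of variation of the gaps <= max_cv
    over at least min_hits requests) or use a user agent no real client would."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["host"] in C2_WATCHLIST:
            groups[(rec["src"], rec["host"])].append(rec)

    findings = []
    for (src, host), recs in groups.items():
        recs.sort(key=lambda r: r["ts"])
        odd_ua = sorted({r["ua"] for r in recs if not r["ua"].startswith(EXPECTED_UA_PREFIXES)})
        periodic, mean_gap = False, None
        if len(recs) >= min_hits:
            gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
            mean_gap = statistics.mean(gaps)
            cv = statistics.pstdev(gaps) / mean_gap if mean_gap > 0 else 0.0
            periodic = cv <= max_cv
        if periodic or odd_ua:
            findings.append({
                "src": src, "host": host, "service": C2_WATCHLIST[host],
                "hits": len(recs), "periodic": periodic, "mean_gap_s": mean_gap,
                "odd_ua": odd_ua,
            })
    return findings


if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_LOG.splitlines()):
        print(finding)
```

On the sample, only 10.1.1.25 is reported: five requests a minute apart from curl, while the browser traffic to Discord is both irregular and from an expected client. A low coefficient of variation is convincing over dozens of requests and noise over a handful, which is what min_hits guards against; jittered implants push the CV up, so pair timing with the user-agent (or, with EDR telemetry, the originating process) rather than relying on it alone. Legitimate bot integrations such as CI notifications and monitoring also poll these APIs on a schedule, so allow-list those by source host.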
Kaspersky describes the move to public services as a notable shift in Tomiris's tradecraft. Alongside it, the actor sends spear-phishing emails with decoy files whose content is tailored to the recipient and written in Russian and in the national languages of the targeted countries, aimed at users and entities in Turkmenistan, Kyrgyzstan, Tajikistan, and Uzbekistan.
For post-exploitation the attacks combine reverse shells, custom implants, and the open-source C2 frameworks Havoc and AdaptixC2, a mix that lets Tomiris swap tooling between campaigns and complicates detection that relies on signatures for any single component.
Microsoft had previously connected the Tomiris backdoor to a Kazakhstan-based threat actor it tracks as Storm-0473, while subsequent reports from Cisco Talos, Seqrite Labs, Group-IB, and BI.ZONE have strengthened this hypothesis. The analyses have identified overlaps with clusters referred to as Cavalry Werewolf, ShadowSilk, Silent Lynx, SturgeonPhisher, and YoroTrooper.
The latest activity documented by Kaspersky starts with phishing emails carrying password-protected RAR archives, with the password stated in the body of the email so that the recipient can open the archive while automated scanning cannot. The archive contains an executable masquerading as a Microsoft Word document; when launched, it drops a C/C++ reverse shell that collects system information and contacts a C2 server to fetch AdaptixC2.
The reverse shell also modifies the Windows Registry so that the downloaded payload persists across reboots. Kaspersky has seen three different versions of the malware this year alone.
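Two cheap checks follow from the delivery chain just described: at the mail gateway, a RAR attachment whose password is quoted in the message body is itself a signal, because the archive cannot be opened for scanning without that password; on the host, an executable dressed up as a Word document betrays itself by its MZ header regardless of what the file name claims. The Python below is an added example, not Kaspersky's or the actor's code; the message text, file names and bytes are constructed, and the password regex and naming heuristics are assumptions to tune locally.

```python
"""Mail-gateway and host triage for the RAR-plus-fake-document delivery chain.

Added example for this article, not the researchers' code. The e-mail body,
attachment names and file bytes are constructed for illustration; the
password regex and name heuristics are assumptions to be tuned locally.
"""
import re

RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"
PE_MAGIC = b"MZ"                                   # Windows executable (exe/dll/scr)
OOXML_MAGIC = b"PK\x03\x04"                        # .docx is a ZIP container
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"    # legacy binary .doc
DOC_EXTENSIONS = (".doc", ".docx", ".rtf", ".pdf")
EXE_EXTENSIONS = ("exe", "scr", "com", "pif", "bat", "cmd")

# "password: X", "Password=X", Russian "пароль X" (assumed phrasings; tune locally,
# e.g. "password-protected" will yield the candidate "-protected").
PASSWORD_RE = re.compile(r"(?:password|passcode|пароль)\s*[:=]?\s*([^\s,.;]+)", re.IGNORECASE)

# Constructed sample message and attachment (RAR5 signature followed by padding).
SAMPLE_BODY = "Please review the attached report before the meeting. Archive password: Rep0rt2025"
SAMPLE_ATTACHMENTS = {"report.rar": RAR5_MAGIC + b"\x00" * 16}


def is_rar(data):
    """True if the bytes start with a RAR 4 or RAR 5 signature."""
    return data.startswith(RAR4_MAGIC) or data.startswith(RAR5_MAGIC)


def extract_passwords(body):
    """Password candidates stated in the message text."""
    return PASSWORD_RE.findall(body)


def triage_email(body, attachments):
    """Flag the combination the article describes: a RAR attachment plus an
    archive password quoted in the body (the archive cannot be scanned without
    it). Whether the archive is actually encrypted is not verified here."""
    passwords = extract_passwords(body)
    rars = [name for name, data in attachments.items() if is_rar(data)]
    return {
        "passwords": passwords,
        "rar_attachments": rars,
        "suspicious": bool(passwords) and bool(rars),
    }


def masquerade_verdict(name, data):
    """For a file taken out of the archive: report a PE whose name pretends to be
    a document. Returns None when the bytes are not a PE or the name is honest."""
    if not data.startswith(PE_MAGIC):
        return None
    lower = name.lower().rstrip()
    if lower.endswith(DOC_EXTENSIONS):
        return "pe-with-document-extension"        # bytes say MZ, name says .docx
    stem, dot, ext = lower.rpartition(".")
    if dot and ext in EXE_EXTENSIONS and stem.rstrip().endswith(DOC_EXTENSIONS):
        return "pe-with-double-extension"          # report.docx.exe, "report.docx   .exe"
    return None


if __name__ == "__main__":
    print(triage_email(SAMPLE_BODY, SAMPLE_ATTACHMENTS))
    for name, data in [
        ("report.docx.exe", b"MZ\x90\x00"),
        ("report.docx", b"MZ\x90\x00"),
        ("report.docx", OOXML_MAGIC + b"\x00"),
        ("setup.exe", b"MZ\x90\x00"),
    ]:
        print(name, masquerade_verdict(name, data))
```

Windows hides known extensions by default, so report.docx.exe displays as report.docx; checking the bytes rather than the name is what catches it, and the same check applied to a genuine .docx (PK header) returns None. The Registry persistence the reverse shell sets is a separate host-side hunt through the usual autostart locations such as the Run keys, which this script does not cover.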
Other RAR archives sent through the same emails have been found to deliver different malware families, each with its own infection sequence, which widens the set of tooling defenders must be able to recognize.
Tomiris's shift shows how quickly such actors adapt: C2 hidden in traffic to legitimate services, payloads shielded inside password-protected archives, and freely available C2 frameworks in place of bespoke tooling. The practical response is to watch for the concrete traces this activity leaves, such as unexpected processes talking to Telegram or Discord APIs, archive passwords quoted in email bodies, executables disguised as documents, and new Registry persistence entries, rather than to rely on any one signature.
Related Information:
https://www.ethicalhackingnews.com/articles/The-Rise-of-Tomiris-A-Sophisticated-Cyber-Threat-Actor-Evasion-and-Stealth-in-Modern-Attacks-ehn.shtml
https://thehackernews.com/2025/12/tomiris-shifts-to-public-service.html
https://cyberscoop.com/turla-infiltrates-pakistani-apt-networks-microsoft-lumen/
https://thehackernews.com/2024/12/russia-linked-turla-exploits-pakistani.html
Published: Mon Dec 1 00:05:45 2025 by llama3.2 3B Q4_K_M