Kaspersky researchers Oleg Kupreev and Artem Ushkov said the threat actor known as Tomiris has targeted foreign ministries, intergovernmental organisations and government entities in Russia to establish remote access and deploy additional tools. The company reported a notable shift toward implants that use public services such as Telegram and Discord as command-and-control channels, a tactic that can blend malicious traffic with legitimate service activity.
More than half of the spear-phishing emails and decoy files observed in the campaign used Russian names and Russian text, Kaspersky reported, while other lures were tailored in the national languages of Turkmenistan, Kyrgyzstan, Tajikistan and Uzbekistan. The intrusions targeted political and diplomatic infrastructure and used a mix of reverse shells, custom implants and open-source C2 frameworks including Havoc and AdaptixC2.
The campaign typically begins with spear-phishing emails that carry password-protected RAR archives, with the password included in the body of the message. The archives contained executables masquerading as Microsoft Word documents; each drops a C/C++ reverse shell that collects system information, contacts a command server and fetches the AdaptixC2 implant. The reverse shell also makes Windows Registry changes to maintain persistence, and Kaspersky identified three different versions of that malware this year.
Alternate infection chains observed in the campaign include a Rust-based downloader that reports system data to a Discord webhook, builds VBScript and PowerShell stagers and retrieves a ZIP file tied to Havoc. Researchers also documented a Python reverse shell that uses Discord for C2 to execute commands, exfiltrate results and download next-stage implants such as AdaptixC2 and a Python FileGrabber. A Python backdoor dubbed Distopia is based on the open-source dystopia-c2 project and uses Discord and Telegram for command-and-control and payload delivery.
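The defensive angle on the Discord and Telegram channels described above is that webhook and bot-API calls are only suspicious in context: which process made them. The following hunting routine is an added illustration, not Kaspersky's code; the proxy-log format, the process allowlist and the sample lines are all constructed assumptions.

```python
"""Flag Discord-webhook / Telegram-bot-API traffic from unexpected processes."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Service paths that implants use for C2 and payload delivery (page-reported channels).
C2_PATH_PATTERNS = {
    "discord.com": re.compile(r"^/api/(v\d+/)?webhooks/"),
    "discordapp.com": re.compile(r"^/api/(v\d+/)?webhooks/"),
    "api.telegram.org": re.compile(r"^/bot[^/]+/(sendMessage|sendDocument|getUpdates|getFile)"),
}
# Assumed allowlist: clients and browsers expected to reach these services legitimately.
ALLOWED_PROCESSES = {"discord.exe", "telegram.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
# Script hosts match the VBScript / PowerShell / Python stagers described in the campaign.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "python.exe", "pythonw.exe"}

# Assumed proxy-log line shape: "<timestamp> host=<name> proc=<image> url=<url>".
LOG_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) url=(?P<url>\S+)$")


@dataclass(frozen=True)
class Alert:
    ts: str
    host: str
    proc: str
    service: str
    reason: str


def find_public_service_c2(lines):
    """Return one Alert per log line where a non-allowlisted process hits a webhook/bot endpoint."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed or unrelated line
        u = urlparse(m["url"])
        pattern = C2_PATH_PATTERNS.get((u.hostname or "").lower())
        if pattern is None or not pattern.match(u.path):
            continue  # ordinary traffic to the service, or a different service
        proc = m["proc"].lower()
        if proc in ALLOWED_PROCESSES:
            continue  # legitimate client; tune the allowlist per environment
        reason = ("script host calling bot/webhook API (stager pattern)" if proc in SCRIPT_HOSTS
                  else "bot/webhook API call from non-messaging process")
        alerts.append(Alert(m["ts"], m["host"], m["proc"], u.hostname.lower(), reason))
    return alerts


# Constructed sample lines; timestamps, hosts and webhook ids are placeholders.
SAMPLE_LOG = [
    "2025-01-01T10:00:00Z host=WS-07 proc=discord.exe url=https://discord.com/api/v9/users/@me",
    "2025-01-01T10:00:05Z host=WS-07 proc=powershell.exe url=https://discord.com/api/webhooks/1111/abc",
    "2025-01-01T10:01:00Z host=WS-12 proc=chrome.exe url=https://api.telegram.org/bot1:XYZ/getUpdates",
    "2025-01-01T10:01:30Z host=WS-12 proc=python.exe url=https://api.telegram.org/bot1:XYZ/sendDocument",
    "2025-01-01T10:02:00Z host=WS-03 proc=update.exe url=https://discord.com/api/webhooks/9999/zzz",
    "garbage line that does not parse",
]
```

Run `find_public_service_c2(SAMPLE_LOG)` to see three alerts: the PowerShell and Python hits are tagged as stager-pattern, the third as a generic non-messaging process.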
Kaspersky said the Tomiris toolkit includes modules written in C#, Rust, Go, PowerShell and C++, and the actor has modified open-source projects for reverse SOCKS proxies, including Reverse-SOCKS5 and ReverseSocks5. The firm concluded the use of multi-language malware modules is aimed at operational flexibility, stealth and long-term persistence.

