Tomiris Unleashes 'Havoc' With New Tools, Tactics
Recorded: Dec. 1, 2025, 11:02 p.m.
| Original | Summarized |
Tomiris Unleashes 'Havoc' With New Tools, Tactics

The Russian-speaking group is targeting government and diplomatic entities in CIS member states and Central Asia in its latest cyber-espionage campaign.

Jai Vijayan, Contributing Writer
December 1, 2025
3 Min Read
Source: Skorzewiak via Shutterstock

The Russian-speaking Tomiris cyber-espionage group is wielding new attack tools and techniques in an ongoing campaign targeting foreign ministries, intergovernmental organizations, and government entities across the Commonwealth of Independent States (CIS). Kaspersky researchers, who have been tracking the threat actor's activities since 2021, identified the new malicious operations beginning in early 2025 and described them as impacting high-value diplomatic and political infrastructure.

Tomiris' Tactical Shifts

The attacks stand out for two major tactical shifts, according to Kaspersky. First, Tomiris has begun routing its command-and-control (C2) traffic through popular messaging platforms such as Telegram and Discord to blend malicious activity with legitimate network use. Second, the group is now deploying malware written in multiple programming languages to enhance adaptability and stealth. Tomiris uses these implants, written in Go, Rust, C, C++, C#, Python, and other languages, to deploy second-stage payloads on compromised systems. Those payloads are usually Havoc or AdaptixC2, open-source C2 frameworks the attackers use for hands-on control of infected systems.

"The evolution in tactics underscores the threat actor's focus on stealth, long-term persistence, and the strategic targeting of government and intergovernmental organizations," Kaspersky said in a recent blog post. "The use of public services for C2 communications and multi-language implants highlights the need for advanced detection strategies, such as behavioral analysis and network traffic inspection, to effectively identify and mitigate such threats."

Tomiris is an advanced persistent threat (APT) group focused on stealing internal documents from government and diplomatic entities across CIS countries and Central Asia. The group is known for its persistence rather than its sophistication, repeatedly cycling through disposable "burner" malware, written in languages such as Go and .NET, until one variant evades the security defenses on a targeted system. This brute-force approach and limited concern for operational stealth set Tomiris apart from more cautious nation-state APT groups, but it remains dangerous all the same, according to Kaspersky.

In previous operations, Tomiris has deployed some of the same malware tools used by Turla, a threat group linked to Russia's Federal Security Service (FSB), raising questions about tool sharing or cooperation between the two. Despite these overlaps, Kaspersky assesses that Tomiris and Turla are separate entities, based on their distinct targeting priorities and operational methods.

Infection Chain and Detection Challenges

Tomiris' infection chain in the ongoing campaign begins, as in previous campaigns, with phishing emails carrying malicious password-protected archives, with the password typically included in the email body.
The archives contain malicious executables masquerading as legitimate documents through filename manipulation: a fake document extension followed by a long run of blank spaces that pushes the real executable extension out of view when the victim previews the file listing.

More than half of the malicious emails and lure documents that Kaspersky analyzed were written in Russian and carried Russian-themed content, indicating the group's main emphasis on Russian-language targets. In at least some instances, Kaspersky found Tomiris targeting victims in Turkmenistan, Kyrgyzstan, Tajikistan, and Uzbekistan with attack content customized in each nation's primary language.

The malware Tomiris is using includes one tool written in Rust that automatically harvests system information, hunts for documents and images with common extensions such as .pdf and .jpg, and sends the data to attacker-controlled Discord servers. Another tool, written in Python, collects files matching specific types, compresses them into a single archive, and uploads the package to C2 servers.

Other backdoor components let the attackers execute remote commands on infected systems, upload and download files, and stop running processes. Kaspersky also observed Tomiris using specialized proxy tools to, among other things, pivot from an infected system to other computers within the victim environment.

The increasingly popular tactic of using legitimate platforms such as Telegram and Discord for C2 and malware distribution poses significant detection challenges for enterprise security teams and other defenders. These services are often whitelisted in enterprise environments because employees use them for collaboration and communication.
Detecting abuse typically requires investment in deep traffic inspection and behavioral analysis tooling.
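The padded-filename trick described under "Infection Chain and Detection Challenges" can be caught before anyone opens the archive. The Python below is an added example written for this page, not code from the article, from Kaspersky, or from Tomiris. It builds a constructed ZIP in memory with one lure-style member name (a .pdf extension, sixty spaces, then .exe) next to two benign names, and scans the member list for a document extension followed by padding and an executable extension. It goes slightly beyond the article by also flagging bare double extensions such as invoice.pdf.exe, and by treating zero-width spaces as padding. The extension lists and the two-character padding threshold are assumptions to tune. Standard ZIP encryption (ZipCrypto or WinZip AES) protects file contents only, so member names are readable without the password from the email; 7z and RAR archives with encrypted headers hide the names, and there the same check has to run on the extracted files instead.

```python
import io
import re
import zipfile
from typing import List, Optional

# Added example; not code from the article, Kaspersky, or Tomiris.
# Extension lists are assumptions to tune for the environment.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "rtf",
                 "txt", "jpg", "jpeg", "png"}
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs",
             "vbe", "wsf", "ps1", "lnk", "msi", "hta", "dll"}
MIN_PADDING = 2  # one stray space happens in real names; two or more is deliberate

# "<name>.<fake ext><optional padding>.<real ext>" at the end of the file name.
# \s already covers the Unicode space characters; U+200B (zero-width space) is
# added because it is invisible in a listing yet is not whitespace to the regex.
_DOUBLE_EXT = re.compile(
    r"\.(?P<fake>[A-Za-z0-9]{1,5})(?P<pad>[\s\u200b]*)\.(?P<real>[A-Za-z0-9]{1,4})$")


def analyze_name(name: str) -> Optional[dict]:
    """Flag a file name whose visible extension hides an executable one.

    Returns None for benign names, otherwise a dict describing the disguise.
    Flags padding before the real extension, or a bare double extension such
    as 'invoice.pdf.exe' where the fake part looks like a document.
    """
    base = name.rsplit("/", 1)[-1]          # archive members use '/' separators
    m = _DOUBLE_EXT.search(base)
    if not m:
        return None
    fake, real = m.group("fake").lower(), m.group("real").lower()
    pad_len = len(m.group("pad"))
    if real not in EXEC_EXTS:
        return None
    if pad_len < MIN_PADDING and fake not in DOCUMENT_EXTS:
        return None                          # e.g. 'my.app.exe' is just an odd name
    return {"name": name, "fake_ext": fake, "real_ext": real,
            "pad_len": pad_len, "padded": pad_len >= MIN_PADDING}


def scan_zip(data: bytes) -> List[dict]:
    """List disguised members of a ZIP without extracting it.

    ZIP encryption covers file contents only, so member names are readable
    even when the archive is password-protected.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            hit = analyze_name(info.filename)
            if hit:
                hit["encrypted"] = bool(info.flag_bits & 0x1)   # general-purpose bit 0
                hits.append(hit)
    return hits


def build_sample_archive() -> bytes:
    """Constructed sample archive; names and contents are not real artifacts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Приглашение.pdf" + " " * 60 + ".exe", b"MZ")  # lure-style padded name
        zf.writestr("report.docx", b"PK")                            # ordinary document
        zf.writestr("notes .txt", b"text")                           # one stray space; benign
    return buf.getvalue()


if __name__ == "__main__":
    for hit in scan_zip(build_sample_archive()):
        print(f"{hit['name'].split()[0]!r} looks like .{hit['fake_ext']} but is "
              f".{hit['real_ext']} ({hit['pad_len']} padding characters)")
```

Run on the constructed archive, only the padded member is reported; the plain document and the name with a single space are left alone. In a mail gateway the same `analyze_name` check belongs on every archive member name and on the attachment names themselves.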
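Kaspersky's call for behavioral analysis and network traffic inspection, and the closing point about whitelisted collaboration platforms, reduce to a concrete question for a defender: which hosts talk to the bot or API side of Telegram and Discord, and do they do so like a beacon? The Python below is an added example for this page, not Kaspersky's detection logic and not a Tomiris artifact. It assumes a TLS-inspecting proxy that logs the full URL (without inspection only the hostname is visible and the webhook or bot-token paths cannot be seen), a constructed space-separated log format, dummy client addresses and a dummy bot token, and thresholds chosen for illustration. It separates bot endpoints (discord.com/api/webhooks/..., api.telegram.org/bot<token>/...) from ordinary client traffic, then flags a client whose requests recur at a near-constant interval or include file-sending calls or large uploads.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Added example; not code from the article, Kaspersky, or Tomiris.
# Bot/API endpoints of each service. A Discord desktop client talks to
# discord.com/api/v*/... and the gateway, not to /api/webhooks/; no human
# browses to api.telegram.org/bot<token>/. Those paths are where automation lives.
API_PATTERNS = {
    "discord-webhook": re.compile(
        r"^https?://(?:[\w-]+\.)?discord(?:app)?\.com/api/webhooks/\d+/[\w-]+", re.I),
    "telegram-bot-api": re.compile(
        r"^https?://api\.telegram\.org/bot\d+:[\w-]+/(?P<method>\w+)", re.I),
}
# Telegram Bot API methods that carry a file from the client to Telegram.
UPLOAD_METHODS = {"sendDocument", "sendPhoto", "sendVideo", "sendAudio"}

# Thresholds are assumptions; tune them per environment.
MIN_REQUESTS = 5            # fewer requests than this is not yet a pattern
REGULAR_TOLERANCE = 0.2     # a gap within +/-20% of the median gap counts as regular
MIN_REGULAR_FRACTION = 0.7  # share of regular gaps needed to call it beaconing
UPLOAD_BYTES = 200_000      # client->server bytes in one request that look like exfiltration

# Constructed log format: "<iso8601> <client> <http-method> <url> <bytes-sent> <status>"
LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+) (\d+)$")


def classify(url):
    """Return (service, api_method) for a bot/API URL, or (None, None)."""
    for service, pattern in API_PATTERNS.items():
        m = pattern.match(url)
        if m:
            return service, m.groupdict().get("method")
    return None, None


def parse(lines):
    """Yield (timestamp, client, http_method, url, bytes_sent) per well-formed line."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            ts, client, http_method, url, sent, _status = m.groups()
            yield (datetime.fromisoformat(ts.replace("Z", "+00:00")),
                   client, http_method, url, int(sent))


def analyze(lines):
    """Group bot/API requests per (client, service) and return the suspicious groups."""
    groups = defaultdict(list)
    for ts, client, _http_method, url, sent in parse(lines):
        service, api_method = classify(url)
        if service:
            groups[(client, service)].append((ts, api_method, sent))

    findings = []
    for (client, service), events in groups.items():
        events.sort(key=lambda e: e[0])
        reasons = []
        # Beaconing: most inter-request gaps sit close to the median gap. Using the
        # median keeps one interleaved upload from masking a regular poll loop.
        if len(events) >= MIN_REQUESTS:
            gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
            median = statistics.median(gaps)
            regular = sum(abs(g - median) <= REGULAR_TOLERANCE * median for g in gaps)
            if median > 0 and regular / len(gaps) >= MIN_REGULAR_FRACTION:
                reasons.append(f"beaconing: {len(events)} requests, median gap {median:.0f}s")
        # Exfiltration: a file-sending API method, or a large client->server body.
        uploads = [e for e in events if e[1] in UPLOAD_METHODS or e[2] >= UPLOAD_BYTES]
        if uploads:
            reasons.append(f"file upload: {len(uploads)} request(s), "
                           f"largest {max(e[2] for e in uploads)} bytes")
        if reasons:
            findings.append({"client": client, "service": service,
                             "requests": len(events), "reasons": reasons})
    return findings


# Constructed sample log (dummy addresses, dummy bot token); not real traffic.
_TG = "https://api.telegram.org/bot1234567890:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
SAMPLE_LOG = [
    f"2025-03-04T09:00:00Z 10.20.30.40 POST {_TG}/getUpdates 312 200",
    f"2025-03-04T09:01:01Z 10.20.30.40 POST {_TG}/getUpdates 312 200",
    f"2025-03-04T09:02:00Z 10.20.30.40 POST {_TG}/getUpdates 312 200",
    f"2025-03-04T09:02:59Z 10.20.30.40 POST {_TG}/getUpdates 312 200",
    f"2025-03-04T09:04:00Z 10.20.30.40 POST {_TG}/getUpdates 312 200",
    f"2025-03-04T09:05:01Z 10.20.30.40 POST {_TG}/getUpdates 312 200",
    f"2025-03-04T09:05:20Z 10.20.30.40 POST {_TG}/sendDocument 358112 200",
    "2025-03-04T09:10:00Z 10.20.30.77 POST https://discord.com/api/webhooks/1234567890/AbCdEfGh-XyZ 912 204",
    "2025-03-04T09:11:00Z 10.20.30.99 GET https://discord.com/api/v9/users/@me 0 200",
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['client']} -> {f['service']}: " + "; ".join(f["reasons"]))
```

On the constructed log the host polling getUpdates roughly once a minute and then calling sendDocument with a 350 KB body is the only finding; the single webhook post from another host (the shape of a legitimate CI notification) and the ordinary Discord client call are not reported. The median-based regularity test is what lets the interleaved upload sit inside the poll loop without hiding it.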
The Russian-speaking cyber-espionage group Tomiris is running an ongoing campaign against government and diplomatic entities across the Commonwealth of Independent States (CIS) and Central Asia. Kaspersky researchers, who have tracked the group since 2021, identified the activity beginning in early 2025 and describe it as impacting high-value diplomatic and political infrastructure. The campaign shows two tactical shifts: routing command-and-control (C2) traffic through popular messaging platforms such as Telegram and Discord so that it blends with legitimate network use, and deploying first-stage implants written in many languages (Go, Rust, C, C++, C#, Python, and others) to improve adaptability and evasion. Those implants deliver second-stage payloads, usually the open-source C2 frameworks Havoc or AdaptixC2, which give the operators hands-on control of infected hosts. Kaspersky describes Tomiris as persistent rather than sophisticated: it cycles through disposable "burner" malware until a variant gets past a target's defenses, and shows limited concern for operational stealth compared with more cautious nation-state groups, yet it remains dangerous. Tomiris has previously used some of the same tools as Turla, a group linked to Russia's Federal Security Service (FSB), which raises questions about tool sharing or cooperation; Kaspersky nonetheless assesses the two as separate entities on the basis of their distinct targeting priorities and operational methods.

The infection chain starts with phishing emails carrying password-protected archives, with the password given in the email text. The archives hold executables disguised as documents through filename manipulation: a fake document extension followed by a long run of blank spaces that hides the real executable extension when the victim previews the file. More than half of the analyzed emails and lures were written in Russian with Russian-themed content, indicating a primary emphasis on Russian-language targets, and Tomiris has also tailored lures to the national languages of Turkmenistan, Kyrgyzstan, Tajikistan, and Uzbekistan.

The toolset includes a Rust-based collector that harvests system information, hunts for files with common extensions such as .pdf and .jpg, and uploads them to attacker-controlled Discord servers; a Python tool that gathers files of specific types, compresses them into one archive, and uploads it to C2 servers; backdoor components for remote command execution, file upload and download, and stopping running processes; and proxy tools used to pivot from an infected system to other hosts in the victim network.

Because Telegram and Discord are commonly whitelisted in enterprise environments for collaboration, their use for C2 and malware distribution blurs the line between legitimate and malicious traffic and creates a real detection problem. Kaspersky's recommendation is behavioral analysis and deep network traffic inspection to identify and mitigate this kind of activity. |