Kaspersky Lab has identified a cyber espionage campaign by the Tomiris APT group that has been running since the beginning of the year. The company told Gazeta.Ru that the main targets of the attacks were government agencies and diplomatic missions in Russia and the CIS countries.

For initial access, the attackers use targeted phishing emails containing malicious archives. The attached executables are disguised as official documents whose content is tailored to a specific organization and country. One of the recorded lures was a letter requesting feedback on projects allegedly related to the development of regions in Russia. Running the file infects the device.

Analysis shows that more than half of the emails and decoy files in the 2025 campaign contained text in Russian, indicating that the attacks are aimed primarily at Russian-speaking organizations. The remaining emails were adapted to Turkmenistan, Kyrgyzstan, Tajikistan and Uzbekistan in the respective national languages.

Tomiris uses a multi-layered toolset to establish persistence on the system. At the initial stage, reverse shells written in different programming languages are used; additional tools are then deployed, including the AdaptixC2 and Havoc frameworks. In some cases, the attackers use the public platforms Telegram and Discord as command servers. The malware focuses on finding and stealing sensitive data, including .jpg, .jpeg, .png, .txt, .rtf, .pdf, .xlsx, and .docx files.

“Tomiris' tactics in new campaigns have clearly evolved: they aim to hide malicious activity as much as possible, as well as gain a permanent foothold in the system. This, among other things, is facilitated by the use of malicious implants in different languages. The group increasingly relies on tools that use public services such as Telegram and Discord as command servers. Most likely, this is how the attackers are trying to hide malicious traffic in the legitimate operation of these services,” said Oleg Kupreev, cybersecurity expert at Kaspersky Lab.

The company's experts first reported on Tomiris's activities in 2021. Previously, the group also focused on attacks on government agencies in the CIS, the main goal of which was the theft of internal documents.
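Two of the behaviours described above lend themselves to simple defensive checks: archive attachments carrying executables disguised as documents, and C2 traffic routed through Telegram or Discord from processes that have no business talking to those services. The script below is an added example written for this page; it is not Kaspersky's code or a Tomiris indicator set. The hostnames are the services' public API endpoints, but which of them the group actually contacted is an assumption, the allowlist of expected client processes is an assumption, and the proxy log lines and archive member names are constructed samples.

```python
import re
from pathlib import PurePosixPath

# Public-service endpoints that could carry C2 traffic (assumption: which of these
# Tomiris used is not stated in the article; these are the services' real API hosts).
PUBLIC_C2_HOSTS = {
    "api.telegram.org",
    "discord.com",
    "discordapp.com",
    "gateway.discord.gg",
}

# Processes legitimately expected to reach those hosts (assumption, tune per environment).
EXPECTED_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "discord.exe", "telegram.exe"}

# Extensions that execute on Windows, and document extensions an attacker might
# prepend to make an executable look like an official document.
EXECUTABLE_SUFFIXES = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta", ".lnk"}
DOCUMENT_SUFFIXES = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".rtf", ".txt", ".odt"}

# Constructed proxy log format: timestamp host process destination_host url_path
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<proc>\S+)\s+(?P<dst>\S+)\s+(?P<path>\S+)$"
)

# Constructed sample lines (not real telemetry).
SAMPLE_PROXY_LOG = """\
2025-03-04T09:12:01Z ws-17 chrome.exe api.telegram.org /bot123:ABC/getUpdates
2025-03-04T09:12:05Z ws-17 doc_viewer.exe api.telegram.org /bot123:ABC/getUpdates
2025-03-04T09:13:10Z ws-22 discord.exe discord.com /api/v9/gateway
2025-03-04T09:13:44Z ws-22 svchost.exe discord.com /api/webhooks/111/abc
2025-03-04T09:14:02Z ws-09 outlook.exe outlook.office365.com /owa/
"""

# Constructed member list of a phishing archive (not a real sample).
SAMPLE_ARCHIVE_MEMBERS = [
    "project_feedback.docx.exe",
    "cover_letter.pdf",
    "readme.txt",
    "viewer.scr",
]


def parse_proxy_line(line):
    """Parse one proxy log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_public_service_c2(log_text):
    """Return (host, process, destination) for connections to Telegram/Discord API
    hosts made by processes outside the expected-client allowlist."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_proxy_line(line)
        if rec is None:
            continue
        if rec["dst"].lower() in PUBLIC_C2_HOSTS and rec["proc"].lower() not in EXPECTED_CLIENTS:
            hits.append((rec["host"], rec["proc"], rec["dst"]))
    return hits


def suspicious_archive_members(member_names):
    """Flag archive members that are executables, noting when a document
    extension is used to disguise them (e.g. report.docx.exe)."""
    flagged = []
    for name in member_names:
        suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
        if not suffixes or suffixes[-1] not in EXECUTABLE_SUFFIXES:
            continue
        if len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_SUFFIXES:
            flagged.append((name, "executable disguised as document"))
        else:
            flagged.append((name, "executable inside archive"))
    return flagged


if __name__ == "__main__":
    for host, proc, dst in find_public_service_c2(SAMPLE_PROXY_LOG):
        print(f"[c2?] {host}: {proc} -> {dst}")
    for name, reason in suspicious_archive_members(SAMPLE_ARCHIVE_MEMBERS):
        print(f"[attachment] {name}: {reason}")
```

The process allowlist is the weak point of the first check: a browser being abused as a proxy would pass it, so in practice the alert should be combined with volume and timing (a non-interactive host polling a bot API every few seconds) rather than used on its own. The second check deliberately flags every executable inside an archive, not just double-extension names, because the article's lures are executables posing as documents regardless of how the filename is dressed.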


