Full Report
The threat actor known as Tomiris has been attributed to attacks targeting foreign ministries, intergovernmental organizations, and government entities in Russia with an aim to establish remote access and deploy additional tools. "These attacks highlight a notable shift in Tomiris's tactics, namely the increased use of implants that leverage public services (e.g., Telegram and Discord) as
Analysis Summary
# Threat Actor: Tomiris
## Attribution & Identity
Attributed to attacks primarily focusing on intelligence gathering in Central Asia. Associated with Russian-speaking threat activity. Microsoft connects the Tomiris backdoor to a Kazakhstan-based threat actor tracked as **Storm-0473**. Overlaps identified with clusters named **Cavalry Werewolf**, **ShadowSilk**, **Silent Lynx**, **SturgeonPhisher**, and **YoroTrooper**. Historical links noted with **SUNSHUTTLE** (linked to APT29) and **Kazuar** (.NET-based espionage backdoor used by Turla), though assessed to be a distinct actor.
## Activity Summary
Tomiris targets high-value political and diplomatic infrastructure. Recent activity involves spear-phishing campaigns using lure documents within password-protected RAR archives (password provided in the email body). The ultimate goal is to establish remote access for deploying additional tools.
## Tactics, Techniques & Procedures
- **Initial Access:** Spear-phishing emails often containing malicious password-protected RAR files.
- **Execution:** Executable masquerading as a Microsoft Word document (`*.doc.exe`) dropped from the archive.
- **Persistence:** Modifies the Windows Registry so that downloaded payloads survive reboots.
- **Command and Control (C2):** Increased use of implants leveraging public services, specifically **Telegram** and **Discord**, as C2 channels to evade detection.
- **Post-Exploitation:** Leveraging reverse shells, custom implants, and open-source C2 frameworks.
  - Utilized **Havoc** and **AdaptixC2** frameworks.
  - Used a Rust-based downloader to communicate with Discord webhooks.
  - Used Python-based reverse shells communicating via Discord.
- **Defense Evasion:** Blending malicious traffic with legitimate public service activity.
- **Discovery/Collection:** Gathering system information.
- **Lateral Movement/Payload Delivery:** Downloading next-stage implants such as AdaptixC2 and a Python-based FileGrabber.
## Targeting
- **Sectors:** Foreign ministries, intergovernmental organizations, and government entities (high-value political and diplomatic infrastructure).
- **Geography:** Primary focus on **Russia**. Secondary targeting noted in **Turkmenistan**, **Kyrgyzstan**, **Tajikistan**, and **Uzbekistan**.
- **Victims:** Government entities within the specified geographic regions.
## Tools & Infrastructure
- **Malware Families Used:**
  - Custom C/C++ reverse shell.
  - Rust-based downloader.
  - Python-based reverse shell.
  - Python-based FileGrabber.
  - Python-based backdoor dubbed **Distopia** (based on the *o* implementation, truncated in context).
  - **AdaptixC2** (framework/implant).
  - **Havoc** (open-source C2 framework).
- **Infrastructure (C2):**
  - Public services, primarily **Telegram** and **Discord** (used as C2 communication channels).
  - Discord webhooks (used by the Rust downloader).
## Implications
Tomiris demonstrates an evolving operational security posture by migrating C2 communications to widely used public platforms (Telegram/Discord). This behavior allows the actor to blend in with significant volumes of legitimate service traffic, complicating network monitoring and threat detection efforts by security tooling designed to spot traditional, dedicated C2 infrastructure. The focus remains on critical government and diplomatic infrastructure in Russia and Central Asia.
## Mitigations
- Enhance monitoring and traffic analysis of outbound connections heading to known public/commercial services like Telegram and Discord, looking for anomalous command-and-control patterns (e.g., specific message formats, unusual volume, or timing).
- Improve detection capabilities for initial access vectors, specifically analyzing password-protected RAR files delivered via spear-phishing and scrutinizing executable files masquerading as common document types (`*.doc.exe`).
- Implement strong endpoint detection and response (EDR) to monitor for unusual dynamic-link library (DLL) loading, system registry modifications for persistence, and the execution of reverse shells or frameworks like Havoc.
- Increase scrutiny of email content targeting Russian or Central Asian personnel, looking for tailored content in national languages or references to Russian names, as this is a key indicator of Tomiris/Storm-0473 targeting.
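The first two mitigations above can be turned into concrete detection logic. The following is an added example, not part of the report or of any vendor tooling: it runs three checks over constructed endpoint connection events (double-extension executables such as `*.doc.exe`, unexpected processes reaching the Discord webhook or Telegram bot API paths, and near-constant-interval beaconing to those hosts). The host list, the allow-list of expected client processes, the thresholds and the sample events are all assumptions to tune per environment.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Public-service hosts the report names as C2 channels, with the API path prefix
# that bot/webhook traffic uses (assumed; extend as needed).
C2_HOSTS = {"discord.com": "/api/webhooks/", "discordapp.com": "/api/webhooks/",
            "api.telegram.org": "/bot"}
# Processes expected to reach these services (assumed allow-list, tune per estate).
EXPECTED_CLIENTS = {"discord.exe", "telegram.exe", "chrome.exe", "firefox.exe", "msedge.exe"}
# Executable masquerading as a document: <name>.doc.exe, <name>.pdf.exe, ...
DOUBLE_EXT = re.compile(r"\.(doc|docx|pdf|xls|xlsx)\.exe$", re.IGNORECASE)

def detect(events, min_beacons=4, max_jitter=0.15):
    """Return (rule, detail) findings for connection events.
    Each event: dict with ts (seconds), process (image name), host, path."""
    findings = []
    series = defaultdict(list)  # (process, host) -> connection timestamps
    for ev in events:
        proc, host = ev["process"].lower(), ev["host"].lower()
        if DOUBLE_EXT.search(proc):
            findings.append(("masquerading_executable", proc))
        prefix = C2_HOSTS.get(host)
        if prefix and ev["path"].startswith(prefix) and proc not in EXPECTED_CLIENTS:
            findings.append(("unexpected_public_service_c2", f"{proc} -> {host}{ev['path']}"))
        if host in C2_HOSTS:
            series[(proc, host)].append(ev["ts"])
    # Beaconing: near-constant gap between successive connections from one process to one host.
    for (proc, host), stamps in series.items():
        if len(stamps) < min_beacons:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
            findings.append(("regular_beaconing", f"{proc} -> {host} every ~{mean(gaps):.0f}s"))
    return findings

SAMPLE_EVENTS = [  # constructed telemetry, not real indicators
    {"ts": 0,   "process": "Report.doc.exe", "host": "discord.com", "path": "/api/webhooks/123/abc"},
    {"ts": 60,  "process": "python.exe", "host": "discord.com", "path": "/api/webhooks/123/abc"},
    {"ts": 120, "process": "python.exe", "host": "discord.com", "path": "/api/webhooks/123/abc"},
    {"ts": 181, "process": "python.exe", "host": "discord.com", "path": "/api/webhooks/123/abc"},
    {"ts": 240, "process": "python.exe", "host": "discord.com", "path": "/api/webhooks/123/abc"},
    {"ts": 30,  "process": "chrome.exe", "host": "discord.com", "path": "/api/v9/channels/1/messages"},
    {"ts": 500, "process": "chrome.exe", "host": "discord.com", "path": "/api/v9/channels/1/messages"},
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(rule, detail)
```

Real deployments would feed this from EDR or proxy logs keyed on process image and destination; the beaconing check is the one that still fires when the process name and path look benign.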