Tomiris
Tomiris is a Russian-speaking cyber-espionage threat actor tracked by Kaspersky since 2021 and linked by Microsoft to a Kazakhstan-based threat actor it tracks as Storm-0473. Reporting in the provided content also states that Hydra Saiga likely overlaps with the Tomiris cluster and that both operate for Kazakhstani state interests; other reported overlaps and commonalities include UNC1514, YoroTrooper, ShadowSilk, Silent Lynx, Cavalry Werewolf, SturgeonPhisher, and Comrade Saiga. Tomiris is assessed in the content as distinct from Turla, although some tooling overlaps have been noted, and it has also been linked in reporting to malware such as SUNSHUTTLE (GoldMax), Kazuar, JLORAT, and Telemiris.

The group conducts long-term espionage against high-value political, diplomatic, and government targets. Reported targeting includes foreign ministries, intergovernmental organizations, government entities, and diplomats in Russia and across Central Asia/CIS, including Kyrgyzstan, Afghanistan, Turkmenistan, Tajikistan, and Uzbekistan. The content states Tomiris has targeted Russian and Central Asian government officials and diplomats, with more than half of analyzed phishing lures using Russian names or text and other lures localized to national languages for regional targets.

Tomiris commonly gains initial access through spear-phishing emails carrying password-protected RAR archives or malicious Word documents/executables disguised as documents, including .doc.exe filename masquerading. The content describes phishing emails themed as official government communications, economic development, or partnerships.

Tomiris is described as using a broad malware arsenal written in multiple languages, including C/C++, C#, Go, Rust, Python, and PowerShell. Reported tooling includes custom reverse shells, backdoors, file grabbers, reverse SOCKS proxies, and open-source post-exploitation frameworks such as Havoc and AdaptixC2.

Malware capabilities described in the content include collecting system information, searching for and uploading files, executing remote commands, downloading additional payloads, stopping processes, screen monitoring, and lateral movement/pivoting via proxy tools. One Tomiris backdoor capability explicitly mentioned is uploading files matching hardcoded extensions such as .doc, .docx, .pdf, and .rar.

A notable evolution in recent campaigns is Tomiris’s use of legitimate messaging platforms as covert command-and-control and exfiltration channels, especially Telegram and Discord. The content states Tomiris routes C2 traffic through Telegram and Discord, uses Telegram bot-based tools for command execution and data theft, and uses Discord webhooks/channels to exfiltrate system details, file lists, documents, and images.

The group is described as persistent and operationally flexible: it cycles through disposable malware variants until one evades detection, modifies open-source projects to reduce visibility, and reuses filenames, archive passwords, and infrastructure across campaigns. Persistence via Windows Registry Run keys is also explicitly mentioned.

Overall, the provided content characterizes Tomiris as a likely Kazakhstan-aligned espionage actor focused on stealth, persistence, and intelligence collection against government and diplomatic infrastructure in Russia and Central Asia/CIS.
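Three of the behaviours above (executables masquerading as documents with double extensions such as .doc.exe, persistence through Registry Run keys, and C2 or exfiltration over Telegram and Discord) are each visible in ordinary endpoint telemetry. The following detector is an added example written for this profile; it is not code from Kaspersky, Microsoft, or any of the reports summarized here. It runs over constructed Sysmon-style events (process creation, registry value set, network connection) in a pipe-separated key=value form that is assumed for this example, and it flags each behaviour with a simple rule. The hostnames api.telegram.org, discord.com, and discordapp.com are the public API endpoints of those services; the browser and client allowlist is an assumption a real deployment would tune.

```python
import re
from typing import Dict, List

# --- Detection rules (constructed for this example) -------------------------

# A document-looking name followed by an executable extension (e.g. invoice.doc.exe).
DOC_MASQUERADE = re.compile(
    r"\.(docx?|xlsx?|pptx?|pdf|rar|zip)\.(exe|scr|com|pif)$", re.IGNORECASE
)

# HKCU/HKLM ...\CurrentVersion\Run and RunOnce value writes (Registry Run key persistence).
RUN_KEY = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE
)

# Messaging-platform API hosts that backdoors have used as covert C2/exfiltration channels.
MESSAGING_C2_HOSTS = {"api.telegram.org", "discord.com", "discordapp.com"}

# Processes for which traffic to those hosts is expected (assumed allowlist; tune per estate).
EXPECTED_CLIENTS = {"chrome.exe", "firefox.exe", "msedge.exe", "telegram.exe", "discord.exe"}

# --- Constructed sample telemetry (not real IoCs) ---------------------------

SAMPLE_EVENTS = [
    "EventID=1|Image=C:\\Users\\ivan\\Downloads\\invitation.doc.exe|ParentImage=C:\\Program Files\\WinRAR\\WinRAR.exe",
    "EventID=1|Image=C:\\Windows\\System32\\notepad.exe|ParentImage=C:\\Windows\\explorer.exe",
    "EventID=13|Image=C:\\Users\\ivan\\Downloads\\invitation.doc.exe|TargetObject=HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater|Details=C:\\Users\\ivan\\AppData\\Roaming\\svc.exe",
    "EventID=13|Image=C:\\Windows\\System32\\msiexec.exe|TargetObject=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\App|Details=1",
    "EventID=3|Image=C:\\Users\\ivan\\AppData\\Roaming\\svc.exe|DestinationHostname=api.telegram.org|DestinationPort=443",
    "EventID=3|Image=C:\\Program Files\\Mozilla Firefox\\firefox.exe|DestinationHostname=discord.com|DestinationPort=443",
    "EventID=3|Image=C:\\Users\\ivan\\AppData\\Roaming\\svc.exe|DestinationHostname=discord.com|DestinationPort=443",
]


def parse_event(line: str) -> Dict[str, str]:
    """Split a pipe-separated key=value event line into a dict."""
    fields: Dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def basename(path: str) -> str:
    """Return the file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1]


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Evaluate each event against the three rules, in order.

    Network findings are marked correlated=True when the connecting image was
    earlier written as a Run-key value, i.e. persistence and covert C2 chain up.
    """
    findings: List[Dict[str, object]] = []
    persisted_images = set()  # lower-cased paths seen as Run-key Details values

    for line in lines:
        ev = parse_event(line)
        eid = ev.get("EventID")
        image = ev.get("Image", "")

        if eid == "1" and DOC_MASQUERADE.search(image):
            findings.append({"rule": "document_masquerade", "image": image,
                             "parent": ev.get("ParentImage", "")})

        elif eid == "13" and RUN_KEY.search(ev.get("TargetObject", "")):
            details = ev.get("Details", "")
            persisted_images.add(details.lower())
            findings.append({"rule": "run_key_persistence", "image": image,
                             "target": ev.get("TargetObject", ""), "value": details})

        elif eid == "3":
            host = ev.get("DestinationHostname", "").lower()
            if host in MESSAGING_C2_HOSTS and basename(image).lower() not in EXPECTED_CLIENTS:
                findings.append({"rule": "messaging_platform_c2", "image": image,
                                 "host": host,
                                 "correlated": image.lower() in persisted_images})

    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

On the constructed events the scan yields four findings: the .doc.exe launched from WinRAR, the Run-key write pointing at svc.exe, and two non-browser connections to messaging-platform APIs, both of which correlate back to the persisted binary. The Firefox connection to discord.com is suppressed by the allowlist, which is where most of the tuning effort would go in practice.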
Tradecraft
2 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
3 malware families attributed to this actor across reporting.
Observables
5 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
11 sources tracked across advisories, community write-ups, and news.
Related/overlapping Kazakhstani state-interest espionage cluster associated with Telegram-based backdoors (e.g., Telemiris) and the Rust backdoor JLORAT; infrastructure and victimology overlap is used in the content to support attribution/relationship to Hydra Saiga.
Actor targeting Russian government/foreign-ministry and intergovernmental orgs; shifting to implants that use public services (e.g., Telegram/Discord) for stealthier C2.
Tomiris is conducting cyber-espionage campaigns and has recently evolved its tactics and tools in a new wave of attacks.
Tomiris is conducting espionage campaigns targeting diplomatic entities, using a polyglot strategy and hijacking Telegram and Discord as covert command and control (C2) channels.