Tomiris APT - New Reverse Shells Abuse Telegram and Discord C2
CORTEX Protocol Intelligence Assessment
Business Impact: Tomiris's expanded toolkit strengthens its ability to gain and maintain access to government and high-value institutional environments across Russia and Central Asia, enabling long-term intelligence collection and potential disruption. Compromise of foreign ministries, intergovernmental bodies, or associated contractors can yield sensitive diplomatic communications, policy drafts, and credentials that may be reused against partner organizations.
Technical Context: The campaigns combine T1566 phishing with multi-language loaders and reverse shells that execute attacker commands (T1059) and use T1105-style ingress tool transfer over Telegram, Discord, and HTTP webhooks. By leaning on public services and open-source frameworks such as AdaptixC2 and Distopia, Tomiris complicates network-based detection and gains the flexibility to tailor post-exploitation tooling to each victim.
Strategic Intelligence Guidance
- Enhance targeted phishing controls and awareness for diplomatic, governmental, and policy staff, with particular emphasis on password-protected archives and double-extension executables masquerading as office files.
- Implement strict egress controls for high-security networks, limiting or blocking outbound connections to public messaging APIs and Discord webhooks except where explicitly justified and monitored.
- Deploy endpoint detection rules for PyInstaller-based binaries, suspicious PowerShell encoded commands, and known Tomiris reverse shell behaviors such as command-and-control over Telegram or Discord.
- Curate and regularly update Tomiris-specific indicators and behavioral analytics in threat hunting playbooks, including filenames, registry persistence keys, and network patterns tied to AdaptixC2 and related frameworks.
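The following hunting script is an added example, not part of this assessment and not Tomiris or AdaptixC2 code; it turns the egress, endpoint and phishing-lure guidance above into checks that run over constructed proxy, process, attachment and binary events. The Telegram and Discord URL patterns, the event field names and every sample value are assumptions made for illustration; the only real constant is the CArchive magic that PyInstaller writes into the trailer of the executables it bundles. It goes slightly beyond the text by decoding the PowerShell -EncodedCommand payload (base64 of UTF-16LE) so an analyst sees the cleartext rather than only a flag.

```python
"""Added example, not part of the assessment: a small hunting script that applies the egress,
endpoint and phishing-lure guidance above to constructed telemetry. Hostnames, field names and
sample events are assumptions made for illustration."""
import base64
import re
from dataclasses import dataclass

# Public messaging endpoints the guidance says to restrict at the egress boundary
# (Telegram Bot API and Discord webhook URL shapes; assumed, tune to your proxy logs).
MESSAGING_C2_PATTERNS = [
    re.compile(r"^https?://api\.telegram\.org/bot[^/]+/", re.I),
    re.compile(r"^https?://discord(?:app)?\.com/api/webhooks/", re.I),
]

# Double-extension lure: an office-looking inner extension followed by an executable outer one.
OFFICE_EXTENSIONS = {"doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "rtf"}
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "ps1"}

# PowerShell -EncodedCommand and its short forms; the payload is base64 of UTF-16LE text.
ENC_FLAG = re.compile(r"(?:^|\s)-(?:encodedcommand|enc|en|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)

# Magic that PyInstaller writes into the CArchive trailer of the executables it bundles.
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"


def is_messaging_c2_url(url: str) -> bool:
    return any(p.search(url) for p in MESSAGING_C2_PATTERNS)


def is_double_extension_lure(filename: str) -> bool:
    parts = filename.lower().rsplit(".", 2)
    if len(parts) < 3:
        return False
    return parts[1] in OFFICE_EXTENSIONS and parts[2] in EXECUTABLE_EXTENSIONS


def decode_encoded_powershell(cmdline: str):
    """Return the decoded -EncodedCommand text, or None if the line carries none."""
    if "powershell" not in cmdline.lower():
        return None
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def has_pyinstaller_marker(data: bytes) -> bool:
    return PYINSTALLER_MAGIC in data


@dataclass
class Finding:
    rule: str
    event_id: str
    detail: str


def scan_events(events):
    """Run every rule over a list of event dicts and return the findings in input order."""
    findings = []
    for ev in events:
        kind = ev["type"]
        if kind == "proxy" and is_messaging_c2_url(ev["url"]):
            findings.append(Finding("egress-to-messaging-api", ev["id"], ev["url"]))
        elif kind == "process":
            decoded = decode_encoded_powershell(ev["cmdline"])
            if decoded is not None:
                findings.append(Finding("encoded-powershell", ev["id"], decoded))
        elif kind == "attachment" and is_double_extension_lure(ev["filename"]):
            findings.append(Finding("double-extension-lure", ev["id"], ev["filename"]))
        elif kind == "binary" and has_pyinstaller_marker(ev["data"]):
            findings.append(Finding("pyinstaller-bundle", ev["id"], ev["path"]))
    return findings


# Constructed sample telemetry; none of these values are indicators from the assessment.
SAMPLE_ENC = base64.b64encode("whoami".encode("utf-16-le")).decode()  # -> dwBoAG8AYQBtAGkA
SAMPLE_PYINSTALLER_TAIL = b"\x00" * 16 + PYINSTALLER_MAGIC + b"\x00" * 8
SAMPLE_EVENTS = [
    {"id": "e1", "type": "proxy", "url": "https://api.telegram.org/bot000000:PLACEHOLDER/sendMessage"},
    {"id": "e2", "type": "proxy", "url": "https://discord.com/api/webhooks/000/PLACEHOLDER"},
    {"id": "e3", "type": "proxy", "url": "https://updates.example.internal/catalog.xml"},
    {"id": "e4", "type": "process", "cmdline": "powershell.exe -nop -w hidden -enc " + SAMPLE_ENC},
    {"id": "e5", "type": "process", "cmdline": "powershell.exe -File C:\\scripts\\inventory.ps1"},
    {"id": "e6", "type": "attachment", "filename": "Agenda_2024.docx.exe"},
    {"id": "e7", "type": "attachment", "filename": "Agenda_2024.docx"},
    {"id": "e8", "type": "binary", "path": "C:\\Users\\Public\\update.exe", "data": SAMPLE_PYINSTALLER_TAIL},
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"{f.rule:26} {f.event_id}  {f.detail}")
```

Running the script prints one line per finding: the two messaging-API egress events, the encoded PowerShell launch with its decoded text, the double-extension lure and the PyInstaller-stamped binary, while the benign proxy, process and attachment events produce nothing. In production the URL patterns belong in the proxy or firewall policy itself (the block from the guidance), with this logic serving as the monitoring side for the justified exceptions.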