Tomiris Shifts to Public-Service Implants for Stealthier C2 in Attacks on Government Targets


These articles are AI-generated summaries. Please check the original sources for full details.

Tomiris, a threat actor linked to intelligence gathering in Central Asia, has shifted to implants that use public services such as Telegram and Discord for command-and-control (C2). Kaspersky reports that 50% of the spear-phishing emails in Tomiris' 2025 campaign targeted Russian-speaking users with Russian-language content.

Why This Matters

Modern intrusions rarely match the idealized model in which an attacker connects to obviously hostile infrastructure. By carrying C2 traffic over public services, Tomiris blends its malicious activity with legitimate user behavior and evades detection by traditional security tools. This raises the risk for government entities, which now face multi-language malware campaigns designed for long-term persistence across Central Asian and Russian networks.

Key Insights

  • “50% of spear-phishing emails targeted Russian-speaking users, 2025”: Kaspersky analysis of Tomiris’ 2025 campaign.
  • “Public-service C2 (Telegram/Discord) for stealth, per Kaspersky 2025”: Implants use open platforms to mask malicious traffic.
  • “Multi-language malware (C#, Rust, Go) used by Tomiris, per Kaspersky 2025”: Includes reverse shells, SOCKS proxies, and file harvesters.

Practical Applications

  • Use Case: Attackers targeting government networks route C2 through public services (Telegram, Discord), so a breach's traffic looks like ordinary use of those services.
  • Pitfall: Treating all traffic to public services as C2 produces false positives in traffic analysis, because legitimate users generate the same connections.
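The stealth point and the false-positive pitfall above suggest a narrower check than "alert on any Telegram/Discord traffic": score the timing regularity of a host's requests to the API endpoints, since a polling implant tends to check in on a near-fixed interval while human use is bursty. This is an added example, not code from Kaspersky or this site; the log format, IP addresses, thresholds and the host list are assumptions, and the sample log is constructed.

```python
"""Flag beacon-like polling of Telegram/Discord API hosts in proxy logs."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Hosts a bot-API C2 client would contact. Illustrative, not exhaustive.
PUBLIC_C2_HOSTS = {"api.telegram.org", "discord.com", "discordapp.com"}

# Constructed sample proxy log: "<timestamp> <src_ip> <dst_host> <path>".
# 10.0.0.5 polls the Telegram bot API about once a minute (beacon-like),
# 10.0.0.9 shows bursty human-paced Discord use, 10.0.0.7 has too few hits.
SAMPLE_LOG = """\
2025-03-01T09:00:00 10.0.0.5 api.telegram.org /botREDACTED/getUpdates
2025-03-01T09:00:00 10.0.0.9 discord.com /api/v10/users/@me
2025-03-01T09:00:07 10.0.0.9 discord.com /api/v10/channels/1/messages
2025-03-01T09:01:00 10.0.0.5 api.telegram.org /botREDACTED/getUpdates
2025-03-01T09:02:01 10.0.0.5 api.telegram.org /botREDACTED/getUpdates
2025-03-01T09:02:30 10.0.0.9 discord.com /api/v10/channels/1/messages
2025-03-01T09:02:41 10.0.0.9 discord.com /api/v10/channels/1/messages
2025-03-01T09:02:59 10.0.0.5 api.telegram.org /botREDACTED/getUpdates
2025-03-01T09:03:10 10.0.0.7 discord.com /api/v10/users/@me
2025-03-01T09:04:00 10.0.0.5 api.telegram.org /botREDACTED/getUpdates
2025-03-01T09:05:00 10.0.0.5 api.telegram.org /botREDACTED/getUpdates
2025-03-01T09:15:03 10.0.0.9 discord.com /api/v10/channels/1/messages
2025-03-01T09:15:09 10.0.0.9 discord.com /api/v10/channels/1/messages
"""

def parse_line(line):
    ts, src, host, path = line.split()
    return datetime.fromisoformat(ts), src, host, path

def beacon_cv(times):
    """Coefficient of variation of inter-request gaps; near 0 means clockwork."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 3 or mean(gaps) == 0:
        return None  # too few gaps, or duplicate timestamps
    return pstdev(gaps) / mean(gaps)

def find_beacons(log_text, max_cv=0.1, min_hits=5):
    """Return {(src_ip, host): cv} for pairs polled with low timing jitter."""
    per_pair = defaultdict(list)
    for line in log_text.splitlines():
        ts, src, host, _ = parse_line(line)
        if host in PUBLIC_C2_HOSTS:
            per_pair[(src, host)].append(ts)
    flagged = {}
    for pair, times in sorted(per_pair.items()):
        times.sort()
        if len(times) < min_hits:
            continue  # a short burst is not enough evidence of a beacon
        cv = beacon_cv(times)
        if cv is not None and cv <= max_cv:
            flagged[pair] = round(cv, 3)
    return flagged
```

Running find_beacons(SAMPLE_LOG) flags only the 10.0.0.5 host; the bursty Discord user and the two-request host are left alone, which is the false-positive behaviour the pitfall warns about.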
