Tomiris APT Targets Russian and CIS Diplomatic Missions With New Cyber‑Espionage Wave in 2025

CyberSecureFox 🦊

Since the beginning of 2025, researchers from Kaspersky have observed a new wave of targeted cyber‑espionage operations by the Tomiris APT group against government institutions in Russia and several CIS countries. The campaign focuses primarily on ministries of foreign affairs and diplomatic missions, with the estimated number of affected users exceeding 1,000 accounts within a year.

Tomiris APT: evolving cyber‑espionage against Russia and the CIS

Tomiris was first publicly profiled in 2021 in connection with cyber‑espionage operations against government entities across the CIS region. Earlier campaigns mainly aimed at stealing internal documents and official correspondence. The 2025 activity indicates a clear evolution toward more stealthy, resilient and flexible operations, including diversified toolsets and more agile command‑and‑control (C2) infrastructure.

This shift mirrors broader trends in state‑sponsored cyber‑espionage: attackers increasingly combine custom malware with open‑source tools, multi‑language implants and cloud‑based services to make detection and attribution significantly more difficult.

Phishing-based initial access to government networks

The primary initial access vector remains spear‑phishing emails delivering password‑protected archives, which most mail gateways cannot open for scanning. Inside the archive, the victim finds an executable file disguised as a document. Tomiris operators rely on two main tricks: double extensions such as report.doc.exe, where the document extension is what the eye settles on, and excessively long file names padded so that the real .exe extension is pushed out of view in the name column of standard archive viewers.

A user expecting a harmless document inadvertently launches the executable and initiates system compromise. This technique continues to be effective because many users focus on the visible “document” icon and name, not on the actual extension, especially when file extensions are hidden by default in the operating system.
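The following is an added example, not code from the original article or from Kaspersky, of the check a mail gateway or analyst script can apply to an archive before any user sees it. It builds a small ZIP in memory from constructed file names and reports members that use the two naming tricks described above: a document extension followed by an executable one, and a long or whitespace‑padded name ending in an executable extension. The extension lists, the length threshold and the sample names are assumptions, not values published for this campaign.

```python
"""Archive lure check for the naming tricks described above.

Added example, not code from the original article or from Kaspersky. It builds
a small ZIP in memory from constructed file names and reports members whose
visible name hides an executable extension. Extension lists and the length
threshold are assumptions, not values published for this campaign.
"""
import io
import zipfile

# Extensions that run code when double-clicked on Windows (assumed list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".lnk"}
# Extensions a recipient would read as a harmless document (assumed list).
DOCUMENT_EXTS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".rtf", ".txt"}
# Beyond this length most archive viewers truncate the name column (assumed threshold).
LONG_NAME_THRESHOLD = 60


def classify_member(name: str) -> list[str]:
    """Return the reasons a member name is suspicious; an empty list means clean."""
    base = name.rsplit("/", 1)[-1]                      # drop any directory part
    # Collapse space / NBSP padding that pushes the real extension out of view.
    collapsed = " ".join(base.replace("\u00a0", " ").split())
    # Every dot-separated part after the first is a candidate extension.
    suffixes = ["." + part.strip().lower() for part in collapsed.split(".")[1:]]
    if not suffixes or suffixes[-1] not in EXECUTABLE_EXTS:
        return []                                        # not something that launches code
    reasons = []
    if any(s in DOCUMENT_EXTS for s in suffixes[:-1]):
        reasons.append(f"double extension: reads as a document but ends in {suffixes[-1]}")
    if len(base) > LONG_NAME_THRESHOLD or base != collapsed:
        reasons.append("executable with a long or whitespace-padded name")
    if not reasons:
        reasons.append(f"bare executable member ({suffixes[-1]})")
    return reasons


def scan_archive(data: bytes) -> dict[str, list[str]]:
    """Map each suspicious member name in a ZIP to the reasons it was flagged."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = classify_member(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample archive (not a real lure): two tricks plus two benign files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Нота_МИД_2025.doc.exe", b"MZ stub")                      # double extension
        zf.writestr("Приглашение на прием" + " " * 80 + ".exe", b"MZ stub")  # padded long name
        zf.writestr("Программа визита.pdf", b"%PDF-1.4 stub")                # benign document
        zf.writestr("docs/список.txt", b"plain text")                        # benign, in a folder
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in scan_archive(build_sample_archive()).items():
        print(repr(member), "->", "; ".join(reasons))
```

ZIP member names sit unencrypted in the central directory even when the archive is password‑protected, so this listing works before any password is known; 7z and RAR archives created with header encryption hide the names too, and such archives should simply be quarantined. The collapse of runs of spaces and non‑breaking spaces matters because the padding that hides the extension in a GUI viewer is exactly what a naive `endswith(".exe")` check sees anyway, while the double‑extension rule catches the case where nothing is hidden and the user just trusts the first extension.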

Localized spear-phishing in Russian and Central Asian languages

More than half of the phishing emails and decoy files used in the 2025 campaign are written in Russian, clearly reflecting a priority focus on Russian‑speaking government bodies and state‑linked organizations. The remaining messages target Turkmenistan, Kyrgyzstan, Tajikistan and Uzbekistan, and are localized into the respective national languages.

Localization goes beyond translation: messages are tailored to local institutional realities and diplomatic topics, which substantially increases credibility and open rates. Industry reports consistently show that well‑crafted, localized spear‑phishing remains the dominant entry point for advanced persistent threats (APTs) targeting government networks worldwide.

Command-and-control via Telegram, Discord and custom frameworks

Once the malicious file is executed, Tomiris typically deploys a reverse shell—a small agent that connects out from the infected system to the attackers’ C2 infrastructure and awaits instructions. Analysts have observed implementations written in C/C++, C#, Go, Rust and Python. This language diversity hinders signature‑based detection and allows attackers to adapt payloads to different environments and security controls.

A notable trend is the use of Telegram and Discord as C2 channels. Malicious traffic is blended with normal conversations and API requests from these popular messaging platforms, making it difficult for network monitoring tools to distinguish between legitimate and malicious activity. Many organizations allow such traffic by default, which directly benefits attackers seeking to avoid strict firewall rules and proxy inspections.

AdaptixC2, Havoc and stealthy lateral movement

In later stages of the intrusion, Tomiris expands its presence using AdaptixC2 and Havoc—powerful post‑exploitation and C2 frameworks that provide an operator console for remote control, persistence and module deployment. These frameworks, originally designed for penetration testing and red‑teaming, are increasingly weaponized by APT actors because they offer mature, feature‑rich ecosystems.

For lateral movement inside the victim’s network, Tomiris uses reverse SOCKS proxies based on publicly available projects hosted on GitHub. A reverse proxy of this kind connects outbound from a compromised host to attacker infrastructure, so the operators can route their own traffic back through it into the network and reach file servers, email systems and other sensitive assets, while on the wire the tunnel looks like one more outbound encrypted session.

Data theft: documents, images and confidential files

The main objective of Tomiris implants is to identify and exfiltrate confidential data. Infected hosts are scanned for files with extensions .jpg, .jpeg, .png, .txt, .rtf, .pdf, .xlsx, .docx. The inclusion of image formats suggests an interest not only in textual documents but also in scanned passports, signed agreements, and photographs of sensitive information, which are often stored as pictures.

One tool, dubbed Tomiris Rust Downloader, does not immediately upload the files; instead, it sends only lists of file paths to a Discord channel. This significantly reduces suspicious network volume and allows operators to manually select high‑value targets. Another module, known as Tomiris Python FileGrabber, archives selected files into ZIP containers and exfiltrates them via HTTP POST requests, imitating ordinary web traffic and blending with legitimate browsing activity.

Key trends and defensive measures for Russian and CIS organizations

According to Kaspersky’s assessment, the current campaign demonstrates a clear shift toward long‑term, covert presence in victim networks. Use of multi‑language implants, reliance on public messaging platforms for C2, and the combination of custom malware with open‑source code all serve to merge malicious activity with everyday network traffic and evade traditional security tools.

Government agencies and large enterprises in Russia and the CIS should enhance defenses across several layers. On the endpoint and email level, organizations should block execution of binaries directly from archive attachments, disable hiding of file extensions in file explorers, and conduct regular training on recognizing targeted spear‑phishing, including password‑protected archives and double extensions.

On the network side, it is critical to monitor and control the use of Telegram and Discord on workstations and servers, applying strict allow‑listing where possible and inspecting traffic for anomalies. Deployment of modern EDR/XDR solutions, robust network segmentation, enforcement of the principle of least privilege, multi‑factor authentication, and centralized log management with proactive threat hunting significantly improves the chances of early detection.
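The following is an added example, not code from the original article or from Kaspersky, of the kind of proxy‑log hunt the preceding paragraph calls for. It covers the behaviours described earlier on this page in one pass: calls to the Telegram bot API and Discord API from workstations that are not on an allow‑list (the C2 channel), a Discord webhook POST of the kind the Rust downloader uses to send file‑path lists, and large or archive‑typed HTTP POSTs to external hosts of the kind the Python file grabber uses to ship ZIP containers. The log lines, host names, allow‑list, internal domain and thresholds are all constructed assumptions.

```python
"""Proxy-log hunt for messenger-based C2 and HTTP POST exfiltration.

Added example, not code from the original article or from Kaspersky. Runs a
few detection rules over a constructed proxy log and returns the alerts, so it
can be adapted to a real Squid / Zscaler / Bluecoat export with the same fields.
"""
import csv
import io
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample log (not real data). Fields: ts, src, method, url, status,
# bytes_sent (request body size), content_type (request), user_agent.
SAMPLE_LOG = """\
ts,src,method,url,status,bytes_sent,content_type,user_agent
2025-03-04T09:12:01Z,10.20.1.15,GET,https://intranet.example.gov/news,200,512,-,Mozilla/5.0 (Windows NT 10.0) Firefox/125.0
2025-03-04T09:12:44Z,10.20.1.15,POST,https://discord.com/api/webhooks/000000000000/PLACEHOLDER,204,2310,application/json,python-requests/2.31
2025-03-04T09:13:10Z,10.20.1.15,POST,https://api.telegram.org/bot000000:PLACEHOLDER/sendDocument,200,1048576,multipart/form-data,Go-http-client/1.1
2025-03-04T09:15:30Z,10.20.1.15,POST,https://cdn-updates.example.net/upload,200,7340032,application/zip,Mozilla/5.0 (Windows NT 10.0) Chrome/124.0
2025-03-04T09:16:02Z,10.20.1.40,GET,https://discord.com/channels/@me,200,800,-,Mozilla/5.0 (Windows NT 10.0) Chrome/124.0
2025-03-04T09:17:15Z,10.20.1.40,POST,https://mail.example.gov/owa/attachment,200,4096000,multipart/form-data,Mozilla/5.0 (Windows NT 10.0) Chrome/124.0
"""

# Hosts behind the Telegram bot API and the Discord API / webhooks (assumed list).
MESSENGER_API_HOSTS = {"api.telegram.org", "discord.com", "discordapp.com"}
# Workstations allowed to use those services, e.g. a press office (assumed allow-list).
APPROVED_MESSENGER_SOURCES = {"10.20.1.40"}
# Domains of the organisation's own services; uploads there are normal (assumption).
INTERNAL_DOMAINS = ("example.gov",)
# Request content types that indicate an archive being uploaded (assumed list).
ARCHIVE_TYPES = {"application/zip", "application/x-zip-compressed", "application/octet-stream"}
# Request bodies at or above this size to an external host get flagged (assumed threshold).
LARGE_POST_BYTES = 1_000_000


def parse_log(text: str) -> list[dict]:
    """Read the CSV export into one dict per request."""
    return list(csv.DictReader(io.StringIO(text)))


def is_internal(host: str) -> bool:
    """True if the host belongs to one of the organisation's own domains."""
    return any(host == d or host.endswith("." + d) for d in INTERNAL_DOMAINS)


def evaluate(rec: dict) -> list[str]:
    """Return the names of every rule a single request trips."""
    host = (urlsplit(rec["url"]).hostname or "").lower()
    rules = []
    # Rule 1: messenger API traffic from a host that has no business reason for it.
    if host in MESSENGER_API_HOSTS and rec["src"] not in APPROVED_MESSENGER_SOURCES:
        rules.append("messenger-api-unapproved")
    # Rules 2 and 3: outbound uploads that look like archived data leaving the network.
    if rec["method"] == "POST" and not is_internal(host):
        if rec["content_type"] in ARCHIVE_TYPES:
            rules.append("archive-upload")
        if int(rec["bytes_sent"]) >= LARGE_POST_BYTES:
            rules.append("large-upload")
    return rules


def hunt(text: str) -> list[dict]:
    """Run every rule over every request and collect the alerts."""
    alerts = []
    for rec in parse_log(text):
        for rule in evaluate(rec):
            alerts.append({"src": rec["src"], "rule": rule, "url": rec["url"],
                           "user_agent": rec["user_agent"]})
    return alerts


def summarize(alerts: list[dict]) -> dict[str, set[str]]:
    """Group the rules tripped per source address, the view an analyst triages from."""
    per_src = defaultdict(set)
    for a in alerts:
        per_src[a["src"]].add(a["rule"])
    return dict(per_src)


if __name__ == "__main__":
    for a in hunt(SAMPLE_LOG):
        print(a["src"], a["rule"], a["url"], "|", a["user_agent"])
    print(summarize(hunt(SAMPLE_LOG)))
```

Only the approved workstation’s Discord session passes, which is the point of pairing the rule with an allow‑list rather than a blanket block. The URL path, request content type and body size are only available when the proxy performs TLS inspection; with SNI or DNS logs alone the messenger‑host rule still works but the two upload rules degrade to per‑host byte counts, which is also where a user‑agent such as python-requests or Go-http-client talking to discord.com becomes a useful secondary signal.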

Publicly available tools and frameworks used inside organizations—especially those sourced from GitHub or similar platforms—should be regularly inventoried and audited, as they can be repurposed by attackers or confused with malicious counterparts, complicating incident response.

Tomiris’ latest operations underscore that cyber‑espionage against diplomatic and government targets in Russia and the CIS is intensifying in sophistication rather than volume alone. Organizations that treat phishing awareness, strict execution controls, and continuous monitoring of messaging and web traffic as strategic priorities will be better positioned to detect APT activity early, limit the impact of successful intrusions, and protect the integrity of sensitive diplomatic information.
