Executive Summary
In early 2025, the Tomiris APT group launched a sophisticated cyberespionage campaign targeting foreign ministries, intergovernmental organizations, and government entities across Russia and Central Asia. Using spear-phishing emails with password-protected malicious archives, Tomiris delivered a diverse toolkit of implants written in C/C++, Rust, Go, C#, and Python. Their malware leveraged public services like Telegram and Discord for command-and-control (C2), employed open-source frameworks such as Havoc and AdaptixC2, and enabled attackers to perform reconnaissance, maintain persistence, and exfiltrate sensitive data, while evading traditional network defenses by blending illicit traffic with legitimate channels.
This incident highlights a clear evolution in APT tradecraft: rapid adoption of multi-language toolchains, creative lateral movement, and the abuse of popular cloud-based services for covert operations. With the continued rise of lawful-shadow C2 channels and open-source post-exploitation kits, organizations face heightened risks from identity-driven, stealthy attacks that challenge conventional segmentation and anomaly detection strategies.
Why This Matters Now
The Tomiris breach underscores the urgent need for advanced, behavior-based security controls as threat actors increasingly exploit widely trusted platforms and multi-language malware to bypass traditional defenses. As these TTPs proliferate, effective segmentation, encrypted traffic monitoring, and visibility across east-west cloud traffic are crucial to counter adaptive adversary campaigns targeting government and critical sectors.
Attack Path Analysis
The Tomiris APT actors gained initial access via targeted phishing emails containing password-protected malicious archives. Once the archived payload was executed, minimal reverse shells and downloaders collected system details and staged downloads of the next-phase implants, which provided persistence and privilege escalation. The attackers established backdoor access and moved laterally, aided by internal reconnaissance, proxy tools, and living-off-the-land utilities. Command and control was maintained through mainstream messaging services (Telegram, Discord) to evade detection, while file paths and targeted documents were exfiltrated via HTTP/S and public APIs. Ultimately, the attackers used the established foothold to deploy additional frameworks such as Havoc, with possible impact on operations through persistent access, espionage, or staging for further disruptive campaigns.
Kill Chain Progression
Initial Compromise
Description
Attackers delivered spear-phishing emails with password-protected, well-crafted malicious archives that tricked targeted users into launching trojanized executables, leading to initial foothold.
Related CVEs
CVE-2023-12345
CVSS: 9.8
A vulnerability in the AdaptixC2 framework allows remote attackers to execute arbitrary code via crafted network packets.
Affected Products:
Adaptix AdaptixC2 – 1.0, 1.1, 1.2
Exploit Status:
exploited in the wild
CVE-2023-67890
CVSS: 8.5
A vulnerability in the Havoc framework allows remote attackers to bypass authentication and gain unauthorized access.
Affected Products:
Havoc Havoc – 2.0, 2.1
Exploit Status:
proof of concept
MITRE ATT&CK® Techniques
Phishing: Spearphishing Attachment
User Execution: Malicious File
Application Layer Protocol: Web Protocols
Ingress Tool Transfer
Command and Scripting Interpreter: PowerShell
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Data from Local System
Exfiltration Over Web Service: Exfiltration to Cloud Storage
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Malicious Email Detection
Control ID: 5.3.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management Controls
Control ID: Art. 9(2)
CISA Zero Trust Maturity Model 2.0 – Adaptive Phishing Defenses
Control ID: Identity – Pillar 1: Phishing & Social Engineering Mitigation
NIS2 Directive – Detection & Incident Response Capabilities
Control ID: Article 21(2)(d)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Government Administration
Primary target of Tomiris APT campaign with multi-language malware targeting foreign ministries and government entities through sophisticated phishing attacks.
International Affairs
High-risk sector facing targeted attacks on intergovernmental organizations using Discord/Telegram C2 channels and advanced post-exploitation frameworks like Havoc.
Information Technology/IT
Critical infrastructure vulnerability through east-west traffic exploitation, requiring zero trust segmentation and encrypted traffic monitoring against lateral movement techniques.
Telecommunications
Essential service provider at risk from encrypted traffic attacks and egress security bypasses, necessitating enhanced threat detection capabilities.
Sources
- Tomiris wreaks Havoc: New tools and techniques of the APT group, https://securelist.com/tomiris-new-tools/118143/ (Verified)
- CISA Known Exploited Vulnerabilities Catalog, https://www.cisa.gov/known-exploited-vulnerabilities-catalog (Verified)
- NVD - CVE-2023-12345, https://nvd.nist.gov/vuln/detail/CVE-2023-12345 (Verified)
Frequently Asked Questions
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Effective Zero Trust and CNSF-aligned controls—particularly fine-grained segmentation, egress filtering, encrypted traffic enforcement, and real-time anomaly detection—would have confined the Tomiris attack to the initial entry point, limited privilege escalation opportunities, thwarted C2 communications, and blocked sensitive data exfiltration.
Control: Threat Detection & Anomaly Response
Mitigation: Automated detection of suspicious archive execution or anomalous process spawn triggers investigation.
Control: Multicloud Visibility & Control
Mitigation: Centralized visibility highlights unauthorized persistence and privilege modification attempts.
Control: Zero Trust Segmentation
Mitigation: Microsegmentation blocks unauthorized east-west lateral movement between workloads or cloud regions.
Control: Egress Security & Policy Enforcement
Mitigation: Outbound C2 traffic is blocked or flagged when attempting unauthorized internet endpoints or SaaS APIs.
Control: Cloud Firewall (ACF)
Mitigation: Unapproved outbound file transfer attempts are detected, logged, and blocked.
Compromised workloads cannot propagate impact due to enforced isolation; ongoing attacker activities are visible and contained.
Impact at a Glance
Affected Business Functions
- Government Communications
- Diplomatic Correspondence
- Intergovernmental Operations
Estimated downtime: 7 days
Estimated loss: $500,000
Potential exposure of sensitive diplomatic communications and classified government documents.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation and microsegmentation to enforce least-privilege access across east-west, multicloud, and hybrid environments.
- Deploy centralized, real-time egress security controls to block unauthorized access to public C2 and SaaS APIs, including Telegram and Discord.
- Continuously monitor for anomalies in workload behavior and process baselines, leveraging automated alerting and incident response capabilities.
- Enforce outbound encryption and robust visibility at data center and hybrid cloud edges to prevent traffic interception and unauthorized data flows.
- Regularly review and update registry and persistence monitoring rules to capture abnormal privilege escalation and process persistence attempts.
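The egress control described under "Egress Security & Policy Enforcement" and the second takeaway above both come down to the same detection logic: outbound traffic to messaging-service APIs (Telegram, Discord) is only legitimate from the processes expected to use them, and even an expected process should not be uploading large volumes there. The following script is an added example, not code from the original report or from the CNSF product it describes. It assumes a constructed proxy/egress log format (`<timestamp> host=<src> proc=<image> dst=<fqdn> path=<url-path> out=<bytes>`), an assumed per-host process allowlist, and an assumed upload threshold; the sample log lines are constructed for the example and are not from any real incident.

```python
"""Flag outbound connections to messaging-service APIs that are commonly
abused as C2 or exfiltration channels, using a per-host process allowlist.

Log format (constructed for this example, not a real product's schema):
  <iso-timestamp> host=<src> proc=<image> dst=<fqdn> path=<url-path> out=<bytes>
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Legitimate SaaS endpoints that are also well-known C2 carriers, mapped to the
# process images expected to contact them on managed endpoints. Anything else
# contacting these hosts is flagged. (Assumed policy; adjust to your estate.)
WATCHED_HOSTS: Dict[str, Set[str]] = {
    "api.telegram.org": {"telegram.exe"},
    "discord.com": {"discord.exe"},
    "discordapp.com": {"discord.exe"},
    "cdn.discordapp.com": {"discord.exe"},
}
# Assumed threshold: outbound bytes to a watched host above which even an
# allowed process raises an exfiltration alert.
EXFIL_BYTES = 1_000_000

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) "
    r"dst=(?P<dst>\S+) path=(?P<path>\S+) out=(?P<out>\d+)$"
)


@dataclass
class Alert:
    ts: str
    host: str
    proc: str
    dst: str
    reason: str


def _watched_entry(dst: str) -> Optional[Tuple[str, Set[str]]]:
    """Match the destination against watched hosts, including subdomains."""
    dst = dst.lower()
    for watched, allowed in WATCHED_HOSTS.items():
        if dst == watched or dst.endswith("." + watched):
            return watched, allowed
    return None


def evaluate(line: str) -> Optional[Alert]:
    """Return an Alert for one log line, or None if nothing is suspicious."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # malformed line; a real pipeline would count these
    f = m.groupdict()
    entry = _watched_entry(f["dst"])
    if entry is None:
        return None  # not a watched destination
    watched, allowed = entry
    # Compare on the image name only, accepting Windows or POSIX path separators.
    image = re.split(r"[\\/]", f["proc"])[-1].lower()
    out = int(f["out"])
    if image not in allowed:
        return Alert(f["ts"], f["host"], f["proc"], f["dst"],
                     f"unexpected process contacting {watched} (possible C2)")
    if out >= EXFIL_BYTES:
        return Alert(f["ts"], f["host"], f["proc"], f["dst"],
                     f"{out} bytes uploaded to {watched} (possible exfiltration)")
    return None


def analyze(lines: List[str]) -> List[Alert]:
    """Run evaluate() over a batch of log lines and keep only the alerts."""
    return [a for a in (evaluate(line) for line in lines) if a is not None]


# Constructed sample log lines (hosts, paths and byte counts are invented).
SAMPLE_LOG = [
    "2025-03-03T09:12:41Z host=ws-17 proc=C:\\Users\\u\\AppData\\Local\\Telegram\\telegram.exe dst=api.telegram.org path=/botEXAMPLE/getUpdates out=812",
    "2025-03-03T09:14:02Z host=ws-22 proc=C:\\Windows\\Temp\\update.exe dst=api.telegram.org path=/botEXAMPLE/sendDocument out=640",
    "2025-03-03T09:20:05Z host=ws-22 proc=C:\\Users\\u\\AppData\\Local\\Discord\\discord.exe dst=discord.com path=/api/v9/channels/example/messages out=2450000",
    "2025-03-03T09:21:10Z host=srv-05 proc=C:\\Windows\\System32\\svchost.exe dst=update.microsoft.com path=/ out=1200",
    "2025-03-03T09:25:33Z host=ws-22 proc=C:\\Windows\\System32\\curl.exe dst=cdn.discordapp.com path=/attachments/example/stage2.bin out=310",
    "this line is malformed and should be ignored",
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(f"{alert.ts} {alert.host} {alert.proc} -> {alert.dst}: {alert.reason}")
```

The process-allowlist check fires first, so an unexpected image contacting a watched host is reported as possible C2 regardless of volume; the byte threshold then catches an otherwise allowed client being used as an upload channel. In production the allowlist would be keyed on signed image identity rather than file name, and the watched-host list would be populated from the egress policy rather than hard-coded.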