Executive Summary
In late 2025, the state-sponsored threat actor Tomiris escalated its attacks against government entities and intergovernmental organizations, primarily in Russia and neighboring regions. The group notably shifted its tactics by deploying custom remote access implants that used public cloud services, such as Telegram and Discord, as command-and-control (C2) channels. This allowed Tomiris to hide its network traffic among legitimate use of those services, evading conventional perimeter defenses and security controls. The compromise enabled the attackers to maintain persistent access, deploy additional payloads, and potentially exfiltrate sensitive diplomatic and policy data.
This incident is significant because it demonstrates the evolving sophistication of APT tactics: the use of ubiquitous public platforms for C2 makes detection and attribution harder. It also highlights the urgency of zero trust architectures, enhanced traffic monitoring, and cloud-centric security controls as organizations face an increase in nation-state and intelligence-motivated threats.
Why This Matters Now
Tomiris’s adoption of public-service-based implants represents a broader trend among advanced threat actors who seek stealth by blending malicious traffic with popular, trusted cloud communication apps. Many governments and enterprises are now especially vulnerable due to increased reliance on cloud collaboration platforms, underscoring the urgent need for continuous monitoring, cloud-aware segmentation, and adaptive egress policies.
Attack Path Analysis
Tomiris gained initial access to targeted government networks, likely through spear-phishing or exploitation of exposed services. The threat actor escalated privileges to gain broader administrative control within cloud environments. They then moved laterally between workloads and sensitive assets, leveraging existing credentials and internal network trust. Implants were deployed for persistent command and control using public services such as Telegram and Discord to evade detection. Sensitive data was exfiltrated over encrypted or covert channels, ultimately leading to strategic impact on targeted organizations’ operations and confidentiality.
Kill Chain Progression
Initial Compromise
Description
The attacker phished government staff or exploited exposed cloud services to establish an initial foothold.
MITRE ATT&CK® Techniques
Ingress Tool Transfer
Proxy: Multi-hop Proxy
Web Service
Phishing
Encrypted Channel
Registry Run Keys/Startup Folder
Obfuscated Files or Information
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Incident Response Plan Testing and Awareness
Control ID: 12.10.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 11
CISA ZTMM 2.0 – Continuous Monitoring Across Communication Channels
Control ID: C2 - Visibility and Analytics
NIS2 Directive – Security Requirements for Essential Entities
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Government Administration
Primary target of Tomiris APT attacks via Telegram/Discord C2 channels, requiring enhanced east-west traffic security and zero trust segmentation for foreign ministry protection.
International Affairs
Foreign ministries face direct targeting from state-sponsored actors using public service implants, necessitating encrypted traffic controls and multicloud visibility for diplomatic communications.
Computer/Network Security
Security practitioners must develop countermeasures against stealthier C2 tactics leveraging legitimate platforms, requiring advanced threat detection and anomaly response capabilities.
Telecommunications
Communication infrastructure vulnerable to APT lateral movement and data exfiltration through compromised government channels, demanding robust egress security and policy enforcement measures.
Sources
- Tomiris Shifts to Public-Service Implants for Stealthier C2 in Attacks on Government Targets: https://thehackernews.com/2025/12/tomiris-shifts-to-public-service.html
- Tomiris APT Targets Diplomats with Havoc and AdaptixC2 Open-Source Frameworks: https://www.technadu.com/tomiris-apt-targets-diplomatic-entities-in-new-campaign-using-multi-language-reverse-shells-havoc-and-adaptixc2-open-source-frameworks/614742/
- Kaspersky investigates Tomiris APT group targeting government entities in CIS: https://www.kaspersky.co.uk/about/press-releases/kaspersky-investigates-tomiris-apt-group-targeting-government-entities-in-cis
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Applying zero trust network segmentation, workload isolation, real-time egress policy enforcement, and advanced threat detection would have thwarted or significantly limited Tomiris’ ability to persist, move laterally, exfiltrate data, and maintain C2. CNSF-aligned controls restrict lateral movement, enforce least privilege, and provide inline inspection to disrupt covert channels over public services.
Control: Cloud Firewall (ACF)
Mitigation: Blocked malicious inbound traffic to cloud services, reducing the attack surface.
Control: Zero Trust Segmentation
Mitigation: Confined role access and limited privilege escalation beyond initial breach point.
Control: East-West Traffic Security
Mitigation: Blocked unauthorized lateral traffic between workloads and across regions.
Control: Egress Security & Policy Enforcement
Mitigation: Blocked outbound connections to unauthorized public SaaS and C2 domains.
Control: Encrypted Traffic (HPE)
Mitigation: Prevented visibility gaps by providing high-performance encrypted traffic inspection and secure data transfer.
Enabled rapid detection and containment of persistent threats to limit operational impact.
Impact at a Glance
Affected Business Functions
- Government Communications
- Diplomatic Correspondence
- Intergovernmental Operations
Estimated downtime: 7 days
Estimated loss: $500,000
Potential exposure of sensitive diplomatic communications and government documents due to unauthorized remote access established by the Tomiris APT group.
Recommended Actions
Key Takeaways & Next Steps
- Enforce network-level zero trust segmentation to isolate workloads and minimize lateral movement pathways.
- Apply stringent outbound egress controls to limit access to only sanctioned domains and services, preventing covert C2 and exfiltration.
- Deploy real-time threat detection and anomaly response to identify suspicious behaviors and compromised endpoints promptly.
- Ensure encryption and inspection capabilities are in place to catch and control unauthorized data flows, even over encrypted channels.
- Centralize visibility and governance across multicloud and hybrid environments to rapidly detect, investigate, and respond to advanced persistent threats.
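The egress-control and detection recommendations above are easiest to reason about with a concrete check. The following Python script is an added example written for this brief; it is not code from the original page or from any vendor product it mentions. It assumes a constructed proxy/flow log format (`timestamp src=IP dst=host:port bytes_out=N`), two constructed network zones with a hypothetical per-zone egress allowlist, and a watchlist of the real Telegram and Discord hostnames that the brief identifies as C2 carriers. It reports three things a defender would want from such logs: destinations outside the sanctioned allowlist for the source's zone, any contact with the public-service watchlist, and connection timing that is regular enough to look like a beacon rather than interactive use.

```python
"""Egress allowlist enforcement plus detection of workloads contacting public
messaging services used as C2 carriers. Zones, allowlist and log lines below
are constructed for this example; the watchlist hostnames are real services."""
import ipaddress
import re
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Constructed zones: server workloads have no business talking to chat platforms.
ZONES = {
    "workload": ipaddress.ip_network("10.20.0.0/16"),
    "user": ipaddress.ip_network("10.50.0.0/16"),
}

# Hypothetical sanctioned-egress allowlist per zone (deny by default).
ALLOWLIST = {
    "workload": {"updates.example-gov.local", "api.example-gov.local"},
    "user": {"updates.example-gov.local", "api.example-gov.local", "mail.example-gov.local"},
}

# Public services the brief reports Tomiris used for C2, kept as a watchlist.
PUBLIC_C2_CARRIERS = {"api.telegram.org", "discord.com", "discordapp.com", "gateway.discord.gg"}

# Constructed log format: ISO-8601 UTC timestamp, source IP, destination host:port, bytes out.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>[^:\s]+):(?P<port>\d+) bytes_out=(?P<bytes>\d+)$"
)

# Constructed sample: a workload beaconing to Telegram roughly every 60 s,
# a user host touching Discord once, and a source from no known zone.
SAMPLE_LOGS = [
    "2025-12-03T10:00:00Z src=10.20.5.14 dst=updates.example-gov.local:443 bytes_out=812",
    "2025-12-03T10:00:05Z src=10.20.5.14 dst=api.telegram.org:443 bytes_out=1460",
    "2025-12-03T10:01:04Z src=10.20.5.14 dst=api.telegram.org:443 bytes_out=1472",
    "2025-12-03T10:02:06Z src=10.20.5.14 dst=api.telegram.org:443 bytes_out=1455",
    "2025-12-03T10:03:05Z src=10.20.5.14 dst=api.telegram.org:443 bytes_out=1468",
    "2025-12-03T10:02:30Z src=10.50.3.7 dst=discord.com:443 bytes_out=9021",
    "2025-12-03T10:02:45Z src=10.50.3.7 dst=mail.example-gov.local:443 bytes_out=3300",
    "2025-12-03T10:03:10Z src=172.16.9.9 dst=api.example-gov.local:443 bytes_out=120",
]


def zone_of(ip):
    """Return the zone name containing ip, or None if it belongs to no known zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "src": m["src"], "dst": m["dst"], "port": int(m["port"]), "bytes": int(m["bytes"])}


def evaluate(lines, beacon_min_hits=3, max_jitter_seconds=5.0):
    """Return sorted (src, dst, reason) findings for a batch of log lines.

    Reasons: unknown_zone, not_in_allowlist, public_service_c2_carrier, and
    beacon_like_periodicity (>= beacon_min_hits contacts whose inter-arrival
    gaps have a population standard deviation <= max_jitter_seconds)."""
    findings = set()
    contacts = defaultdict(list)  # (src, dst) -> list of timestamps
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["src"], rec["dst"])
        contacts[key].append(rec["ts"])
        zone = zone_of(rec["src"])
        if zone is None:
            findings.add(key + ("unknown_zone",))
        elif rec["dst"] not in ALLOWLIST[zone]:
            findings.add(key + ("not_in_allowlist",))
        if rec["dst"] in PUBLIC_C2_CARRIERS:
            findings.add(key + ("public_service_c2_carrier",))
    for key, stamps in contacts.items():
        if len(stamps) < beacon_min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if statistics.pstdev(gaps) <= max_jitter_seconds:
            findings.add(key + ("beacon_like_periodicity",))
    return sorted(findings)


if __name__ == "__main__":
    for src, dst, reason in evaluate(SAMPLE_LOGS):
        print(f"{src:<12} -> {dst:<28} {reason}")
```

On the constructed sample the workload host is reported three times for `api.telegram.org` (outside its allowlist, on the watchlist, and beaconing with about 1.4 s of jitter across 60 s intervals), the user host once each for `discord.com` (not sanctioned, on the watchlist, but no periodicity from a single contact), and the zone-less source once. The allowlist check is the egress policy itself; the watchlist and periodicity checks are the detection layer that still fires when an allowlist has been made too permissive, which is the gap a legitimate-service C2 channel is designed to exploit.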