
New Tomiris tools and techniques: multiple reverse shells, Havoc, AdaptixC2

Severity: Medium
Published: Fri Nov 28 2025 (11/28/2025, 08:31:24 UTC)
Source: AlienVault OTX General

Description

Kaspersky researchers uncovered new malicious operations by the Tomiris threat actor targeting foreign ministries, intergovernmental organizations, and government entities. The attacks, which began in early 2025, show a shift in tactics with increased use of implants leveraging public services like Telegram and Discord as command-and-control servers. The group employs various programming languages including Go, Rust, C/C#/C++, and Python to develop reverse shell tools. Some infections lead to the deployment of open-source post-exploitation frameworks such as Havoc and AdaptixC2. The campaign primarily focuses on Russian-speaking users and entities, with additional targets in Central Asian countries.

AI-Powered Analysis

Last updated: 12/30/2025, 22:20:41 UTC

Technical Analysis

Kaspersky researchers identified a new wave of malicious activity by the Tomiris threat actor beginning in early 2025. Tomiris is an advanced persistent threat (APT) group targeting foreign ministries, intergovernmental organizations, and government entities, with a focus on Russian-speaking users and Central Asian countries. The group has evolved its toolset to include multiple reverse shell implants written in diverse programming languages such as Go, Rust, C, C#, C++, and Python. These implants enable remote command execution and control over compromised systems. Notably, Tomiris leverages public communication platforms like Telegram and Discord as command-and-control (C2) channels, which helps evade traditional network defenses by blending malicious traffic with legitimate services. The campaign also involves deploying open-source post-exploitation frameworks such as Havoc and AdaptixC2, which facilitate further system compromise, lateral movement, credential harvesting, and data exfiltration. The use of multiple languages and frameworks indicates a modular and flexible approach, allowing the group to tailor attacks to specific environments and evade detection. The threat actor employs a broad range of techniques mapped to MITRE ATT&CK, including application layer protocol abuse (T1071), obfuscation (T1140), remote access tools (T1219), masquerading (T1036), and use of legitimate services for C2 (T1102). While no known exploits are currently reported in the wild, the sophistication and targeting profile suggest a high risk for espionage and intelligence gathering operations. The campaign’s reliance on public platforms for C2 and multi-language implants complicates detection and mitigation efforts, requiring advanced monitoring and threat hunting capabilities.

Potential Impact

For European organizations, especially those involved in diplomatic, governmental, or intergovernmental activities, this threat poses a significant risk of espionage, data theft, and operational disruption. The use of reverse shells and post-exploitation frameworks enables attackers to gain persistent access, move laterally within networks, and exfiltrate sensitive information. The targeting of Russian-speaking users and Central Asian countries suggests potential spillover or indirect targeting of European entities with geopolitical ties or collaborations in these regions. The use of public platforms like Telegram and Discord for C2 communications can bypass traditional perimeter defenses, increasing the likelihood of successful intrusions. Compromise of foreign ministries or intergovernmental organizations could lead to exposure of confidential diplomatic communications, strategic plans, and sensitive negotiations, undermining national security and international relations. The medium severity rating indicates that while the threat is sophisticated, it is currently targeted rather than widespread, but the potential impact on confidentiality and integrity of critical information is substantial.

Mitigation Recommendations

European organizations should implement advanced network monitoring to detect unusual traffic patterns to public platforms such as Telegram and Discord, especially from sensitive systems. Deploy endpoint detection and response (EDR) solutions capable of identifying multi-language reverse shell behaviors and post-exploitation frameworks like Havoc and AdaptixC2. Conduct threat hunting exercises focusing on indicators of compromise related to Tomiris, including unusual use of scripting languages and network connections to known C2 platforms. Enforce strict application whitelisting and code execution policies to limit the execution of unauthorized binaries and scripts. Regularly update and patch all systems, including those running legacy or less common programming environments, to reduce the attack surface. Enhance user awareness training to recognize spear-phishing and social engineering attempts that may serve as initial infection vectors. Segment networks to limit lateral movement opportunities and implement multi-factor authentication (MFA) on all remote access points. Collaborate with national cybersecurity centers and share threat intelligence to stay informed on evolving TTPs of Tomiris and related APT groups.
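A defender-side illustration of two of the recommendations above (hunting for the pulse's indicators in network logs, and spotting traffic to Telegram or Discord from systems that have no reason to use them). This is an added example, not code from the OTX pulse or the Kaspersky report. It assumes a simple proxy log format of "timestamp source-ip method url status"; the indicator sets are a subset copied from the IoC tables on this page, the platform API hosts are the real ones (api.telegram.org, discord.com, discordapp.com), and the "sensitive" subnet 10.20.0.0/16 and the SAMPLE_LOG lines are constructed for the example.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Subset of the indicators listed in this pulse's IoC tables; load the full list in practice.
IOC_IPS = {
    "188.127.227.226", "188.127.231.136", "185.173.37.67", "185.244.180.169",
    "188.127.225.191", "188.127.251.146", "192.153.57.189", "192.153.57.9",
    "82.115.223.78", "85.209.128.171", "88.214.25.249",
}
IOC_URLS = {
    "http://188.127.251.146:8080/sbchost.rar",
    "http://192.153.57.9/private/svchost.exe",
    "http://82.115.223.78/private/dwm.exe",
    "https://docsino.ru/wp-content/private/alone.exe",
    "https://sss.qwadx.com/winload.exe",
}
IOC_HOSTS = {urlparse(u).hostname for u in IOC_URLS}

# Real API hosts of the two public platforms the report names as C2 channels.
PLATFORM_HOSTS = {"api.telegram.org": "telegram", "discord.com": "discord", "discordapp.com": "discord"}
# Assumption of this example: a server/admin subnet whose hosts should never talk to those platforms.
SENSITIVE_SRC = ipaddress.ip_network("10.20.0.0/16")

# Assumed proxy log format: "<timestamp> <src-ip> <METHOD> <url> <status>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def _is_ipv4(host):
    try:
        return ipaddress.ip_address(host).version == 4
    except ValueError:
        return False


def classify(line):
    """Return the list of alert tags for one log line (empty list means nothing suspicious)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return ["unparsed"]
    url = m["url"]
    parsed = urlparse(url)
    host = parsed.hostname or ""
    tags = []
    if url in IOC_URLS:                      # exact URL from the pulse
        tags.append("ioc_url")
    if host in IOC_IPS:                      # C2/download IP from the pulse
        tags.append("ioc_ip")
    elif host in IOC_HOSTS:                  # domain from the pulse's URL list
        tags.append("ioc_host")
    # Heuristic matching the delivery pattern visible in the pulse: executables or archives
    # fetched straight from a bare IP address rather than a named host.
    if parsed.path.lower().endswith((".exe", ".rar")) and _is_ipv4(host):
        tags.append("exe_from_bare_ip")
    platform = PLATFORM_HOSTS.get(host)
    if platform and ipaddress.ip_address(m["src"]) in SENSITIVE_SRC:
        tags.append(f"{platform}_from_sensitive_host")
    return tags


def scan(log_text):
    """Return [(line, tags)] for every non-empty line that raised at least one tag."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        tags = classify(line)
        if tags:
            hits.append((line, tags))
    return hits


# Constructed sample log lines (not real traffic) exercising each detection path.
SAMPLE_LOG = """\
2025-11-28T08:31:24Z 10.20.4.15 GET http://192.153.57.9/private/svchost.exe 200
2025-11-28T08:32:01Z 10.20.4.15 POST https://api.telegram.org/bot-TOKEN-PLACEHOLDER/getUpdates 200
2025-11-28T08:33:10Z 10.55.1.9 GET https://discord.com/api/v10/channels/1/messages 200
2025-11-28T08:34:00Z 10.20.4.15 GET https://sss.qwadx.com/winload.exe 200
2025-11-28T08:35:00Z 10.20.4.20 GET https://www.example.com/index.html 200
2025-11-28T08:36:00Z 10.20.4.21 GET http://203.0.113.7/update.exe 200
"""

if __name__ == "__main__":
    for hit_line, hit_tags in scan(SAMPLE_LOG):
        print(",".join(hit_tags), "|", hit_line)
```

The Discord request from 10.55.1.9 is deliberately left unflagged: on a workstation subnet that traffic is ordinary, which is why the recommendation ties the platform check to sensitive systems rather than blocking the platforms outright. The bare-IP heuristic will fire on benign internal update servers too, so treat it as a hunting lead to be scoped per environment rather than a blocking rule.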


Technical Details

Author: AlienVault
TLP: white
References: https://securelist.com/tomiris-new-tools/118143/
Adversary: Tomiris
Pulse Id: 69295ddc667844c92d7554d0
Threat Score: null

Indicators of Compromise

IP addresses

188.127.227.226
188.127.231.136
185.173.37.67
185.244.180.169
188.127.225.191
188.127.251.146
192.153.57.189
192.153.57.9
192.165.32.78
193.149.129.113
206.188.196.191
64.7.199.193
77.232.39.47
77.232.42.107
78.128.112.209
82.115.223.210
82.115.223.218
82.115.223.78
85.209.128.171
88.214.25.249
88.214.26.37
91.219.148.93
94.198.52.200
94.198.52.210
96.9.124.207

File hashes (MD5)

078be0065d0277935cdcf7e3e9db4679
087743415e1f6cc961e9d2bb6dfd6d51
091fbacd889fa390dc76bb24c2013b59
09913c3292e525af34b3a29e70779ad6
0ddc7f3cfc1fb3cea860dc495a745d16
0f955d7844e146f2bd756c9ca8711263
1083b668459beacbc097b3d4a103623f
1241455da8aadc1d828f89476f7183b7
2ed5ebc15b377c5a03f75e07dc5f1e08
2fba6f91ada8d05199ad94affd5e5a18
33ed1534bbc8bd51e7e2cf01cadc9646
42e165ab4c3495fade8220f4e6f5f696
4edc02724a72afc3cf78710542db1e6e
536a48917f823595b990f5b14b46e676
6a49982272ba11b7985a2cec6fbb9a96
72327bf7a146273a3cfec79c2cbbe54e
83267c4e942c7b86154acd3c58eaf26c
9a9b1ba210ac2ebfe190d1c63ec707fa
9ea699b9854dde15babf260bed30efcc
abb3e2b8c69ff859a0ec49b9666f0a01
b8fe3a0ad6b64f370db2ea1e743c84bb
c0f81b33a80e5e4e96e503dbc401cbee
c26e318f38dfd17a233b23a3ff80b5f4
c73c545c32e5d1f72b74ab0087ae1720
c75665e77ffb3692c2400c3c8dd8276b
cd46316aebc41e36790686f1ec1c39f0
d3641495815c9617e58470448a1c94db
df95695a3a93895c1e87a76b4a8a9812
f1dca0c280e86c39873d8b6af40f7588

File hashes (SHA-1)

29ee3910d05e248cfb3ff62bd2e85e9c76db44a5
451cfa10538bc572d9fd3d09758eb945ac1b9437
5315a400da8ff4aebec025a4bde734068910201d
5684972ded765b0b08b290c85c8fac8ed3fea273
633885f16ef1e848a2e057169ab45d363f3f8c57
7190377a590c719089830e0f5ce050bc03f0710f
8e1641e1e1b24f41f4267c113540dc8cbee0ae65
93000d43d5c54b07b52efbdad3012e232bdb49cc
a5e7e75ee5c0fb82e4dc2f7617c1fe3240f21db2
c3929c555f4b61458030b70bc889baca8d777abc
c96beb026dc871256e86eca01e1f5ba2247a0df6
ce4912e5cd46fae58916c9ed49459c9232955302
dd98dcf6807a7281e102307d61c71b7954b93032
e8ab26b3141fbb410522b2cbabdc7e00a9a55251
ec7269f3e208d72085a99109a9d31e06b4a52152
f546861adc7c8ca88e3b302d274e6fffb63de9b0

File hashes (SHA-256)

148a42ccaa97c2e2352dbb207f07932141d5290d4c3b57f61a780f9168783eda
22ba8c24f1aefc864490f70f503f709d2d980b9bc18fece4187152a1d9ca5fab
4420148744799563bd559cd6bd42ac10ffe0cc2895c0f5366288272d3b947eec
4f17a7f8d2cec5c2206c3cba92967b4b499f0d223748d3b34f9ec4981461d288
57bba9dc05df51765b83559e9df7798c389a9c23f13f15a22077c242b8d6f558
6b290953441b1c53f63f98863aae75bd8ea32996ab07976e498bad111d535252
7084f06f2d8613dfe418b242c43060ae578e7166ce5aeed2904a8327cd98dbdf
8e7fb9f6acfb9b08fb424ff5772c46011a92d80191e7736010380443a46e695c
ab0ad77a341b12cfc719d10e0fc45a6613f41b2b3f6ea963ee6572cf02b41f4d
ae562641ccd56f6735cb93eb4c6beba1f40921281a103f2c9e7f339bdabd0e20
b4add80567c915eadffd00f022ca738a7eb4552aedad9da8ea658f04ca693bfc
be519d0acca77865ed569f16774e7ecb096a5a6ed0b6fe70ab5d5b438964cc11
cc84bfdb6e996b67d8bc812cf08674e8eca6906b53c98df195ed99ac5ec14a06
d59577c808e5fc0c67cfaf17fb64cd92c2ed4cb3b6c6bd7110836c8b4b856170
e46a04b9950a29e8638d5ff6508db94bf2811d613995a964cb5953922b02b0ac
ec80e96e3d15a215d59d1095134e7131114f669ebc406c6ea1a709003d3f6f17

URLs

http://188.127.251.146:8080/sbchost.rar
http://188.127.251.146:8080/sxbchost.exe
http://192.153.57.9/private/svchost.exe
http://195.2.79.245/firefox.exe
http://195.2.79.245/service.exe
http://195.2.79.245/winload.exe
http://195.2.79.245/winload.rar
http://195.2.79.245/winupdate.exe
http://62.113.115.89/homepage/infile.php
http://82.115.223.78/private/dwm.exe
http://82.115.223.78/private/msview.exe
http://82.115.223.78/private/spoolsvc.exe
http://82.115.223.78/private/svchost.exe
http://82.115.223.78/private/sysmgmt.exe
http://85.209.128.171:8000/AkelPad.rar
http://88.214.25.249:443/netexit.rar
http://89.110.98.234/winload.exe
http://89.110.98.234/winload.rar
https://docsino.ru/wp-content/private/alone.exe
https://docsino.ru/wp-content/private/winupdate.exe
https://sss.qwadx.com/12345.exe
https://sss.qwadx.com/AkelPad.exe
https://sss.qwadx.com/netexit.rar
https://sss.qwadx.com/winload.exe
https://sss.qwadx.com/winsrv.exe

Threat ID: 6929601cbc8dfaadef995ea8

Added to database: 11/28/2025, 8:41:00 AM

Last enriched: 12/30/2025, 10:20:41 PM

Last updated: 1/19/2026, 8:18:21 AM

Views: 568
