Tomiris Shifts to Public-Service Implants for Stealthier C2 in Attacks on Government Targets

Severity: High
Category: Vulnerability, remote
Published: Mon Dec 01 2025 (12/01/2025, 05:07:00 UTC)
Source: The Hacker News

Description

The threat actor known as Tomiris has been attributed to attacks targeting foreign ministries, intergovernmental organizations, and government entities in Russia with an aim to establish remote access and deploy additional tools. "These attacks highlight a notable shift in Tomiris's tactics, namely the increased use of implants that leverage public services (e.g., Telegram and Discord) as

AI-Powered Analysis

AI analysis last updated: 12/01/2025, 06:23:44 UTC

Technical Analysis

Tomiris is a sophisticated threat actor linked to espionage campaigns targeting government and intergovernmental organizations primarily in Russia and Central Asia, including Turkmenistan, Kyrgyzstan, Tajikistan, and Uzbekistan. The group has evolved its tactics by increasingly leveraging public communication platforms such as Telegram and Discord as covert command-and-control (C2) channels. Because this traffic goes to widely used legitimate services, it blends with normal business traffic and complicates detection by traditional network security tools. The initial infection vector is spear-phishing emails containing password-protected RAR archives, which carry either executables disguised as Microsoft Word documents or samples of other malware families. Upon execution, these implants deploy multi-language reverse shells and backdoors written in C/C++, Python, Rust, Go, C#, and PowerShell. These implants perform system reconnaissance, establish persistence via Windows Registry modifications, and communicate with C2 servers to download additional payloads, including open-source frameworks like Havoc and AdaptixC2. The malware suite includes Python-based reverse shells that use Discord or Telegram for C2, Rust-based malware capable of command execution and screenshot capture, and reverse SOCKS proxies for anonymized network tunneling. The campaign's modular design and use of diverse programming languages enhance operational flexibility and stealth. The threat actor's focus on high-value political and diplomatic targets, combined with the use of multi-stage infection chains and public-service C2 channels, indicates a long-term, stealthy espionage operation aimed at intelligence gathering and maintaining persistent access.

Potential Impact

For European organizations, especially government ministries, diplomatic missions, and intergovernmental bodies, the Tomiris threat represents a significant espionage risk. The use of public communication platforms for C2 complicates network monitoring and intrusion detection, increasing the likelihood of prolonged undetected access. Confidential information, including diplomatic communications and sensitive government data, could be exfiltrated, undermining national security and diplomatic relations. The modular and multi-language malware arsenal allows the threat actor to adapt to different environments, potentially targeting European entities with similar profiles or connections to Central Asia and Russia. The persistence mechanisms and stealthy communication channels increase the difficulty of incident response and eradication. Additionally, the spear-phishing vectors tailored to specific languages and regions suggest that European countries with diplomatic or strategic ties to Central Asia or Russia could be targeted. The operational flexibility and use of open-source C2 frameworks also raise the risk of rapid adaptation to defensive measures, prolonging the threat lifecycle.

Mitigation Recommendations

European organizations should implement advanced email security solutions capable of detecting and quarantining spear-phishing attempts, especially those involving password-protected archives. Network monitoring should be enhanced to identify anomalous traffic patterns to public services like Telegram and Discord, including the use of threat intelligence feeds to detect known C2 indicators. Endpoint detection and response (EDR) tools must be configured to detect multi-language malware behaviors, such as unusual registry modifications, execution of scripts via cscript, and reverse shell activities. Organizations should enforce strict application whitelisting and disable execution of files with double extensions (e.g., .doc.exe). Regular threat hunting exercises focusing on the presence of Havoc, AdaptixC2, and other open-source C2 frameworks are recommended. Segmentation of critical networks and limiting outbound traffic to only necessary services can reduce exposure. User awareness training should emphasize the risks of spear-phishing and the dangers of opening password-protected attachments from unknown sources. Incident response plans must include procedures for identifying and mitigating stealthy C2 communications over public platforms. Finally, collaboration with national cybersecurity agencies and sharing of threat intelligence related to Tomiris activity will enhance collective defense.
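As an added illustration of the EDR-side checks recommended above (example code, not from the article or any vendor): a small triage pass over constructed Sysmon-style events that flags double-extension lures, cscript/wscript launching scripts from user-writable paths, and processes other than known messaging or browser clients connecting to Telegram or Discord API hosts. The host watch list and the client allow list are assumptions for this example.

```python
"""Toy triage of Sysmon-style endpoint events for the Tomiris TTPs above:
double-extension lures, script hosts (cscript/wscript) running scripts from
user-writable paths, and non-client processes talking to Telegram/Discord.
Event shapes, host lists and sample events are constructed for this example."""
import re
from pathlib import PureWindowsPath

# Hosts used by the Telegram bot API and Discord (watch list; an assumption, not from the article)
C2_CAPABLE_HOSTS = {"api.telegram.org", "discord.com", "discordapp.com", "gateway.discord.gg"}
# Processes expected to talk to those hosts; anything else connecting there is suspicious
EXPECTED_CLIENTS = {"discord.exe", "telegram.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
SCRIPT_HOSTS = {"cscript.exe", "wscript.exe"}
DOUBLE_EXT = re.compile(r"\.(docx?|xlsx?|pdf|rtf)\.(exe|scr|com|pif)$", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Public)\\", re.IGNORECASE)

def _base(image: str) -> str:
    return PureWindowsPath(image).name.lower()

def triage(events: list[dict]) -> list[tuple[str, str]]:
    """Return (rule_name, image) for each event matching a detection rule."""
    hits = []
    for ev in events:
        image = ev.get("Image", "")
        if ev["EventType"] == "ProcessCreate":
            if DOUBLE_EXT.search(image):
                hits.append(("double_extension_executable", image))
            if _base(image) in SCRIPT_HOSTS and USER_WRITABLE.search(ev.get("CommandLine", "")):
                hits.append(("script_host_from_user_writable_path", image))
        elif ev["EventType"] == "NetworkConnect":
            host = ev.get("DestinationHostname", "").lower()
            if host in C2_CAPABLE_HOSTS and _base(image) not in EXPECTED_CLIENTS:
                hits.append(("unexpected_process_to_messaging_api", image))
    return hits

# Constructed sample telemetry (not real indicators from the campaign)
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "Image": r"C:\Users\u\Downloads\Report.doc.exe", "CommandLine": "Report.doc.exe"},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r"cscript.exe //nologo C:\Users\u\AppData\Roaming\upd.js"},
    {"EventType": "NetworkConnect", "Image": r"C:\Users\u\AppData\Local\Programs\Python\python.exe",
     "DestinationHostname": "api.telegram.org"},
    {"EventType": "NetworkConnect", "Image": r"C:\Users\u\AppData\Local\Discord\app-1.0\Discord.exe",
     "DestinationHostname": "discord.com"},  # legitimate client, must not alert
    {"EventType": "ProcessCreate", "Image": r"C:\Program Files\Microsoft Office\WINWORD.EXE", "CommandLine": "WINWORD.EXE"},
]

if __name__ == "__main__":
    for rule, image in triage(SAMPLE_EVENTS):
        print(f"[{rule}] {image}")
```

Tune EXPECTED_CLIENTS to the software actually deployed in your estate; the point of the rule is the process-to-destination pairing, not the destination alone.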


Technical Details

Article Source
https://thehackernews.com/2025/12/tomiris-shifts-to-public-service.html (fetched 2025-12-01T06:23:21Z, 1384 words)

Threat ID: 692d3462a9f72c8cb92a5ba9

Added to database: 12/1/2025, 6:23:30 AM

Last enriched: 12/1/2025, 6:23:44 AM

Last updated: 12/5/2025, 12:55:38 AM

Views: 80
