Distopia Backdoor infection schema | Image: Kaspersky Labs
A notorious threat actor known as “Tomiris” has returned with a revamped arsenal, launching a focused campaign against high-level diplomatic and political targets. A new report from Kaspersky Labs reveals that as of early 2025, the Russian-speaking group has adopted a “polyglot” development strategy and is increasingly weaponizing popular chat applications to hide their tracks.
The most significant evolution in Tomiris’s tradecraft is the shift away from traditional command-and-control (C2) servers. Instead, the attackers are now leveraging the trusted infrastructure of public services like Telegram and Discord to manage their infections.
According to the report, “These attacks highlight a notable shift in Tomiris’s tactics, namely the increased use of implants that leverage public services (e.g., Telegram and Discord) as command-and-control (C2) servers.” By routing commands through these legitimate platforms, the group aims to “blend malicious traffic with legitimate service activity to evade detection by security tools.”
Tomiris has moved beyond relying on a single malware strain. The group now deploys a diverse range of tools written in multiple programming languages to bypass defenses. “Most infections begin with the deployment of reverse shell tools written in various programming languages, including Go, Rust, C/C#/C++, and Python.”
The attack chain typically begins with a phishing email carrying a password-protected archive. The password, often a simple string such as “min@2025” or “sib@2025”, is written directly into the email body: the recipient can open the archive, while the encryption keeps its contents out of reach of gateway attachment scanners. Once the implant inside is executed, these “polyglot” tools pave the way for more potent open-source post-exploitation frameworks such as Havoc and AdaptixC2.
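The check a mail gateway can run for this stage, as an added example (not Kaspersky's code and not a campaign artefact): an attachment that is an encrypted archive, arriving together with a password candidate in the body, is quarantined rather than passed through unscanned. The message, the ZIP and the `<letters>@<year>` password shape are constructed assumptions; the shape is generalised from the two samples the report quotes.

```python
"""
Mail-gateway check for the initial-access pattern described above: an
encrypted archive attached to a mail whose body hands over its password.
Added example for this article, not Kaspersky's code. The message, the
attachment and the "<letters>@<year>" password shape (generalised from the two
samples the report quotes) are constructed assumptions, not campaign artefacts.
"""
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

ARCHIVE_EXT = (".zip", ".rar", ".7z")
# "Password: xyz" style hints, and bare tokens shaped like the quoted samples.
PASSWORD_HINT = re.compile(r"(?i)\b(?:password|passcode|pwd)\s*[:=\-]?\s*(\S+)")
TOKEN_SHAPE = re.compile(r"\b[A-Za-z]{2,12}@20\d{2}\b")


def archive_is_encrypted(name, data):
    """True for an encrypted archive attachment. ZIPs are inspected directly
    (general-purpose flag bit 0 on any entry); RAR/7z are treated as opaque
    and therefore suspicious, since the gateway cannot look inside either way."""
    lower = name.lower()
    if lower.endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return any(info.flag_bits & 0x1 for info in zf.infolist())
        except zipfile.BadZipFile:
            return False
    return lower.endswith(ARCHIVE_EXT)


def body_passwords(text):
    """Candidate passwords found in the message body."""
    found = {m.group(1).rstrip(".,;:)") for m in PASSWORD_HINT.finditer(text)}
    found.update(TOKEN_SHAPE.findall(text))
    return sorted(found)


def assess(raw_message):
    """Verdict for one raw RFC 5322 message: quarantine when an encrypted
    archive and a password candidate travel together, review when only the
    archive is present, pass otherwise."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    candidates = body_passwords(body.get_content() if body else "")
    encrypted = [part.get_filename() for part in msg.iter_attachments()
                 if part.get_filename()
                 and archive_is_encrypted(part.get_filename(), part.get_payload(decode=True))]
    if encrypted and candidates:
        verdict = "quarantine"
    elif encrypted:
        verdict = "review"
    else:
        verdict = "pass"
    return {"verdict": verdict, "encrypted_archives": encrypted,
            "password_candidates": candidates}


# --- constructed fixtures (hypothetical names, no real binaries) -----------

def constructed_zip(encrypted):
    """One-entry in-memory zip. For the encrypted case the 'encrypted' flag bit
    is set by hand in the local (offset 6) and central (offset 8) headers,
    which is what a real password-protected archive looks like to zipfile."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.exe", b"placeholder, not a real binary")
    data = bytearray(buf.getvalue())
    if encrypted:
        data[data.find(b"PK\x03\x04") + 6] |= 0x1
        data[data.find(b"PK\x01\x02") + 8] |= 0x1
    return bytes(data)


def constructed_message(body_text, attachment, filename="documents.zip"):
    """A minimal multipart message with one archive attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "desk@example.net"
    msg["Subject"] = "Meeting documents"
    msg.set_content(body_text)
    msg.add_attachment(attachment, maintype="application", subtype="zip", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    print(assess(constructed_message("Documents attached. Password: min@2025", constructed_zip(True))))
    print(assess(constructed_message("Agenda attached.", constructed_zip(False))))
```

The point of keying on the pair (encrypted archive plus password in the body) rather than on either alone is that encrypted archives have legitimate uses and password-like tokens appear in ordinary mail; only the combination reproduces the lure described above. RAR and 7z are treated as opaque here because the standard library cannot parse them; a production gateway would detach and inspect them with a dedicated parser.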
The campaign’s scope is narrow and highly strategic. Researchers observed that “these attacks targeted foreign ministries, intergovernmental organizations, and government entities, demonstrating a focus on high-value political and diplomatic infrastructure.”
Specific tools identified in the campaign include:
- Tomiris Rust Downloader: A reconnaissance tool that scans for specific file types (like .pdf and .docx) and sends file paths to a Discord webhook.
- Tomiris Python FileGrabber: A dedicated stealer that hunts for files in directories, ignoring system folders like “AppData” or “Program Files.”
- Tomiris Python Discord ReverseShell: A backdoor that uses the discord Python package to receive shell commands from the attackers.
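What the C2-over-public-services shift and the tool list above mean for detection, as an added example (not Kaspersky's code and not the implants themselves): in outbound proxy logs, the Discord webhook and bot REST endpoints and the Telegram Bot API are paths that an interactive user of those services does not hit, so hits from non-browser user agents stand out even though the destination hosts are legitimate. The log format, hosts, IPs and tokens below are constructed; nothing in them is a real indicator.

```python
"""
Hunting Tomiris-style C2 over public chat services in outbound proxy logs.

Added example for this article, not Kaspersky's or the threat actor's code.
It flags requests to the Discord webhook / bot REST endpoints and to the
Telegram Bot API, which an interactive user of those services does not hit;
ordinary browsing of discord.com is left alone. The log lines are constructed
in a squid-like shape: "<timestamp> <src_ip> <method> <url> <status> <user-agent>".
"""
import re
from urllib.parse import urlparse

# API hosts of the two services named in the report.
SERVICE_HOSTS = {"discord.com", "discordapp.com", "canary.discord.com",
                 "ptb.discord.com", "api.telegram.org"}

# URL-path shapes that only automation uses. A Discord webhook URL carries the
# webhook id plus its secret token; a Telegram Bot API URL carries the whole bot
# token (<bot id>:<secret>) in the path, so either can be extracted for reporting.
PATTERNS = [
    ("discord_webhook",
     re.compile(r"^/api(?:/v\d+)?/webhooks/(?P<id>\d+)/(?P<secret>[A-Za-z0-9_-]+)")),
    ("discord_bot_api",
     re.compile(r"^/api(?:/v\d+)?/(?:gateway|users/@me|channels/\d+/messages)")),
    ("telegram_bot_api",
     re.compile(r"^/bot(?P<id>\d+):(?P<secret>[A-Za-z0-9_-]+)/\w+")),
]

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
                    r"(?P<status>\d{3}) (?P<ua>.*)$")
BROWSER_UA = re.compile(r"^Mozilla/5\.0 \(")


def parse_line(line):
    """Split one proxy log line into fields; None if it does not fit the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return a finding when the request hits a bot-style endpoint of Discord
    or Telegram, else None. Secrets are never copied into the finding."""
    url = urlparse(entry["url"])
    host = (url.hostname or "").lower()
    if host not in SERVICE_HOSTS:
        return None
    for reason, pattern in PATTERNS:
        m = pattern.search(url.path)
        if not m:
            continue
        ident = m.groupdict().get("id")
        indicator = f"{host} id={ident}" if ident else f"{host}{url.path}"
        # Non-browser user agents (python-requests, Go-http-client, discord.py's
        # "DiscordBot (...)") on these endpoints are the strongest signal; the
        # web client also calls some /api paths, so a browser UA only rates medium.
        confidence = "medium" if BROWSER_UA.match(entry["ua"]) else "high"
        return {"ts": entry["ts"], "src": entry["src"], "reason": reason,
                "indicator": indicator, "ua": entry["ua"], "confidence": confidence}
    return None


def scan(lines):
    """Run classify() over a log; returns the list of findings in log order."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry:
            finding = classify(entry)
            if finding:
                findings.append(finding)
    return findings


# Constructed sample log (no real hosts, tokens or victims).
SAMPLE_LOG = """\
2025-02-03T09:14:02Z 10.20.1.37 POST https://discord.com/api/webhooks/1234567890/AbCdEf-constructed_not_real 204 python-requests/2.32.3
2025-02-03T09:14:05Z 10.20.1.37 GET https://discord.com/api/v10/users/@me 200 DiscordBot (https://github.com/Rapptz/discord.py 2.3.2) Python/3.11 aiohttp/3.9.1
2025-02-03T09:15:11Z 10.20.1.52 GET https://api.telegram.org/bot7123456789:AAF0-constructed_not_real/getUpdates 200 Go-http-client/1.1
2025-02-03T09:16:00Z 10.20.1.88 GET https://discord.com/api/v9/gateway 200 Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/121.0
2025-02-03T09:16:03Z 10.20.1.88 GET https://discord.com/channels/@me 200 Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/121.0
2025-02-03T09:16:40Z 10.20.1.88 GET https://www.example.com/ 200 Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/121.0
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"{f['confidence']:6} {f['src']:12} {f['reason']:17} {f['indicator']}  ua={f['ua']}")
```

Two design points worth noting. First, the finding keeps only the non-secret half of a webhook URL or bot token (the numeric id), which is enough to pivot on and to report the abuse to the platform, without the secret leaking into ticketing systems. Second, the Telegram Bot API is only reachable over TLS, so this logic needs a proxy that logs full URLs (or TLS inspection); on DNS or SNI data alone you can see api.telegram.org and discord.com but not the path, and the rule degrades to "hosts that normally see a handful of interactive users are being contacted by a Go or Python user agent".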
The Tomiris group continues to prove its adaptability, shifting tactics to maintain long-term access to sensitive government networks. As the report concludes, “The evolution in tactics underscores the threat actor’s focus on stealth, long-term persistence, and the strategic targeting of government and intergovernmental organizations.”