The notorious Tomiris hacker group has resurfaced with a sophisticated and alarming campaign targeting foreign ministries and government entities worldwide. Beginning in early 2025, this advanced persistent threat (APT) actor appears to have shifted its operational strategy, focusing its advanced capabilities on high-value diplomatic infrastructure. By leveraging a diverse array of programming languages, including Go, Rust, C/C++, and Python, the group has significantly enhanced its ability to bypass traditional security measures while striving to maintain a low profile within compromised networks.
These cyber assaults typically initiate with precision spear-phishing emails that contain password-protected archives. The attackers frequently disguise malicious executables with double extensions or mislead victims by using familiar office document icons, ensuring that the initial infection vector remains obscured from standard security protocols. The archive passwords, while often following a predictable pattern such as “min@2025,” still defeat automated email scanners, which cannot inspect the encrypted contents, a testament to the group’s nuanced approach to initial access.
The Evolving Tactics of the Tomiris Hacker Group
Once a payload is executed, a chain of events is initiated, designed to establish persistence within the victim’s network and deploy further malicious tools and backdoors. Securelist security analysts have noted that Tomiris has increasingly adopted public services such as Telegram and Discord for its command-and-control (C2) communications. This tactical evolution allows malicious traffic to blend more seamlessly with legitimate network activity, thereby complicating detection efforts and confounding the strategies employed by security teams.
Furthermore, the group has begun deploying open-source post-exploitation frameworks, including Havoc and AdaptixC2. This signifies a strategic move towards more modular and resilient attack chains, making it more challenging for defenders to understand and disrupt their operations. This blend of custom implants, developed with diverse programming languages, and off-the-shelf open-source tools significantly exacerbates the challenges associated with attribution and mitigation for cybersecurity professionals.
The Rust Downloader Mechanism in Detail
A particularly noteworthy component of this evolving campaign is the previously undocumented Tomiris Rust Downloader. Unlike typical data exfiltration tools that immediately seek to steal information, this implant performs targeted reconnaissance. It meticulously scans specific drives for sensitive file types, including common document formats such as .pdf, .docx, and .xlsx. However, the downloader does not immediately exfiltrate these files.
Instead, it compiles a comprehensive list of file paths and transmits this aggregated data to a Discord webhook using a multipart POST request. The malware employs a structured approach by utilizing a “payload_json” field for system information and a “file” field specifically for the list of identified file paths, ensuring organized data exfiltration. This method allows for detailed mapping of potentially valuable targets within the compromised environment.
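To make that upload pattern concrete from the defender's side, here is an added example (not code from the article or from Securelist) that parses an outbound multipart POST and flags the combination the article describes: a Discord webhook destination, a `payload_json` field carrying JSON, and a `file` field whose content is a list of paths to .pdf, .docx or .xlsx files. The request body, boundary string, webhook path and hostnames are constructed sample data (the webhook token is a placeholder); `discordapp.com` is included as the legacy webhook hostname alongside `discord.com`.

```python
import json
import re
from pathlib import PureWindowsPath

# File types the downloader is reported to inventory.
DOC_EXTENSIONS = {".pdf", ".docx", ".xlsx"}
# Discord webhook hosts: discord.com is current, discordapp.com is the legacy name.
WEBHOOK_HOSTS = {"discord.com", "discordapp.com"}


def parse_multipart(body: str, boundary: str) -> dict:
    """Split a multipart/form-data body into {field name: (headers, data)}."""
    parts = {}
    for chunk in body.split(f"--{boundary}")[1:]:
        if chunk.startswith("--"):          # closing delimiter "--boundary--"
            break
        head, _, data = chunk.lstrip("\r\n").partition("\r\n\r\n")
        headers = {}
        for line in head.split("\r\n"):
            key, _, value = line.partition(":")
            headers[key.strip().lower()] = value.strip()
        # "(?:^|;)" keeps filename="..." from being mistaken for the field name.
        match = re.search(r'(?:^|;)\s*name="([^"]*)"',
                          headers.get("content-disposition", ""))
        name = match.group(1) if match else ""
        parts[name] = (headers, data.rstrip("\r\n"))
    return parts


def assess_request(req: dict) -> dict:
    """Score one outbound HTTP request against the webhook exfiltration pattern."""
    result = {"webhook": False, "has_payload_json": False,
              "doc_paths": [], "suspicious": False}
    host = req["host"].lower()
    result["webhook"] = host in WEBHOOK_HOSTS and req["path"].startswith("/api/webhooks/")
    ctype = req["headers"].get("content-type", "")
    boundary = re.search(r'boundary="?([^";]+)"?', ctype)
    if not (result["webhook"] and req["method"] == "POST"
            and ctype.startswith("multipart/form-data") and boundary):
        return result
    parts = parse_multipart(req["body"], boundary.group(1))
    if "payload_json" in parts:
        try:
            json.loads(parts["payload_json"][1])
            result["has_payload_json"] = True
        except json.JSONDecodeError:
            pass
    if "file" in parts:
        lines = [ln.strip() for ln in parts["file"][1].splitlines() if ln.strip()]
        result["doc_paths"] = [
            ln for ln in lines if PureWindowsPath(ln).suffix.lower() in DOC_EXTENSIONS
        ]
    # A system-info JSON field plus an attached list of document paths is the
    # reconnaissance upload described in the article, not a normal chat notification.
    result["suspicious"] = result["has_payload_json"] and len(result["doc_paths"]) >= 1
    return result


# Constructed sample traffic (not captured data). The webhook token is a placeholder.
BOUNDARY = "----ConstructedBoundary1234"
SUSPICIOUS_REQUEST = {
    "method": "POST", "host": "discord.com",
    "path": "/api/webhooks/000000000000000000/PLACEHOLDER_TOKEN",
    "headers": {"content-type": f"multipart/form-data; boundary={BOUNDARY}"},
    "body": (
        f"--{BOUNDARY}\r\n"
        'Content-Disposition: form-data; name="payload_json"\r\n'
        "Content-Type: application/json\r\n\r\n"
        '{"content": "host=WS01 user=analyst os=Windows 10"}\r\n'
        f"--{BOUNDARY}\r\n"
        'Content-Disposition: form-data; name="file"; filename="list.txt"\r\n'
        "Content-Type: text/plain\r\n\r\n"
        "C:\\Users\\analyst\\Documents\\budget.xlsx\r\n"
        "C:\\Users\\analyst\\Documents\\memo.docx\r\n"
        "D:\\archive\\treaty.pdf\r\n"
        f"--{BOUNDARY}--\r\n"
    ),
}
# Control case: a CI-style chat notification posted as plain JSON, no attachment.
BENIGN_REQUEST = {
    "method": "POST", "host": "discord.com",
    "path": "/api/webhooks/000000000000000000/PLACEHOLDER_TOKEN",
    "headers": {"content-type": "application/json"},
    "body": '{"content": "build 1234 passed"}',
}

if __name__ == "__main__":
    for label, req in (("suspicious", SUSPICIOUS_REQUEST), ("benign", BENIGN_REQUEST)):
        print(label, assess_request(req))
```

The check deliberately keys on the shape of the upload rather than on the webhook host alone, because many organizations have legitimate automation posting to Discord or Telegram; a proxy or EDR rule built this way should alert on the attached path listing, and the `doc_paths` field gives the analyst an immediate view of which documents were inventoried.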
The malware is specifically programmed to avoid detection by ignoring certain directories, including the standard “Program Files,” “Windows,” and “AppData” folders, thus reducing its digital footprint within the operating system. Upon successfully sending the collected file list to the designated webhook, the downloader creates a Visual Basic script (script.vbs). This script, in turn, executes a PowerShell script (script.ps1).
This PowerShell script contains a loop that continuously attempts to retrieve a secondary payload, often a ZIP archive containing further executables, every minute. This meticulous approach to reconnaissance and staged delivery highlights the group’s intent to remain undetected while systematically identifying high-value data for future exfiltration and exploitation. The ongoing use of publicly accessible platforms for C2 and the adoption of modular tools suggest a long-term strategy aimed at sustained operations against governmental organizations.
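The script.vbs to script.ps1 hand-off and the once-a-minute retrieval loop together form a host-side signature that endpoint telemetry can catch. The following added example (not code from the article or from Securelist) runs over constructed Sysmon-style process-creation and network-connection events and alerts when wscript.exe running a .vbs spawns powershell.exe with a .ps1, and that PowerShell process then connects outbound at a steady interval close to 60 seconds. The event layout, PIDs, paths, command lines and addresses are all assumptions made for the example.

```python
import re
import statistics
from pathlib import PureWindowsPath

# Constructed Sysmon-style telemetry (not from the article). "proc" is a process
# creation, "net" an outbound connection; "t" is seconds since an arbitrary start.
EVENTS = [
    {"t": 0, "type": "proc", "pid": 4100, "ppid": 3900,
     "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "C:\Users\analyst\AppData\Local\Temp\script.vbs"'},
    {"t": 1, "type": "proc", "pid": 4120, "ppid": 4100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'powershell.exe -File "C:\Users\analyst\AppData\Local\Temp\script.ps1"'},
    {"t": 5, "type": "net", "pid": 4120, "dst": "198.51.100.20:443"},
    {"t": 66, "type": "net", "pid": 4120, "dst": "198.51.100.20:443"},
    {"t": 125, "type": "net", "pid": 4120, "dst": "198.51.100.20:443"},
    {"t": 186, "type": "net", "pid": 4120, "dst": "198.51.100.20:443"},
    {"t": 245, "type": "net", "pid": 4120, "dst": "198.51.100.20:443"},
    # Control case: an admin script started from Explorer with irregular downloads.
    {"t": 10, "type": "proc", "pid": 5200, "ppid": 1200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'powershell.exe -File "C:\Tools\inventory.ps1"'},
    {"t": 12, "type": "net", "pid": 5200, "dst": "203.0.113.7:443"},
    {"t": 40, "type": "net", "pid": 5200, "dst": "203.0.113.7:443"},
    {"t": 300, "type": "net", "pid": 5200, "dst": "203.0.113.7:443"},
    {"t": 330, "type": "net", "pid": 5200, "dst": "203.0.113.7:443"},
]


def _basename(image: str) -> str:
    return PureWindowsPath(image).name.lower()


def find_script_chains(events: list) -> list:
    """Return every powershell.exe running a .ps1 whose parent is wscript.exe running a .vbs."""
    procs = {e["pid"]: e for e in events if e["type"] == "proc"}
    chains = []
    for proc in procs.values():
        if _basename(proc["image"]) != "powershell.exe":
            continue
        script = re.search(r'([A-Za-z]:\\[^"]*?\.ps1)', proc["cmd"], re.I)
        parent = procs.get(proc["ppid"])
        if not script or parent is None or _basename(parent["image"]) != "wscript.exe":
            continue
        if not re.search(r"\.vbs\b", parent["cmd"], re.I):
            continue
        chains.append({"vbs_pid": parent["pid"], "ps_pid": proc["pid"],
                       "script": script.group(1)})
    return chains


def beacon_profile(events: list, pid: int):
    """Median gap and worst-case jitter between a process's outbound connections."""
    times = sorted(e["t"] for e in events if e["type"] == "net" and e["pid"] == pid)
    if len(times) < 4:                      # too few samples to call it periodic
        return None
    gaps = [later - earlier for earlier, later in zip(times, times[1:])]
    median = statistics.median(gaps)
    return {"connections": len(times), "median_gap": median,
            "max_jitter": max(abs(g - median) for g in gaps)}


def detect_staged_loader(events: list, expected_gap: int = 60, tolerance: int = 10) -> list:
    """Alert on a vbs->ps1 chain whose PowerShell child beacons about once a minute."""
    alerts = []
    for chain in find_script_chains(events):
        profile = beacon_profile(events, chain["ps_pid"])
        if profile is None:
            continue
        periodic = (abs(profile["median_gap"] - expected_gap) <= tolerance
                    and profile["max_jitter"] <= tolerance)
        if periodic:
            alerts.append({**chain, **profile})
    return alerts


if __name__ == "__main__":
    for alert in detect_staged_loader(EVENTS):
        print("staged loader:", alert)
```

The process-chain test alone would fire on any script-driven administration; the interval check alone would fire on update agents and monitoring tools. Requiring both, scoped to script files under a user-writable directory, keeps the rule tight enough to be actionable while still matching the retrieval loop the article describes; the `tolerance` parameter can be widened if the observed loader adds sleep jitter.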
The implications of these advanced techniques are significant for national security, as the compromised entities are crucial for diplomatic relations and international policy. The observed shift towards more sophisticated and evasive methods indicates that the Tomiris group, and APT actors like them, will continue to pose a persistent threat. Organizations in the public sector, particularly those involved in foreign affairs, should intensify their cybersecurity measures, focusing on enhanced endpoint detection and response, robust phishing awareness training augmented with technical controls, and meticulous monitoring of network traffic for anomalous C2 communications, especially those utilizing public messaging platforms.