I’m thrilled to sit down with Malik Haidar, a seasoned cybersecurity expert who has spent years on the front lines defending multinational corporations against sophisticated cyber threats. With a sharp focus on analytics, intelligence, and security, Malik brings a unique perspective by blending business strategy with technical expertise. Today, we’re diving into the evolving tactics of the threat actor Tomiris, exploring their innovative use of public platforms for covert operations, their targeted campaigns against government entities, and the complex malware arsenal they deploy for stealth and persistence. This conversation unpacks how these strategies challenge defenders and what it means for the future of cybersecurity.
How have threat actors like Tomiris adapted their command-and-control infrastructure in recent years, particularly with the shift to public services like Telegram and Discord?
Public services like Telegram and Discord offer a cloak of legitimacy that threat actors like Tomiris exploit to blend their malicious traffic with everyday user activity. This tactic makes it incredibly hard for security tools to flag their communications as suspicious since these platforms are widely used and trusted. I’ve seen firsthand how this frustrates traditional detection methods—imagine sifting through a haystack of legitimate messages to find a single malicious needle. Compared to older, dedicated C2 servers, this approach often delays detection by weeks or even months because analysts hesitate to block popular services without concrete evidence. It’s a clever, if sinister, pivot that forces us to rethink how we monitor network traffic.
What do you make of Tomiris’s heavy focus on Russian-speaking users and regionally tailored content for places like Turkmenistan or Uzbekistan?
Tomiris’s strategy of targeting over 50% of their spear-phishing emails at Russian-speaking users with localized content shows a deep understanding of cultural and linguistic nuances, which makes their attacks more convincing. They’re not just blasting generic phishing emails; they craft messages that resonate with specific communities, using national languages and context that lowers the guard of their targets. I recall analyzing a campaign aimed at a Central Asian diplomatic entity where the email mimicked an urgent local government notice—down to the formatting and formal tone. This precision suggests they have either insider knowledge or extensive reconnaissance capabilities, and it’s why their success rate in gaining initial access is alarmingly high. It’s a reminder that social engineering is often more about psychology than technology.
Can you walk us through how Tomiris combines tools like reverse shells and custom implants such as AdaptixC2 and Havoc in their attack chains?
Tomiris’s attack chains are like a well-orchestrated symphony of malice, with each tool playing a distinct role. Typically, it starts with a spear-phishing email delivering a password-protected RAR file that, once opened, drops a reverse shell written in languages like C++ or Python. This shell gathers system info, contacts a C2 server—often hosted on Discord or Telegram—and pulls down heavier implants like AdaptixC2 or Havoc for post-exploitation. I’ve traced cases where the reverse shell modified Windows Registry keys to ensure persistence, while the implant then escalated privileges or exfiltrated data. The challenge for defenders is the layered nature of these attacks—each stage is modular, so blocking one piece doesn’t necessarily stop the others. It’s like trying to plug a leak in a dam while new cracks keep forming.
Tomiris shares similarities with malware like SUNSHUTTLE and Kazuar, often linked to Russian APT groups. How does this shape your view of their identity as a distinct threat actor?
The overlaps with SUNSHUTTLE and Kazuar are striking—shared code patterns, similar espionage goals, and targeting profiles hint at a possible connection to Russian APT ecosystems. Yet, I see Tomiris as distinct because their focus on Central Asian intelligence gathering and operational style feels more localized, almost surgical. I remember a case where we traced a Tomiris backdoor to infrastructure that mirrored Turla’s tactics, but the payload’s customization suggested a different team with unique priorities. These similarities might indicate shared tools or even collaboration, but their strategic divergence—especially the emphasis on regional government targets—sets them apart. It’s a puzzle that keeps us up at night, piecing together whether they’re a splinter group or just borrowing from a common playbook.
What’s the significance of Tomiris using a variety of programming languages like Rust, Python, and Go in their malware development?
Using multiple languages—Rust for stealthy downloaders, Python for flexible reverse shells, Go for lightweight proxies—gives Tomiris incredible operational agility and helps them evade signature-based detection. Each language has strengths: Rust’s compiled nature makes reverse-engineering a slog, while Python’s ubiquity lets their scripts blend into normal system activity. I’ve dissected a Rust-based JLORAT module that could take screenshots and run commands, and its obfuscation was a nightmare to unpack, taking my team days longer than a typical Python script. This multi-language approach means they can adapt quickly, swapping components if one gets flagged by antivirus tools. It’s a testament to their sophistication and a headache for defenders trying to keep up.
How does Tomiris’s use of password-protected RAR files in phishing emails complicate things for security teams?
Password-protected RAR files are a sneaky trick because they bypass many initial email scans—most gateways can’t decrypt them to inspect the contents without the password, which Tomiris conveniently includes in the email text. Once a user opens the archive, it often drops an executable disguised as a Word document, triggering a reverse shell or downloader. I recall a case where a government agency employee unwittingly unleashed this payload, and by the time we got involved, data was already being siphoned through a Discord webhook. The real challenge is educating users not to trust such files, even with a provided password, because by the time endpoint detection kicks in, the damage is often done. It’s a frustrating cat-and-mouse game where human curiosity is the weakest link.
What challenges arise from Tomiris using platforms like Discord and Telegram for C2 communications when it comes to tracking or disrupting their operations?
Tracking Tomiris on platforms like Discord and Telegram is like chasing a ghost in a crowded city—the sheer volume of legitimate activity masks their moves. These services use encrypted channels, so even if you identify a suspicious server, you can’t easily intercept the commands or payloads without platform cooperation, which is often slow or nonexistent. I’ve been on investigations where we pinpointed a Discord webhook used for exfiltration, only to watch it vanish and reappear under a new account within hours. The technical hurdle is building tools to correlate malicious patterns without violating user privacy, and the operational hurdle is the speed at which they pivot. It pushes us to lean on behavioral analysis rather than just IP blacklists, but it’s an uphill battle.
Given Tomiris’s focus on high-value government and diplomatic targets in Central Asia, what makes their intelligence-gathering approach unique?
Tomiris stands out for their laser focus on political and diplomatic infrastructure in Central Asia, prioritizing strategic intelligence over broad financial gain. Their attacks often aim for long-term access, using tailored phishing lures that mimic official communications to infiltrate foreign ministries or intergovernmental bodies. I remember dissecting an attack on a regional embassy where their payload sat dormant for weeks, only activating to harvest specific policy documents during a key negotiation period. Their patience and regional expertise—down to using local languages and context—suggest they’re after geopolitical leverage, not just data for sale. It’s a calculated approach that makes them especially dangerous to state actors.
Tomiris deploys multiple reverse shells and backdoors like JLORAT and Distopia. Can you explain how these tools vary in their roles during an attack?
Each tool in Tomiris’s arsenal has a specialized purpose, almost like a toolkit for different stages of compromise. JLORAT, written in Rust, excels at reconnaissance—capturing screenshots and running commands to map a network while staying under the radar. Distopia, a Python-based backdoor using Discord for C2, focuses on command execution and fetching additional payloads, acting as a bridge to heavier implants. I’ve seen cases where JLORAT was the initial foothold, quietly gathering intel, while Distopia came in later to download file-grabbing scripts targeting specific document types like PDFs and DOCXs. The diversity ensures redundancy—if one gets blocked, another can take over. It’s a modular strategy that keeps defenders guessing.
Looking at Tomiris’s 2025 campaign, how are they achieving such stealth and long-term persistence in their operations?
In their 2025 campaign, Tomiris has doubled down on stealth by using multi-language malware modules and subtle persistence mechanisms like Windows Registry tweaks to embed payloads deep within systems. Their infection often starts with a lightweight reverse shell that downloads heavier implants only when needed, minimizing early detection. They also leverage public platforms for C2 to avoid standing out in network logs. I’ve tracked instances where their tools remained undetected for months, quietly exfiltrating data during low-traffic hours—once, a government server was compromised for nearly a quarter before an unrelated audit caught it. Their innovation lies in pacing their activity, blending into normal operations, and using modular designs to swap out components if one is flagged. It’s a slow-burn approach that’s maddeningly effective.
What’s your forecast for the evolution of threat actors like Tomiris in the coming years?
I see threat actors like Tomiris becoming even more integrated with everyday technologies, exploiting not just public platforms but also emerging tools like decentralized networks or IoT devices for C2 communications. Their focus on regional geopolitics might sharpen, potentially targeting infrastructure tied to international alliances or trade routes in Central Asia. We’re likely to see more multi-language, modular malware that’s harder to pin down, coupled with AI-driven social engineering to craft hyper-personalized phishing lures. My concern is the growing gap between their adaptability and the resources defenders have—governments and organizations will need to invest heavily in proactive threat hunting and cross-border collaboration to keep pace. The stakes couldn’t be higher as these threats evolve in both stealth and ambition.
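Editor's note, added to this interview rather than spoken by Malik Haidar: two of the answers above (on Discord webhook exfiltration and on leaning on behavioral analysis instead of IP blacklists) describe a detection problem that is easier to reason about in code. The script below is an added example, not the interviewee's or any vendor's tooling. It runs a simple behavioural rule over a constructed egress-proxy log: flag POSTs to Discord webhook or Telegram bot-API endpoints that originate from a process other than the chat client itself, and total the bytes sent per source. The log format, host names, process names, the allowlist and the placeholder webhook/bot identifiers are all assumptions made up for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample egress-proxy log (not real telemetry). Assumed field order:
# timestamp host process method url bytes_out
SAMPLE_LOG = """\
2025-03-02T09:14:03Z WS-0412 Discord.exe GET https://discord.com/api/v9/users/@me 312
2025-03-02T09:14:41Z WS-0412 chrome.exe GET https://example.org/news 1024
2025-03-02T09:15:07Z WS-0412 python.exe POST https://discord.com/api/webhooks/PLACEHOLDER_ID/PLACEHOLDER_TOKEN 5120000
2025-03-02T09:15:09Z WS-0412 python.exe POST https://discord.com/api/webhooks/PLACEHOLDER_ID/PLACEHOLDER_TOKEN 5120000
2025-03-02T09:20:55Z WS-0777 svchost.exe POST https://api.telegram.org/botPLACEHOLDER_TOKEN/sendDocument 2048000
2025-03-02T09:21:10Z WS-0777 Telegram.exe GET https://api.telegram.org/ 400
"""

# Endpoint shapes a dropper or backdoor can use as a drop/C2 channel on a public
# service. Matching on the URL path, not the IP, is the point: the IP is shared
# with thousands of legitimate users and cannot be blacklisted.
C2_CAPABLE_ENDPOINTS: Dict[str, re.Pattern] = {
    "discord-webhook": re.compile(r"^https://(?:discord|discordapp)\.com/api/webhooks/"),
    "telegram-bot-api": re.compile(r"^https://api\.telegram\.org/bot[^/]+/"),
}

# Processes for which traffic to these services is expected (assumed allowlist;
# tune to the environment, and prefer signer/path checks over bare names).
EXPECTED_CLIENTS = {"discord.exe", "telegram.exe"}


@dataclass(frozen=True)
class Finding:
    timestamp: str
    host: str
    process: str
    channel: str
    bytes_out: int


def parse_line(line: str) -> Tuple[str, str, str, str, str, int]:
    """Split one log line into its six assumed fields; bytes_out becomes an int."""
    fields = line.split()
    if len(fields) != 6:
        raise ValueError(f"unexpected field count in log line: {line!r}")
    ts, host, proc, method, url, size = fields
    return ts, host, proc, method, url, int(size)


def classify(url: str) -> Optional[str]:
    """Return the C2-capable channel name the URL matches, or None."""
    for name, pattern in C2_CAPABLE_ENDPOINTS.items():
        if pattern.match(url):
            return name
    return None


def find_suspicious(log_text: str) -> List[Finding]:
    """Flag webhook/bot-API requests that come from a non-chat-client process."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, host, proc, method, url, size = parse_line(raw)
        channel = classify(url)
        if channel is None:
            continue
        # The chat client talking to its own service is normal; a scripting
        # runtime or a system process doing so is the behavioural signal.
        if proc.lower() in EXPECTED_CLIENTS:
            continue
        findings.append(Finding(ts, host, proc, channel, size))
    return findings


def bytes_per_source(findings: List[Finding]) -> Dict[Tuple[str, str, str], int]:
    """Total outbound bytes per (host, process, channel) to surface volume."""
    totals: Dict[Tuple[str, str, str], int] = defaultdict(int)
    for f in findings:
        totals[(f.host, f.process, f.channel)] += f.bytes_out
    return dict(totals)


if __name__ == "__main__":
    hits = find_suspicious(SAMPLE_LOG)
    for h in hits:
        print(f"{h.timestamp} {h.host} {h.process} -> {h.channel} ({h.bytes_out} bytes)")
    for (host, proc, channel), total in bytes_per_source(hits).items():
        print(f"total {host}/{proc} via {channel}: {total} bytes")
```

On the sample above, the two `python.exe` webhook posts and the `svchost.exe` bot-API post are flagged, while the Discord and Telegram clients' own traffic is not. In a real deployment the process allowlist should be backed by binary path and signer, and the per-source byte totals are what turn a single hit into an exfiltration alert rather than a curiosity.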