TZUTC: -0500
MSGID: 1772.consprcy@1:2320/105 2d95901f
PID: Synchronet 3.21a-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0
TID: SBBSecho 3.28-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0
BBSID: CAPCITY2
CHRS: ASCII 1
FORMAT: flowed
Russian speaking hacking group now shifting focus to government targets

Date:
Tue, 02 Dec 2025 18:29:00 +0000

Description:
The focus is now on stealth, long-term persistence, and cyber-espionage
against government and similar organizations.

FULL STORY

Tomiris, a Russian-speaking APT hacking group, has narrowed down its attack
focus to target government ministries, intergovernmental organizations, and
politically significant institutions. 

This is according to a new report from cybersecurity researchers Kaspersky,
which claims that from early 2025, there has been a wave of intrusions in
which Tomiris deployed a large arsenal of multi-language implants. 

The tools, written in Go, Rust, Python, and PowerShell (among others), were
designed for flexibility, obfuscation, as well as to make attribution more
difficult. 

Targeting Russian and Central Asian victims

Tomiris is now hiding its command-and-control (C2) infrastructure in public
services such as Telegram, or Discord, it was said, which helps it hide
malicious traffic inside normal, encrypted messaging flows. 

Several reverse shells such as the Tomiris Python, Discord ReverseShell, or
the Tomiris Python Telegram ReverseShell, rely completely on these platforms
for both receiving commands and exfiltrating stolen data. 

Initial access is usually achieved via phishing, using rules written in
Russian. Once the stage-one malware is deployed, the attackers would lurk, 
run system commands, and deploy stage-two malware. Kaspersky also said that
frameworks such as Havoc and AdaptixC2 appear in later phases, and are used
for persistence, lateral movement, and device takeover. 

More than half of Tomiriss phishing lures target Russian-speaking individuals
or institutions, it was said. The rest are located in Central Asian nations
such as Turkmenistan, Kyrgyzstan, Tajikistan, and Uzbekistan. Kaspersky also
stresses that this is not opportunistic crime, but rather a campaign centered
on state-level intelligence collection. 

The evolution in tactics underscores the threat actors focus on stealth,
long-term persistence, and the strategic targeting of government and
intergovernmental organizations, Kaspersky concludes. The use of public
services for C2 communications and multi-language implants highlights the 
need for advanced detection strategies, such as behavioral analysis and
network traffic inspection, to effectively identify and mitigate such 
threats. 

 Via The Hacker News 

======================================================================
Link to news story:
https://www.techradar.com/pro/security/russian-speaking-hacking-group-now-shif
ting-focus-to-government-targets

$$
--- SBBSecho 3.28-Linux
 * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)
SEEN-BY: 105/81 106/201 128/187 129/14 305 153/7715 154/110 218/700
SEEN-BY: 226/30 227/114 229/110 134 206 300 307 317 400 426 428 470
SEEN-BY: 229/664 700 705 266/512 291/111 320/219 322/757 342/200 396/45
SEEN-BY: 460/58 633/280 712/848 902/26 2320/0 105 304 3634/12 5075/35
PATH: 2320/105 229/426