New Tomiris tools and techniques: multiple reverse shells, Havoc, AdaptixC2
Nov. 28, 2025, 9:37 a.m.
Description
Kaspersky researchers uncovered new malicious operations by the Tomiris threat actor targeting foreign ministries, intergovernmental organizations, and government entities. The attacks, which began in early 2025, show a shift in tactics with increased use of implants leveraging public services like Telegram and Discord as command-and-control servers. The group employs various programming languages including Go, Rust, C/C#/C++, and Python to develop reverse shell tools. Some infections lead to the deployment of open-source post-exploitation frameworks such as Havoc and AdaptixC2. The campaign primarily focuses on Russian-speaking users and entities, with additional targets in Central Asian countries.
Date
- Created: Nov. 28, 2025, 8:31 a.m.
- Published: Nov. 28, 2025, 8:31 a.m.
- Modified: Nov. 28, 2025, 9:37 a.m.
Indicators
Attack Patterns
- Tomiris Go ReverseSocks
- Tomiris C++ ReverseSocks
- Tomiris C# ReverseShell
- Tomiris PowerShell Telegram Backdoor
- Tomiris Go ReverseShell
- Tomiris Rust ReverseShell
- Tomiris C# Telegram ReverseShell
- Tomiris Python Telegram ReverseShell
- Distopia backdoor
- Tomiris Python FileGrabber
- Tomiris Python Discord ReverseShell
- Tomiris Rust Downloader
- Tomiris C/C++ ReverseShell
- AdaptixC2
- JLORAT
- Havoc
- Tomiris
Additional Information
- Government
- Turkmenistan
- Kyrgyzstan
- Tajikistan
- Uzbekistan
- Russian Federation