
Just a sample of the Echomail archive

Cooperative anarchy at its finest, still active today. Darkrealms is the Zone 1 Hub.

   CONSPRCY      How big is your tinfoil hat?      2,445 messages   


   Message 2,015 of 2,445   
   Mike Powell to All   
   Russian speaking hacking   
   03 Dec 25 10:11:47   
   
   TZUTC: -0500   
   MSGID: 1772.consprcy@1:2320/105 2d95901f   
   PID: Synchronet 3.21a-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0   
   TID: SBBSecho 3.28-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0   
   BBSID: CAPCITY2   
   CHRS: ASCII 1   
   FORMAT: flowed   
   Russian speaking hacking group now shifting focus to government targets   
      
   Date:   
   Tue, 02 Dec 2025 18:29:00 +0000   
      
   Description:   
   The focus is now on stealth, long-term persistence, and cyber-espionage   
   against government and similar organizations.   
      
   FULL STORY   
      
   Tomiris, a Russian-speaking APT hacking group, has narrowed down its attack   
   focus to target government ministries, intergovernmental organizations, and   
   politically significant institutions.    
      
   This is according to a new report from cybersecurity researchers Kaspersky,   
   which claims that from early 2025, there has been a wave of intrusions in   
   which Tomiris deployed a large arsenal of multi-language implants.    
      
   The tools, written in Go, Rust, Python, and PowerShell (among others), were   
   designed for flexibility, obfuscation, as well as to make attribution more   
   difficult.    
      
   Targeting Russian and Central Asian victims   
      
   Tomiris is now hiding its command-and-control (C2) infrastructure in public   
   services such as Telegram or Discord, it was said, which helps it hide   
   malicious traffic inside normal, encrypted messaging flows.    
      
   Several reverse shells such as the Tomiris Python, Discord ReverseShell, or   
   the Tomiris Python Telegram ReverseShell, rely completely on these platforms   
   for both receiving commands and exfiltrating stolen data.    
      
   Initial access is usually achieved via phishing, using rules written in   
   Russian. Once the stage-one malware is deployed, the attackers would lurk,    
   run system commands, and deploy stage-two malware. Kaspersky also said that   
   frameworks such as Havoc and AdaptixC2 appear in later phases, and are used   
   for persistence, lateral movement, and device takeover.    
      
   More than half of Tomiris's phishing lures target Russian-speaking individuals   
   or institutions, it was said. The rest are located in Central Asian nations   
   such as Turkmenistan, Kyrgyzstan, Tajikistan, and Uzbekistan. Kaspersky also   
   stresses that this is not opportunistic crime, but rather a campaign centered   
   on state-level intelligence collection.    
      
   The evolution in tactics underscores the threat actor's focus on stealth,   
   long-term persistence, and the strategic targeting of government and   
   intergovernmental organizations, Kaspersky concludes. The use of public   
   services for C2 communications and multi-language implants highlights the    
   need for advanced detection strategies, such as behavioral analysis and   
   network traffic inspection, to effectively identify and mitigate such    
   threats.    
      
    Via The Hacker News    
      
   ======================================================================   
   Link to news story:   
   https://www.techradar.com/pro/security/russian-speaking-hacking-group-now-shifting-focus-to-government-targets   
      
   $$   
   --- SBBSecho 3.28-Linux   
    * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)   
   SEEN-BY: 105/81 106/201 128/187 129/14 305 153/7715 154/110 218/700   
   SEEN-BY: 226/30 227/114 229/110 134 206 300 307 317 400 426 428 470   
   SEEN-BY: 229/664 700 705 266/512 291/111 320/219 322/757 342/200 396/45   
   SEEN-BY: 460/58 633/280 712/848 902/26 2320/0 105 304 3634/12 5075/35   
   PATH: 2320/105 229/426   
      



(c) 1994,  bbs@darkrealms.ca