ETDA สำนักงานพัฒนาธุรกรรมทางอิเล็กทรอนิกส์
Electronic Transactions Development Agency
Home > List all groups > Tomiris

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link APT group: Tomiris

NamesTomiris (Kaspersky)
MotivationInformation theft and espionage
First seen2020
Description(Kaspersky) Tomiris focuses on intelligence gathering in Central Asia. Tomiris’s endgame consistently appears to be the regular theft of internal documents.

The threat actor targets government and diplomatic entities in the CIS. The occasional victims discovered in other regions (such as the Middle East or South-East Asia) turn out to be foreign representations of CIS countries, illustrating Tomiris’s narrow focus.

It is characterized by its tendency to develop numerous low-sophistication “burner” implants in a variety of programming languages that are repeatedly deployed against the same targets, using elementary but efficient packaging and distribution techniques. Tomiris occasionally leverages commercial or open-source RATs.
Language artifacts discovered in Tomiris’s implant families and infrastructure from distinct campaigns all indicate that the threat actor is Russian-speaking.

Overall, Tomiris is a very agile and determined actor, open to experimentation – for instance with delivery methods (DNS hijacking) or command and control (C2) channels (Telegram).

Kaspersky also asserts that there exists a form of deliberate cooperation between Tomiris and Turla, Waterbug, Venomous Bear.
ObservedSectors: Government.
Countries: Commonwealth of Independent States (CIS).
Tools usedJLOGRAB, JLORAT, KopiLuwak, Meterpreter, RATel, RocketMan, Roopy, Telemiris, Tomiris, Topinambour, Tunnus, Warzone RAT.

Last change to this card: 26 April 2023

Download this actor card in PDF or JSON format

Previous: ToddyCat
Next: Tonto Team, HartBeat, Karma Panda

Digital Service Security Center
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1227
E-mail [email protected]