Tomiris Shifts to Public-Service Implants for Stealthier C2 in Attacks on Government Targets

The Tomiris threat actor has been conducting attacks against foreign ministries, intergovernmental organizations, and government entities in Russia. The campaign demonstrates a tactical shift toward using implants that leverage public services like Telegram and Discord for command and control communications. This approach allows for stealthier operations by blending malicious traffic with legitimate service communications. The attacks aim to establish remote access and deploy additional tools on compromised systems. The use of public platforms represents an evolution in the group's operational security practices.