Tomiris Hackers Boost Tactics & Tools in Global Cyber Operations


Cyber‑espionage isn’t a thing of the past; it’s evolving, and the latest chapter involves a group known as Tomiris making headlines by blending malicious code with everyday messaging platforms. Their newest wave of attacks focuses on foreign ministries, intergovernmental bodies, and other government agencies across the globe, especially in Russia and the Central Asian republics of Turkmenistan, Kyrgyzstan, Tajikistan, and Uzbekistan.

Why Telegram and Discord Matter in the Attack Chain

Traditionally, threat actors keep their command‑and‑control (C2) servers on private, hard‑to‑find domains. Tomiris, however, has taken a different route: they route every instruction through popular, legitimate services such as Telegram and Discord. By doing so, they hide malicious traffic within the normal flow of billions of legitimate messages, making it harder for security tools to flag suspicious activity. It’s a clever subterfuge that turns the very infrastructure these platforms provide into a cloak for their operations.

The New Arsenal Unveiled by Kaspersky

Early 2025 saw Tomiris roll out a suite of upgraded tools designed to exfiltrate sensitive political data while slipping under the radar of conventional defenses. According to a fresh Kaspersky report, the group now employs a blend of custom implants written in C++, Rust, Go, and Python—languages chosen for their speed, portability, and relative obscurity in the threat landscape. This diversity means defenders can’t rely on a single signature or mitigation strategy.

How the Attack Begins: A Phishing Prelude

Every campaign starts with a carefully crafted phishing email that looks like it could come from a trusted government source—often referencing economic development or regional cooperation. The email contains a password‑protected ZIP or RAR archive. The password is usually included in the message body, something innocuous like “min@2025.” Because the archive is locked, automated scanners often cannot open it to check for malware, giving the attacker a small window of opportunity.
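The scanning gap described above can be narrowed without the password: a ZIP's local file headers mark encrypted entries in a flag bit that is readable in the clear. The following is an added example (not code from the Kaspersky report or the group), using constructed in-memory archives and the assumed file name "regional_cooperation.docx":

```python
"""Detect password-protected ZIP attachments without opening them.
Every ZIP local file header carries a general-purpose flag word whose bit 0
marks an encrypted entry, so a mail gateway can flag such archives even when
it cannot unpack them. Sample archives below are constructed, not real."""
import io
import struct
import zipfile

LOCAL_HEADER_SIG = b"PK\x03\x04"
CENTRAL_HEADER_SIG = b"PK\x01\x02"
ENCRYPTED_BIT = 0x0001


def encrypted_entries(data: bytes) -> list:
    """Names of entries whose local header has the encryption flag set."""
    names = []
    pos = data.find(LOCAL_HEADER_SIG)
    while pos != -1:
        # sig(4) ver(2) flags(2) method(2) time(2) date(2) crc(4) csize(4) usize(4) name_len(2) extra_len(2)
        (flags,) = struct.unpack_from("<H", data, pos + 6)
        name_len, extra_len = struct.unpack_from("<HH", data, pos + 26)
        name = data[pos + 30 : pos + 30 + name_len].decode("utf-8", "replace")
        if flags & ENCRYPTED_BIT:
            names.append(name)
        pos = data.find(LOCAL_HEADER_SIG, pos + 30 + name_len + extra_len)
    return names


def is_password_protected(data: bytes) -> bool:
    return bool(encrypted_entries(data))


def build_sample_zip(encrypted: bool) -> bytes:
    """Constructed sample: a one-file ZIP; when `encrypted`, the encryption
    flag is set in both headers as a password-protected archive would have."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("regional_cooperation.docx", b"constructed sample content")
    data = bytearray(buf.getvalue())
    if encrypted:
        for sig, off in ((LOCAL_HEADER_SIG, 6), (CENTRAL_HEADER_SIG, 8)):
            pos = data.find(sig)
            (flags,) = struct.unpack_from("<H", data, pos + off)
            struct.pack_into("<H", data, pos + off, flags | ENCRYPTED_BIT)
    return bytes(data)


if __name__ == "__main__":
    for enc in (False, True):
        print(enc, encrypted_entries(build_sample_zip(enc)))
```

The check reads only header bytes, so it also works on a streamed attachment before the whole file arrives; RAR uses a different container and needs its own parser.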

Inside the Archive: The Implant Takes Hold

Once the victim opens the archive and launches the file inside, the malicious payload runs. The file is an executable—sometimes a Rust downloader, sometimes a Python script, sometimes a Go binary—designed to run silently in the background. These implants perform a variety of functions, from establishing a reverse shell to cataloguing files for later exfiltration.

Tomiris’s Toolkit: From File Scanners to Full‑Blown C2 Frameworks

After the initial breach, Tomiris deploys several specialized tools that work in concert:

  • Tomiris Rust Downloader scans the host for PDFs, Word documents, and other sensitive files, then reports the list to a Discord channel under the attackers’ control.
  • Python and Telegram Backdoors create a reverse shell that lets the operator issue commands from their own device, with the communication happening over a Telegram bot. This makes the connection look like normal bot traffic.
  • FileGrabbers siphon documents from the victim’s machine and upload them to the attackers’ servers.

In many cases, once the initial implant is in place, Tomiris will pull down more powerful open‑source frameworks such as Havoc and AdaptixC2. These tools give the attackers full control over the compromised system, turning a stolen machine into a remote puppet.

Targeting by Language and Geography

More than half of the phishing emails are crafted in Russian, indicating a clear focus on the Commonwealth of Independent States. Yet the toolset’s sophistication and the use of globally popular messaging apps suggest a threat that could extend far beyond that region, potentially infiltrating diplomatic channels worldwide.

What Governments and Agencies Should Do Now

First and foremost, stay alert to unsolicited emails that require a password to open an attachment. If you receive one, verify its authenticity before opening it. Secondly, monitor internal network traffic for unusual connections to Discord or Telegram. A spike in outbound traffic to these services from critical systems could be a red flag. Finally, ensure your endpoint protection is up to date and configured to detect encrypted archives, especially those that bypass standard scanning due to password protection.
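One way to act on the second recommendation, as an added example that is not part of the report: run proxy or firewall export lines through a small detector that flags any critical host contacting Telegram or Discord endpoints and any host whose outbound volume to those services exceeds a budget. The log format, host names, watchlist domains and threshold are all assumptions chosen for the sample.

```python
"""Flag outbound Telegram/Discord traffic from critical hosts in proxy logs.
Added example; log format `timestamp src_host dst_domain bytes_out`, the host
inventory and the byte threshold are constructed for illustration."""
import re
from collections import defaultdict

# Assumed watchlist of service endpoints that bot-style C2 traffic would use.
WATCHED_DOMAINS = {"api.telegram.org", "discord.com", "discordapp.com", "cdn.discordapp.com"}
CRITICAL_HOSTS = {"mfa-ws-017", "mfa-fileserver"}   # constructed asset inventory
BYTES_OUT_THRESHOLD = 1_000_000                     # assumed per-host budget per period

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<bytes>\d+)$")

# Constructed sample export; not real traffic.
SAMPLE_LOG = """\
2025-03-04T09:12:01Z mfa-ws-017 api.telegram.org 512
2025-03-04T09:12:40Z hr-laptop-3 discord.com 2048
2025-03-04T09:13:05Z mfa-fileserver discord.com 740000
2025-03-04T09:14:11Z mfa-fileserver cdn.discordapp.com 900000
2025-03-04T09:15:00Z mfa-ws-017 update.example.org 30000
"""


def parse(lines):
    """Yield (ts, src, dst, bytes_out) for lines that match the assumed format."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield m["ts"], m["src"], m["dst"], int(m["bytes"])


def suspicious_messaging_traffic(lines):
    """Return alert strings: one per critical-host contact with a watched
    domain, plus one per host whose total bytes to those domains exceed the budget."""
    alerts = []
    totals = defaultdict(int)
    for ts, src, dst, nbytes in parse(lines):
        if dst not in WATCHED_DOMAINS:
            continue
        totals[src] += nbytes
        if src in CRITICAL_HOSTS:
            alerts.append(f"{ts} {src} -> {dst}: critical host contacting messaging service")
    for src, total in totals.items():
        if total > BYTES_OUT_THRESHOLD:
            alerts.append(f"{src}: {total} bytes to messaging services exceeds threshold")
    return alerts


if __name__ == "__main__":
    for alert in suspicious_messaging_traffic(SAMPLE_LOG.splitlines()):
        print(alert)
```

The volume rule catches the FileGrabber-style upload even from a host missing from the inventory, while the per-contact rule fires on the first beacon from a known-sensitive machine.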

Looking Ahead: The Future of State‑Sponsored Espionage

Tomiris’s shift to mainstream communication platforms signals a broader trend: threat actors will continue to exploit legitimate services to mask their operations. As organizations become more reliant on cloud‑based collaboration tools, the line between normal and malicious traffic will blur further. Cybersecurity teams must adapt by incorporating behavioral analytics that can spot anomalies in messaging patterns, not just file signatures. In a world where a single malicious file can grant an adversary a foothold into a nation’s diplomatic networks, vigilance and adaptive defense strategies will be key to staying ahead of the next wave of cyber‑espionage attacks.
