
New Tomiris tools and techniques: multiple reverse shells, Havoc, AdaptixC2

Published 28/11/2025 08:31 · Modified 21/12/2025 18:14


Essential information

Tags
2025-11-28, adaptixc2, apt, discord, distopia backdoor, government targets, havoc, jlorat, multi-language malware, reverse shells, telegram, tomiris c# reverseshell, tomiris c# telegram reverseshell, tomiris c++ reversesocks, tomiris c/c++ reverseshell, tomiris go reverseshell, tomiris go reversesocks, tomiris powershell telegram backdoor, tomiris python discord reverseshell, tomiris python filegrabber, tomiris python telegram reverseshell, tomiris rust downloader, tomiris rust reverseshell
Related entities
66 observables, 1 intrusion sets (apt), 17 techniques (mitre), 16 malware, 6 others

Description

Kaspersky researchers uncovered new malicious operations by the Tomiris threat actor targeting foreign ministries, intergovernmental organizations, and government entities. The attacks, which began in early 2025, show a shift in tactics, with increased use of implants that leverage public services like Telegram and Discord as command-and-control servers. The group uses various programming languages, including Go, Rust, C/C#/C++, and Python, to develop reverse shell tools. Some infections lead to the deployment of open-source post-exploitation frameworks such as Havoc and AdaptixC2. The campaign primarily focuses on Russian-speaking users and entities, with additional targets in Central Asian countries.

External references