{ "name": "New Tomiris tools and techniques: multiple reverse shells, Havoc, AdaptixC2", "slug": "new-tomiris-tools-and-techniques-multiple-reverse-shells-havoc-adaptixc2", "description": "Kaspersky researchers uncovered new malicious operations by the Tomiris threat actor targeting foreign ministries, intergovernmental organizations, and government entities. The attacks, which began in early 2025, show a shift in tactics with increased use of implants leveraging public services like Telegram and Discord as command-and-control servers. The group employs various programming languages including Go, Rust, C/C#/C++, and Python to develop reverse shell tools. Some infections lead to the deployment of open-source post-exploitation frameworks such as Havoc and AdaptixC2. The campaign primarily focuses on Russian-speaking users and entities, with additional targets in Central Asian countries.", "published": "2025-11-28T07:31:24+00:00", "created_at": "2025-11-28T07:31:24+00:00", "modified_at": "2025-12-21T17:14:00+00:00", "created_at_opencti": "2025-11-28T07:31:24+00:00", "author": "", "confidence": null, "report_types": [], "labels": [], "tags": [ "2025-11-28", "adaptixc2", "apt", "discord", "distopia backdoor", "government targets", "havoc", "jlorat", "multi-language malware", "reverse shells", "telegram", "tomiris c# reverseshell", "tomiris c# telegram reverseshell", "tomiris c++ reversesocks", "tomiris c/c++ reverseshell", "tomiris go reverseshell", "tomiris go reversesocks", "tomiris powershell telegram backdoor", "tomiris python discord reverseshell", "tomiris python filegrabber", "tomiris python telegram reverseshell", "tomiris rust downloader", "tomiris rust reverseshell" ], "related_entities": { "observables": [ { "id": "", "name": "88.214.25.249" }, { "id": "", "name": "82.115.223.210" }, { "id": "", "name": "64.7.199.193" }, { "id": "", "name": "192.153.57.9" }, { "id": "", "name": "188.127.231.136" }, { "id": "", "name": "78.128.112.209" }, { "id": "", "name": "85.209.128.171" }, { "id": "", "name": "188.127.251.146" }, { "id": "", "name": "188.127.225.191" }, { "id": "", "name": "206.188.196.191" }, { "id": "", "name": "185.173.37.67" }, { "id": "", "name": "188.127.227.226" }, { "id": "", "name": "192.165.32.78" }, { "id": "", "name": "91.219.148.93" }, { "id": "", "name": "94.198.52.200" }, { "id": "", "name": "96.9.124.207" }, { "id": "", "name": "82.115.223.218" }, { "id": "", "name": "82.115.223.78" }, { "id": "", "name": "193.149.129.113" }, { "id": "", "name": "88.214.26.37" }, { "id": "", "name": "192.153.57.189" }, { "id": "", "name": "94.198.52.210" }, { "id": "", "name": "77.232.39.47" }, { "id": "", "name": "77.232.42.107" }, { "id": "", "name": "185.244.180.169" }, { "id": "", "name": "https://sss.qwadx.com/netexit.rar" }, { "id": "", "name": "https://sss.qwadx.com/winsrv.exe" }, { "id": "", "name": "http://62.113.115.89/homepage/infile.php" }, { "id": "", "name": "http://82.115.223.78/private/dwm.exe" }, { "id": "", "name": "http://188.127.251.146:8080/sbchost.rar" }, { "id": "", "name": "http://82.115.223.78/private/svchost.exe" }, { "id": "", "name": "http://192.153.57.9/private/svchost.exe" }, { "id": "", "name": "http://195.2.79.245/winload.rar" }, { "id": "", "name": "https://docsino.ru/wp-content/private/winupdate.exe" }, { "id": "", "name": "http://195.2.79.245/winupdate.exe" }, { "id": "", "name": "http://195.2.79.245/service.exe" }, { "id": "", "name": "http://195.2.79.245/winload.exe" }, { "id": "", "name": "https://sss.qwadx.com/winload.exe" }, { "id": "", "name": "http://82.115.223.78/private/spoolsvc.exe" }, { "id": "", "name": "http://195.2.79.245/firefox.exe" }, { "id": "", "name": "http://188.127.251.146:8080/sxbchost.exe" }, { "id": "", "name": "http://82.115.223.78/private/sysmgmt.exe" }, { "id": "", "name": "https://sss.qwadx.com/AkelPad.exe" }, { "id": "", "name": "https://docsino.ru/wp-content/private/alone.exe" }, { "id": "", "name": "http://89.110.98.234/winload.exe" }, { "id": "", "name": "http://88.214.25.249:443/netexit.rar" }, { "id": "", "name": "http://82.115.223.78/private/msview.exe" }, { "id": "", "name": "http://89.110.98.234/winload.rar" }, { "id": "", "name": "http://85.209.128.171:8000/AkelPad.rar" }, { "id": "", "name": "https://sss.qwadx.com/12345.exe" }, { "id": "", "name": "148a42ccaa97c2e2352dbb207f07932141d5290d4c3b57f61a780f9168783eda" }, { "id": "", "name": "e46a04b9950a29e8638d5ff6508db94bf2811d613995a964cb5953922b02b0ac" }, { "id": "", "name": "4420148744799563bd559cd6bd42ac10ffe0cc2895c0f5366288272d3b947eec" }, { "id": "", "name": "ec80e96e3d15a215d59d1095134e7131114f669ebc406c6ea1a709003d3f6f17" }, { "id": "", "name": "ab0ad77a341b12cfc719d10e0fc45a6613f41b2b3f6ea963ee6572cf02b41f4d" }, { "id": "", "name": "be519d0acca77865ed569f16774e7ecb096a5a6ed0b6fe70ab5d5b438964cc11" }, { "id": "", "name": "8e7fb9f6acfb9b08fb424ff5772c46011a92d80191e7736010380443a46e695c" }, { "id": "", "name": "b4add80567c915eadffd00f022ca738a7eb4552aedad9da8ea658f04ca693bfc" }, { "id": "", "name": "4f17a7f8d2cec5c2206c3cba92967b4b499f0d223748d3b34f9ec4981461d288" }, { "id": "", "name": "d59577c808e5fc0c67cfaf17fb64cd92c2ed4cb3b6c6bd7110836c8b4b856170" }, { "id": "", "name": "7084f06f2d8613dfe418b242c43060ae578e7166ce5aeed2904a8327cd98dbdf" }, { "id": "", "name": "cc84bfdb6e996b67d8bc812cf08674e8eca6906b53c98df195ed99ac5ec14a06" }, { "id": "", "name": "ae562641ccd56f6735cb93eb4c6beba1f40921281a103f2c9e7f339bdabd0e20" }, { "id": "", "name": "57bba9dc05df51765b83559e9df7798c389a9c23f13f15a22077c242b8d6f558" }, { "id": "", "name": "22ba8c24f1aefc864490f70f503f709d2d980b9bc18fece4187152a1d9ca5fab" }, { "id": "", "name": "6b290953441b1c53f63f98863aae75bd8ea32996ab07976e498bad111d535252" } ], "malware": [ { "id": "fa3eb00d-29bd-4170-8381-0447aa27f966", "name": "Tomiris C# ReverseShell", "slug": "tomiris-c-reverseshell" }, { "id": "legacy:malware:f889d6a7a7746b76", "name": "AdaptixC2", "slug": "adaptixc2" }, { "id": "legacy:malware:3af147adbeb5a50d", "name": "Tomiris Rust Downloader", "slug": "tomiris-rust-downloader" }, { "id": "legacy:malware:d2a0a4da7893e5b4", "name": "Havoc", "slug": "havoc" }, { "id": "legacy:malware:0528b4895557446e", "name": "Tomiris Go ReverseSocks", "slug": "tomiris-go-reversesocks" }, { "id": "legacy:malware:9b940389e88df8a5", "name": "Tomiris C++ ReverseSocks", "slug": "tomiris-c-reversesocks" }, { "id": "legacy:malware:e104b78b37c8cccc", "name": "Tomiris C/C++ ReverseShell", "slug": "tomiris-cc-reverseshell" }, { "id": "legacy:malware:769ae1d33cad0cf8", "name": "Distopia backdoor", "slug": "distopia-backdoor" }, { "id": "legacy:malware:b0a8206ecae0fc18", "name": "Tomiris Rust ReverseShell", "slug": "tomiris-rust-reverseshell" }, { "id": "legacy:malware:512a79b6f8c521e8", "name": "Tomiris Python FileGrabber", "slug": "tomiris-python-filegrabber" }, { "id": "legacy:malware:647978849512948c", "name": "Tomiris PowerShell Telegram Backdoor", "slug": "tomiris-powershell-telegram-backdoor" }, { "id": "legacy:malware:ed352ce8cd0b5829", "name": "Tomiris Go ReverseShell", "slug": "tomiris-go-reverseshell" }, { "id": "legacy:malware:20fc0cfe3447c5fb", "name": "Tomiris Python Telegram ReverseShell", "slug": "tomiris-python-telegram-reverseshell" }, { "id": "legacy:malware:8f0d5452785cb63f", "name": "Tomiris Python Discord ReverseShell", "slug": "tomiris-python-discord-reverseshell" }, { "id": "legacy:malware:bf3aef31d7d27459", "name": "JLORAT", "slug": "jlorat" }, { "id": "legacy:malware:08eedc4e2f673e1d", "name": "Tomiris C# Telegram ReverseShell", "slug": "tomiris-c-telegram-reverseshell" } ], "intrusion_sets": [ { "id": "f2c9eb13-d488-4fb0-8dd1-95d52017f284", "name": "Tomiris", "slug": "tomiris" } ], "attack_patterns": [ { "id": "7d7ac733-6442-416f-8669-c302dd0843b9", "name": "T1036" }, { "id": "a72ebeae-8e62-4039-8135-e9c611011fdc", "name": "T1573" }, { "id": "d9b45b3b-d093-4016-89e9-48f31ff4d05d", "name": "T1566" }, { "id": "ca53b2fa-42a8-45ec-9682-0cf54bf280f3", "name": "T1090" }, { "id": "81ee4813-4f68-4984-bec1-980d7c5b56eb", "name": "T1132" }, { "id": "6aa7866f-9c1f-4159-938a-10a6adf41646", "name": "T1553" }, { "id": "50514c04-b3a2-4abf-a855-e3a434200c87", "name": "T1204" }, { "id": "a2ba5594-6293-4868-928c-ab4b31927a02", "name": "T1572" }, { "id": "0c836307-129e-4ff7-a532-180c633cacba", "name": "T1027" }, { "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571", "name": "T1105" }, { "id": "88fa397b-4cc9-42c0-b52d-4108f9630529", "name": "T1095" }, { "id": "c12e0e03-aab0-4646-a929-e921a3d27f02", "name": "T1219" }, { "id": "9b6064e6-a05b-4e95-baf5-34d180bc9221", "name": "T1059" }, { "id": "870bd958-53a3-4d25-9f23-00aa8bd6674d", "name": "T1102" }, { "id": "fc699aef-8931-4a79-8f79-9651be9abd50", "name": "T1021" }, { "id": "dc342445-1b78-48b4-aa06-89ed2ad7c28e", "name": "T1071" }, { "id": "0156fcda-e385-4662-b388-086c3e16feec", "name": "T1140" } ], "others": [ { "id": "", "name": "Tajikistan" }, { "id": "", "name": "Uzbekistan" }, { "id": "", "name": "Russian Federation" }, { "id": "", "name": "Turkmenistan" }, { "id": "", "name": "Kyrgyzstan" }, { "id": "", "name": "Government and administrations" } ] }, "external_refs": [ "https://securelist.com/tomiris-new-tools/118143/", "https://otx.alienvault.com/pulse/69295ddc667844c92d7554d0" ] }