The Russian-speaking threat group Tomiris, first identified by Kaspersky Labs in September 2021, is currently focused on intelligence collection in Central Asia, according to a new report by the lab's researchers Pierre Delcher and Ivan Kwiatkowski. The researchers report that Tomiris uses phishing attacks against government and diplomatic entities in the CIS countries to steal internal documents. The attacks rely on a polyglot toolset, including "one-time" implants written in a range of programming languages.
Alongside freely available or commercial tools such as Ratel and Warzone RAT, Tomiris maintains its own arsenal of malware, including downloaders, backdoors and information stealers: Telemiris, written in Python; Roopy, a Pascal-based file stealer; and JLORAT, written in Rust.
Kaspersky Labs' investigation revealed overlaps between Tomiris and the Turla cluster that Mandiant tracks as UNC4210. Despite these potential ties, the researchers argue that Tomiris is a distinct actor from Turla because the two differ in both objectives and tradecraft. They do, however, acknowledge that the groups may cooperate on individual operations or rely on a shared software supplier.
"In general, Tomiris is a very mobile and decisive player open to experiments," the Kaspersky Labs researchers explained, adding that there is definitely a form of deliberate cooperation between Tomiris and Turla.