Cybersecurity teams around the world are watching the Tomiris threat actor evolve in troubling ways. According to a recent Dark Reading article, Tomiris has unleashed a new wave of attacks that leverage sophisticated techniques and tools to evade detection and maintain persistence in targeted environments.
This latest campaign focuses on government, diplomatic and intergovernmental entities across the Commonwealth of Independent States (CIS) and Central Asia, but the lessons apply to organizations of all types and sizes.
In this blog post we break down what Tomiris is doing, why traditional security approaches are struggling, and how businesses can strengthen their defenses with true isolation and containment — not just detect and respond.
What’s New in Tomiris’ Playbook
The Tomiris group has been active for years, but researchers from Kaspersky have identified two major shifts in their tactics in 2025:
1. Abuse of Legitimate Platforms for Command and Control
Rather than using traditional command and control (C2) infrastructure that can be blocked, Tomiris now routes C2 traffic through widely trusted messaging services like Telegram and Discord. This allows malicious activity to blend in with legitimate network traffic and bypass many traditional security filters.
2. Multi-Language Malware and Open Source Frameworks
Tomiris is deploying implants written in a variety of programming languages, including Go, Rust, C#, Python and others. These implants serve as launch points for well-known open source C2 frameworks such as Havoc and AdaptixC2.
This combination of stealthy communications and flexible malware increases the challenge for defenders who rely on signature-based tools that look for known threats.
The Real Danger: Stealth and Persistence
The Dark Reading coverage highlights that Tomiris’ goals go beyond quick hits. The group aims for stealth, long-term persistence and document theft. They cycle through multiple “burner” malware variants until one successfully evades defenses.
Their infection chain typically starts with a phishing email containing a password-protected archive. The malware inside is disguised as a harmless document, making users more likely to open it. Once executed, the malware gathers system information, harvests files and communicates back to attackers via the trusted platforms mentioned above.
This style of attack highlights a growing trend in cyber threats: attackers are blending malicious activity with legitimate services and hiding in plain sight.
Why Detect and Respond Is Not Enough
For many years, businesses have invested heavily in “detect and respond” technologies. Tools like EDR (Endpoint Detection and Response) and SIEM look for signs of compromise and alert security teams. While these tools have value, they share a core limitation: they assume an attacker will eventually be detected before serious damage occurs.
Tomiris and threat actors like it are showing that this assumption no longer holds:
Evading Detection:
By using public messaging services for C2 communication, attackers can bypass many detection systems that block or flag traffic to known malicious servers.
Persistent Threats:
Traditional tools often depend on detecting known patterns. But Tomiris’ multi-language approach and use of open source frameworks make detection through signatures and heuristics far less reliable.
Blended Traffic:
When malware communication uses popular services, defenders risk ignoring it as “normal,” even as attackers maintain persistent access.
These tactics make it clear: simply detecting threats and responding is no longer sufficient to protect critical systems. Organizations need to stop threats before they can execute, rather than relying on alerts after the fact.
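The "blended traffic" problem described above is a detection problem, not only a blocking one: traffic to a messaging platform's API is normal on most networks, so the useful signal is who is talking to it and how. The script below is an added example written for this post; it is not code from CHIPS, AppGuard, Kaspersky or Dark Reading. It reads proxy log lines in a constructed format, keeps only requests to an assumed watch-list of messaging-platform API hosts, and flags (source, destination, process) triples that either use a non-browser user agent or contact the platform at near-constant intervals, which is the beaconing pattern an implant produces while it waits for tasking. The host list, the user-agent markers, the log format, the process names and the sample lines are all assumptions made for the example.

```python
"""Flag endpoints whose traffic to messaging-platform APIs looks like implant beaconing.

Input lines (constructed format for this example, one request per line):
    <ISO-8601 time> src=<host> proc=<process> ua="<user agent>" dst=<fqdn>
A (src, dst, proc) group is reported when it uses a user agent that is not a
browser or official client, and/or when its requests arrive at regular intervals.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Assumed watch-list of messaging-platform API hosts; extend to fit your estate.
MESSAGING_API_HOSTS = {"api.telegram.org", "discord.com", "discordapp.com", "gateway.discord.gg"}

# Assumed markers of user agents the estate is expected to send to these hosts.
EXPECTED_UA_MARKERS = ("Mozilla/", "Discord/")

LINE_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>\S+) proc=(?P<proc>\S+) ua="(?P<ua>[^"]*)" dst=(?P<dst>\S+)$'
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return rec


def is_periodic(timestamps, min_events=4, max_cv=0.2):
    """True when the gaps between consecutive events are nearly constant.

    With at least min_events events, a coefficient of variation (stdev / mean)
    of the inter-arrival gaps below max_cv is treated as beaconing. Real user
    activity produces irregular gaps; a sleeping implant produces regular ones.
    """
    if len(timestamps) < min_events:
        return False
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    if mean <= 0:
        return False
    return statistics.pstdev(gaps) / mean < max_cv


def find_suspicious_pairs(lines):
    """Return a list of (src, dst, proc, reasons) for groups worth an analyst's look."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dst"] not in MESSAGING_API_HOSTS:
            continue
        groups[(rec["src"], rec["dst"], rec["proc"])].append(rec)

    findings = []
    for (src, dst, proc), recs in groups.items():
        reasons = []
        odd_uas = sorted({r["ua"] for r in recs if not r["ua"].startswith(EXPECTED_UA_MARKERS)})
        if odd_uas:
            reasons.append(f"non-browser user agent {odd_uas}")
        if is_periodic([r["ts"] for r in recs]):
            reasons.append(f"periodic: {len(recs)} requests at a near-constant interval")
        if reasons:
            findings.append((src, dst, proc, reasons))
    return findings


# Constructed sample log: one beaconing host, one scripted one-off, one ordinary browser user.
SAMPLE_LOG = """\
2025-12-01T09:00:00Z src=WS-117 proc=update.exe ua="Go-http-client/1.1" dst=api.telegram.org
2025-12-01T09:05:01Z src=WS-117 proc=update.exe ua="Go-http-client/1.1" dst=api.telegram.org
2025-12-01T09:10:00Z src=WS-117 proc=update.exe ua="Go-http-client/1.1" dst=api.telegram.org
2025-12-01T09:14:59Z src=WS-117 proc=update.exe ua="Go-http-client/1.1" dst=api.telegram.org
2025-12-01T09:20:00Z src=WS-117 proc=update.exe ua="Go-http-client/1.1" dst=api.telegram.org
2025-12-01T09:01:13Z src=WS-042 proc=chrome.exe ua="Mozilla/5.0 (Windows NT 10.0) Chrome/120.0" dst=discord.com
2025-12-01T09:37:48Z src=WS-042 proc=chrome.exe ua="Mozilla/5.0 (Windows NT 10.0) Chrome/120.0" dst=discord.com
2025-12-01T11:02:05Z src=WS-042 proc=chrome.exe ua="Mozilla/5.0 (Windows NT 10.0) Chrome/120.0" dst=discord.com
2025-12-01T09:03:00Z src=WS-042 proc=chrome.exe ua="Mozilla/5.0 (Windows NT 10.0) Chrome/120.0" dst=www.example.com
2025-12-01T10:12:44Z src=WS-205 proc=python.exe ua="python-requests/2.31.0" dst=discord.com
"""

if __name__ == "__main__":
    for src, dst, proc, reasons in find_suspicious_pairs(SAMPLE_LOG.splitlines()):
        print(f"{src} -> {dst} via {proc}: " + "; ".join(reasons))
```

On the sample data WS-042's browser visits to discord.com are left alone, WS-117 is reported for both the non-browser user agent and the five-minute beacon, and WS-205 is reported for the user agent alone. The thresholds (four events, 20 percent jitter) are starting points: implants that randomise their sleep interval will need a wider jitter allowance and a longer observation window, and the user-agent check is only as good as the allow-list behind it.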
A Better Approach: Isolation and Containment
What is needed is a fundamentally different model of endpoint protection — one that doesn’t wait for threats to be detected based on signatures or behavioral anomalies. Instead, it actively isolates and contains threats at the endpoint, preventing unauthorized execution and lateral movement in the first place.
Why AppGuard Works
AppGuard is an endpoint protection solution with a proven track record spanning more than ten years in highly demanding environments. It takes a fundamentally different approach:
- Isolation First: Instead of waiting to detect a threat, AppGuard isolates applications by default, preventing unknown or unauthorized code from executing harmful actions.
- Containment of Threats: Even if an attacker gains access through phishing or an exploit, AppGuard stops execution beyond a strict boundary, preventing escalation, lateral movement and communication back to C2 channels.
- Proven in the Field: Originally developed for mission-critical government systems, AppGuard’s technology has been battle-tested and is now available for commercial use.
With these capabilities, AppGuard helps organizations stay ahead of threats that evade detection through stealthy techniques like those used by Tomiris.
Take Action Today
The rise of sophisticated threats like Tomiris makes one thing clear: relying on detect and respond technologies alone leaves gaps that attackers will exploit.
If your organization wants to move beyond reactive cybersecurity and adopt a proactive model that includes isolation and containment of threats, we should talk.
Business owners and security leaders: reach out to us at CHIPS to learn how AppGuard can protect your organization from advanced threats, prevent incidents before they happen and significantly reduce risk. Don’t wait for an attack to expose weaknesses in your defenses.
Contact CHIPS today to discuss how AppGuard can strengthen your endpoint security strategy and protect your business in a world where sophisticated attacks are the new normal.
December 14, 2025