Tomiris: C2 Over Discord & Telegram? Seriously?
Introduction: Another day, another state-sponsored hack. This time, it's Tomiris, and they've apparently decided that old-school command and control is just too much work. Why build sophisticated infrastructure when you can just piggyback on Telegram? Lazy, but effective, I guess.
Key Tactics (Fact-Checked)
| Attribute | Detail |
|---|---|
| Threat Actor | Tomiris |
| Primary Targets | Foreign ministries, intergovernmental organizations, and government entities in Russia, Central Asia (Turkmenistan, Kyrgyzstan, Tajikistan, Uzbekistan). |
| Objective | Establish remote access, deploy additional tools, intelligence gathering. |
| C2 Method Shift | Increased use of implants leveraging public services (e.g., Telegram and Discord) for command-and-control (C2) servers. |
Deep Dive / Analysis
Tomiris isn't reinventing the wheel; they're just swapping out the hubcaps for something shinier and harder to attribute. Using public services like Telegram and Discord for command and control (C2) isn't groundbreaking, but it remains a persistent headache for defenders. The implant talks HTTPS to api.telegram.org or discord.com, exactly like the bots, webhooks and chat clients that already have a pass through most corporate proxies, so the traffic is encrypted in transit, goes to a domain with a spotless reputation, and blends into legitimate chatter. It's the digital equivalent of hiding a bomb in a busy shopping mall: the security guards are looking for suspicious packages, not your aunt's grocery bag. This tactic screams "low effort, high impact." Domain- and IP-reputation controls that would flag bespoke C2 infrastructure have nothing to flag, and takedowns become a bureaucratic exercise involving platform providers who probably have bigger fish to fry. The flip side is that the traffic still has to behave like a bot: a host polling the same API path on a timer, from a process that is neither a browser nor the official client, is exactly the kind of pattern proxy and endpoint telemetry can surface if anyone bothers to look. It's clever, in a deeply annoying way.
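As an added example (not Tomiris's code and not from any vendor), here is the kind of check the paragraph above is pointing at: a small Python script that reads web-proxy log lines, groups them per source host and service, and flags a host when more than one of three signals line up: a Telegram Bot API or Discord webhook path, a non-browser user-agent, and near-constant polling intervals. The log format, the sample lines (with a placeholder bot token and webhook ID) and the thresholds are assumptions made for this demo.

```python
"""Flag hosts that poll Telegram's Bot API or post to Discord webhooks like an implant.

Added example for this article, not code from Tomiris or any product.  Input is
constructed web-proxy log lines of the (assumed) form
    <ISO timestamp> <source host> <method> <url> <user-agent>
A (host, service) pair is reported when at least two of three signals fire:
regular request intervals, a bot-API/webhook path, and a non-browser user-agent.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed sample lines, not captured traffic.  ws-017 polls a placeholder bot
# token every ~30 s, ws-088 posts to a placeholder Discord webhook hourly from
# PowerShell, and ws-042 is a person using Telegram Web from a browser.
SAMPLE_LOG = """\
2024-05-01T09:00:00Z ws-017 GET https://api.telegram.org/bot0000000000:PLACEHOLDER/getUpdates?offset=1 python-requests/2.31
2024-05-01T09:00:31Z ws-017 GET https://api.telegram.org/bot0000000000:PLACEHOLDER/getUpdates?offset=1 python-requests/2.31
2024-05-01T09:01:00Z ws-017 GET https://api.telegram.org/bot0000000000:PLACEHOLDER/getUpdates?offset=2 python-requests/2.31
2024-05-01T09:01:30Z ws-017 POST https://api.telegram.org/bot0000000000:PLACEHOLDER/sendDocument python-requests/2.31
2024-05-01T09:02:01Z ws-017 GET https://api.telegram.org/bot0000000000:PLACEHOLDER/getUpdates?offset=3 python-requests/2.31
2024-05-01T09:02:30Z ws-017 GET https://api.telegram.org/bot0000000000:PLACEHOLDER/getUpdates?offset=3 python-requests/2.31
2024-05-01T09:00:05Z ws-042 GET https://web.telegram.org/a/ Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2024-05-01T09:00:06Z ws-042 GET https://web.telegram.org/a/main.js Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2024-05-01T09:07:41Z ws-042 GET https://web.telegram.org/a/ Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2024-05-01T09:23:02Z ws-042 GET https://web.telegram.org/a/ Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2024-05-01T10:00:00Z ws-088 POST https://discord.com/api/webhooks/000000000000000000/PLACEHOLDER PowerShell/7.4
2024-05-01T11:00:02Z ws-088 POST https://discord.com/api/webhooks/000000000000000000/PLACEHOLDER PowerShell/7.4
2024-05-01T12:00:00Z ws-088 POST https://discord.com/api/webhooks/000000000000000000/PLACEHOLDER PowerShell/7.4
2024-05-01T13:00:01Z ws-088 POST https://discord.com/api/webhooks/000000000000000000/PLACEHOLDER PowerShell/7.4
"""

BOT_API_PATH = re.compile(r"^/bot\d+:[A-Za-z0-9_-]+/\w+")          # Telegram Bot API: /bot<id>:<token>/<method>
WEBHOOK_PATH = re.compile(r"^/api/webhooks/\d+/[A-Za-z0-9_-]+")    # Discord webhook: /api/webhooks/<id>/<token>


def service_of(url):
    """Map a URL to 'telegram', 'discord', or None for anything else."""
    host = urlparse(url).hostname or ""
    for svc, domain in (("telegram", "telegram.org"), ("discord", "discord.com")):
        if host == domain or host.endswith("." + domain):
            return svc
    return None


def is_bot_or_webhook_path(url):
    """True for the API paths a headless implant uses rather than a human in a browser."""
    u = urlparse(url)
    if u.hostname == "api.telegram.org" and BOT_API_PATH.match(u.path):
        return True
    if u.hostname in ("discord.com", "discordapp.com") and WEBHOOK_PATH.match(u.path):
        return True
    return False


def parse_line(line):
    """Split one proxy log line into a record; the user-agent may contain spaces."""
    ts, host, method, url, ua = line.split(maxsplit=4)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": when, "host": host, "method": method, "url": url, "ua": ua}


def interval_cv(timestamps):
    """Coefficient of variation of the gaps between sorted timestamps (0 = perfectly regular)."""
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 2:
        return float("inf")
    mean = statistics.mean(gaps)
    return statistics.pstdev(gaps) / mean if mean > 0 else 0.0


def analyze(log_text, min_requests=4, max_cv=0.15, min_score=2):
    """Return findings for every (host, service) with at least min_score signals."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            svc = service_of(rec["url"])
            if svc:
                groups[(rec["host"], svc)].append(rec)

    findings = []
    for (host, svc), recs in sorted(groups.items()):
        recs.sort(key=lambda r: r["ts"])
        reasons = []
        if len(recs) >= min_requests and interval_cv([r["ts"] for r in recs]) <= max_cv:
            reasons.append("regular-interval")
        if any(is_bot_or_webhook_path(r["url"]) for r in recs):
            reasons.append("bot-api-or-webhook-path")
        if any(not r["ua"].startswith("Mozilla/") for r in recs):
            reasons.append("non-browser-user-agent")
        if len(reasons) >= min_score:
            findings.append({"host": host, "service": svc, "requests": len(recs), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['host']} -> {f['service']}: {f['requests']} requests, {', '.join(f['reasons'])}")
```

Two of three signals are required so that a single weak indicator does not page anyone: a browser session to web.telegram.org has human-irregular timing and a Mozilla user-agent, and the official desktop clients speak MTProto rather than the HTTPS Bot API, so they never show up under the path check at all. The path signal only exists if your proxy decrypts and logs the URL; without TLS inspection you are left with the SNI/host and the timing, which is exactly why the interval check is worth keeping even on its own.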
Pros & Cons (Tomiris's 'Innovations')
- Pros (for Tomiris):
- Blends C2 traffic with legitimate network activity, evading detection.
- Leverages existing, robust infrastructure (Telegram, Discord) with a clean domain reputation.
- Blocking it outright means blocking Telegram or Discord for everyone, which many organizations won't do.
- Cheaper, less infrastructure to maintain.
- Takedowns are harder, requiring platform cooperation.
- Cons (for Tomiris, and everyone else):
- Reliance on third-party services means potential for platform-level intervention (though rare).
- The implant has to carry its bot token or webhook URL, so anyone holding a sample can identify the channel and report it, which helps only if the platform acts (big IF).
- Still requires initial compromise, often via spear-phishing.
Final Verdict
Who should care? Anyone running a government network, especially in Russia and Central Asia, apparently. Tomiris isn't pushing boundaries with zero-days here; they're just being pragmatic and annoying. This isn't about cutting-edge malware; it's about basic operational security and the constant cat-and-mouse game. If your network defenses aren't looking for anomalous behavior within encrypted public service traffic, you're already behind. This isn't a "next-gen" threat; it's a reminder that sometimes, the simplest, laziest approaches are the most effective. Wake up.
📝 Article Summary:
Threat actor Tomiris is now using public services like Telegram and Discord for command and control in attacks targeting government entities in Russia and Central Asia. This shift allows their malicious traffic to blend in, making detection and takedown efforts significantly harder for defenders.
Words by Chenit Abdel Baset
