Telemiris

Malware updated 6 months ago (2024-05-04T19:17:33.903Z)
Telemiris is a Python backdoor that uses Telegram as its command-and-control (C2) channel. Early samples were packed with PyInstaller; later samples packaged with Nuitka were also identified. Operators use Telemiris primarily as a first-stage implant to deploy other tools, such as Roopy, JLORAT, or even the legitimate WinSCP binary, for further file exfiltration. Once a file is delivered, Telemiris responds with "Файл загружен!" ("File downloaded!").

On September 13, 2022, at around 05:40 UTC, an operator attempted to deploy several known Tomiris implants via Telemiris: first a Python Meterpreter loader, then JLORAT and Roopy. Kaspersky telemetry also shows that the TunnusSched malware with MD5 hash C49DBF390E876E926A338EA07AC5D4A7 was deployed from Tomiris's Telemiris.

Kaspersky's investigation revealed overlaps between these attacks and a Turla cluster tracked by Google-owned Mandiant as UNC4210. The research found that the QUIETCANARY (aka TunnusSched) implant had been deployed against a government target in the CIS region using Telemiris. Together, these observations provide useful indicators of compromise for Telemiris that can support detection and prevention efforts.
Description last updated: 2024-05-04T18:22:50.848Z
Aliases: none currently tracked