Tomiris

Malware Profile Updated 3 months ago
Download STIX
Preview STIX
Tomiris is a malicious software (malware) group that has been active since before 2019. Known for its use of the QUIETCANARY backdoor, Tomiris has expanded its capabilities and influence within the region, targeting government entities and other high-value targets. The group has shown a particular interest in the Commonwealth of Independent States (CIS), with a TunnusSched sample delivered to a government target there in September 2022. This malware was deployed from Tomiris's Telemiris malware, indicating an advanced level of sophistication and capability. Furthermore, evidence suggests that Tomiris may have hijacked extinct Andromeda hostnames or domains, further expanding their cyber-attack infrastructure. The group exhibits a close relationship with another malware group, Turla, either sharing tools and expertise or cooperating on joint operations. One notable instance of this collaboration is the use of the Turla malware, KopiLuwak, by Tomiris. In fact, the TunnusSched sample leveraged by Tomiris is very similar to one deployed from KopiLuwak, as per Mandiant's reporting. This points to a high likelihood of the two groups working together, possibly to maximize their reach and impact. Tomiris has also developed a variant internally named "SBZ", which acts as a file stealer. It uploads any recent file matching a hardcoded set of extensions (.doc, .docx, .pdf, .rar, etc.) to the command-and-control (C2) server. This functionality allows Tomiris to exfiltrate sensitive information from infected systems, furthering their objectives. The group's activities, including the targeting of Russian military-industrial companies and widespread credential harvesting campaigns, underline the significant threat posed by Tomiris to both governmental and private sector organizations.
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
IDVotesProfile Description
QUIETCANARY
2
Quietcanary is a malicious software (malware) that has been exploited by threat groups such as Pensive Ursa and Tomiris. The malware, known for its backdoor capabilities, has been in use since at least 2019, with Pensive Ursa deploying it against targets in Ukraine in September 2022, often in conjun
Tunnussched
2
TunnusSched is a malicious software (malware) that has been used by the Advanced Persistent Threat (APT) group known as Tomiris. The malware, which can infiltrate systems through suspicious downloads, emails, or websites, is capable of stealing personal information, disrupting operations, and even h
KOPILUWAK
2
KopiLuwak is a JavaScript-based malware used for command and control (C2) communications and victim profiling. It was initially dropped by Pensive Ursa using an MSIL dropper in a G20-themed attack in 2017, and later as a self-extracting archive (SFX) executable in late 2022. Upon execution, the SFX
Sunshuttle
2
Sunshuttle is a malicious software (malware) that has been linked to various cyber threats. Initial reports identified connections between Sunshuttle, a Tomiris Golang implant, NOBELIUM (also known as APT29 or TheDukes), and Kazuar, which is associated with Turla. However, interpreting these connect
Sbz
2
SBZ is a potent piece of malware, characterized as a file stealer with the SHA-256 hash 80721e6b2d6168cf17b41d2f1ab0f1e6e3bf4db585754109f3b7ff9931ae9e5b. The discovery of this malware was facilitated by its similarity to the signatures associated with the Equation malware family. Its coding style an
Telemiris
1
Telemiris is a malware identified as a Python backdoor that uses Telegram as a command-and-control (C2) channel. It was originally packed with PyInstaller, but later instances of Nuitka-packaged samples were also identified. Telemiris is primarily used as a first-stage implant by operators to deploy
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Backdoor
russian
exploitation
Implant
Kaspersky
Apt
Russia
Exploit
Downloader
Phishing
Loader
Rat
Payload
Telegram
Associated Malware
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
KazuarUnspecified
2
Kazuar is a sophisticated multiplatform trojan horse malware, linked to the Russian-based threat group Turla (also known as Pensive Ursa, Uroburos, Snake), which has been operating since at least 2004. This group, believed to be connected to the Russian Federal Security Service (FSB), utilizes an ar
SUNBURSTUnspecified
2
Sunburst is a sophisticated malware that has been linked to the Kazuar code, indicating its complexity. It was used in several well-known cyber attack campaigns such as SUNBURST, OilRig, xHunt, DarkHydrus, and Decoy Dog, which employed DNS tunneling techniques for command and control (C2) communicat
TopinambourUnspecified
1
Topinambour is a malicious software (malware) that has been linked to the hacking group Turla, as reported by Kaspersky and Securelist. This malware, identified by SHA-256 29314f3cd73b81eda7bd90c66f659235e6bb900e499c9cc7057d10a9083a0b94, is known for its ability to exploit and damage computers or de
ANDROMEDAUnspecified
1
Andromeda is a type of malware, or malicious software, designed to exploit and damage computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or hold data ho
TunnusUnspecified
1
Tunnus is a type of malware, or malicious software, that has been identified as potentially harmful to computer systems and devices. Identified by the SHA-256 hash 046f11a6c561e46e6bf199ab7f50e74a4d2aaead68cdbd6ce44b37b5b4964758, Tunnus uses the same RC4 implementation as TunnusSched and Topinambour
RocketmanUnspecified
1
RocketMan is a type of malware, short for malicious software, which is designed to exploit and damage computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once it gains access, RocketMan can steal personal information, dis
MeterpreterUnspecified
1
Meterpreter, a type of malware, is an attack payload of Metasploit that serves as an interactive shell, enabling threat actors to control and execute code on a system. Advanced Persistent Threat (APT) actors have created and used a variant of Metasploit (Meterpreter) on the ServiceDesk system, liste
Snake MalwareUnspecified
1
The infamous Snake malware, a complex and destructive tool utilized by Pensive Ursa, became the target of a significant cybersecurity operation in May 2023. Detailed in a CISA report, the Snake malware was known to infiltrate systems via suspicious downloads, emails, or websites, often unbeknownst t
Tomiris’s TelemirisUnspecified
1
Tomiris's Telemiris is a potent malware that has been discovered to deploy TunnusSched, another malicious software. This harmful program is designed to infiltrate and damage computer systems, often without the user's knowledge. It can infect systems through suspicious downloads, emails, or websites.
Tomiris GolangUnspecified
1
Tomiris Golang is a malicious software (malware) identified by its unique SHA-256 hash, fd7fe71185a70f281545a815fce9837453450bb29031954dd2301fe4da99250d. It was first introduced as a threat actor that infiltrates systems by taking over legitimate government hostnames to deploy the Tomiris Golang imp
Associated Threat Actors
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
TurlaUnspecified
5
Turla, also known as Pensive Ursa, is a sophisticated threat actor linked to Russia that has been active for many years. The group is known for its advanced cyber-espionage capabilities and has been associated with numerous high-profile breaches. According to the MITRE ATT&CK and MITRE Ingenuity dat
SnakeUnspecified
2
Snake, also known as EKANS, is a significant threat actor that has been active since at least 2004, with its activities potentially dating back to the late 1990s. This group, which may have ties to Iran, targets diplomatic and government organizations as well as private businesses across various reg
Pensive UrsaUnspecified
1
Pensive Ursa, also known as Turla, Uroburos, Venomous Bear, and Waterbug, is a Russian-based advanced persistent threat (APT) group that has been operating since at least 2004. The group, linked to the Russian Federal Security Service (FSB), is renowned for its sophisticated cyber-espionage activiti
Cloud AtlasUnspecified
1
Cloud Atlas, a sophisticated threat actor group, has been actively involved in cyber-espionage activities against various nations, primarily targeting Russia and former Soviet Union countries such as Belarus, Kazakhstan, and Azerbaijan. This group employs advanced techniques to evade detection and e
Venomous BearUnspecified
1
Venomous Bear, also known as Turla, Urobouros, Snake, and other names, is a threat actor group attributed to Center 16 of the Federal Security Service (FSB) of the Russian Federation. The group has been active since at least 2004, targeting diplomatic and government organizations, as well as private
NOBELIUMUnspecified
1
Nobelium, a threat actor linked to Russia's SVR, has been actively targeting French diplomatic entities as part of its cyber-espionage activities. The Advanced Persistent Threat (APT) group has utilized sophisticated techniques such as phishing and attempts to install Cobalt Strike, an advanced malw
Midnight BlizzardUnspecified
1
Midnight Blizzard, a Russia-linked Advanced Persistent Threat (APT) group, has emerged as a significant cybersecurity concern. The group is known for executing actions with malicious intent and has been linked to several high-profile cyber attacks on global organizations. Notably, it breached the sy
APT29Unspecified
1
APT29, also known as Cozy Bear, SVR group, BlueBravo, Nobelium, Midnight Blizzard, and The Dukes, is a threat actor linked to Russia. This group is notorious for its malicious activities in the cybersecurity realm, executing actions with harmful intent. It has been associated with several high-profi
Cozy BearUnspecified
1
Cozy Bear, also known as APT29, is a threat actor linked to the Russian government that has been implicated in numerous cyber-espionage activities. The group's activities have been traced back to at least 2015, when they were identified as infiltrating the Democratic National Committee (DNC) network
PensiveUnspecified
1
Pensive Ursa, also known as Turla or Uroburos, is a Russian-based threat group that has been active since at least 2004 and is linked to the Russian Federal Security Service (FSB). The group employs advanced and stealthy tools like Kazuar, a .NET backdoor used as a second stage payload. In 2023, Pen
Associated Vulnerabilities
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
ProxylogonUnspecified
2
ProxyLogon is a notable software vulnerability that surfaced in the cybersecurity landscape. It was part of an exploit chain, including CVE-2021-26855, a server-side request forgery (SSRF) vulnerability in Microsoft Exchange Server. This flaw allowed attackers to bypass authentication mechanisms and
CVE-2021-26855Unspecified
1
CVE-2021-26855 is a significant software vulnerability, specifically a zero-day server-side request forgery (SSRF) flaw, found in Microsoft Exchange 2013, 2016, and 2019. This vulnerability was exploited by attackers to gain initial access to email servers and drop an ASPX webshell, leveraging the t
Tunnussched QuietcanaryUnspecified
1
None
Source Document References
Information about the Tomiris Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
SourceCreatedAtTitle
CERT-EU
5 months ago
Russia and Belarus targeted by at least 14 nation-state hacker groups, researchers say | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
InfoSecurity-magazine
9 months ago
Palo Alto Reveals New Features in Russian APT Turla's Kazuar Backdoor
Unit42
10 months ago
Threat Group Assessment: Turla (aka Pensive Ursa)
CERT-EU
a year ago
IT threat evolution in Q2 2023 – GIXtools
CERT-EU
a year ago
IT threat evolution Q2 2023
MITRE
a year ago
Tomiris backdoor and its connection to Sunshuttle and Kazuar
CERT-EU
a year ago
後門程式
CERT-EU
a year ago
Tomiris called, they want their Turla malware back
CERT-EU
a year ago
Tomiris called, they want their Turla malware back - GIXtools
InfoSecurity-magazine
a year ago
Tomiris and Turla APT Groups Collaborate to Target Government Entities
CERT-EU
a year ago
Russian Hackers Tomiris Targeting Central Asia for Intelligence Gathering
CERT-EU
a year ago
Tomoris links to APT behind SolarWinds attack put to rest
CERT-EU
a year ago
Tangled Up: 'Tomiris' APT Uses Turla Malware, Confusing Researchers
CERT-EU
a year ago
Kaspersky enquête sur le groupe APT Tomiris qui cible des entités gouvernementales dans la CEI – Global Security Mag Online
CERT-EU
a year ago
Kaspersky Analyzes Links Between Russian State-Sponsored APTs
CERT-EU
a year ago
Киберпреступники Tomiris активно собирают разведданные в странах СНГ
CERT-EU
a year ago
Russian Hackers Tomiris Targeting Central Asia for Intelligence Gathering | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker – National Cyber Security Consulting
CERT-EU
a year ago
APT trends report Q1 2023
CERT-EU
a year ago
APT trends report Q1 2023 - GIXtools
CERT-EU
a year ago
Rapport APT Q1 2023 : techniques avancées, nouveaux horizons et nouvelles cibles – Global Security Mag Online