Tomiris 2025 government-targeting campaign
Campaign
Summary
Hide ▲
Show ▼
The Tomiris 2025 campaign is using phishing and public-service C2 to target foreign ministries, intergovernmental organizations, and government entities, increasing the risk of stealthy long-term access across Russia and Central Asia.
Related Happenings
Gamaredon Ukraine spear-phishing campaign across government and military targets
Campaign
H score39
First: 29.06.2026 14:40
Last: 29.06.2026 14:40
Sources 1
About this happening:
The **Gamaredon** campaign expanded across **Ukraine** in **2025**, hitting **governmental and military institutions** with **35 spear-phishing campaigns** and raising the risk of...
Gamaredon Ukraine spear-phishing campaign across government and military targets
CampaignAbout this happening: The **Gamaredon** campaign expanded across **Ukraine** in **2025**, hitting **governmental and military institutions** with **35 spear-phishing campaigns** and raising the risk of...
StegoAd malicious Edge extension operation
Malware Activity
H score19
First: 29.06.2026 11:32
Last: 29.06.2026 11:32
Sources 1
About this happening:
The **StegoAd** operation was removed from the **Edge Add-ons store** after hiding payloads in images and fonts, stealing credentials, and driving **ad fraud** across installs tha...
StegoAd malicious Edge extension operation
Malware ActivityAbout this happening: The **StegoAd** operation was removed from the **Edge Add-ons store** after hiding payloads in images and fonts, stealing credentials, and driving **ad fraud** across installs tha...
StrikeShark SharkLoader and Cobalt Strike Beacon campaign
Campaign
H score42
First: 26.06.2026 21:17
Last: 26.06.2026 21:17
Sources 1
About this happening:
The **StrikeShark** campaign is deploying **SharkLoader** to load **Cobalt Strike Beacon** on compromised hosts, raising the risk of broader follow-on intrusion activity. It has t...
StrikeShark SharkLoader and Cobalt Strike Beacon campaign
CampaignAbout this happening: The **StrikeShark** campaign is deploying **SharkLoader** to load **Cobalt Strike Beacon** on compromised hosts, raising the risk of broader follow-on intrusion activity. It has t...
Turla STOCKSTAY phishing campaign targeting Ukraine and Europe
Campaign
H score37
First: 26.06.2026 10:15
Last: 26.06.2026 10:15
Sources 1
About this happening:
Turla's **STOCKSTAY** phishing campaign is targeting **government and military organizations in Ukraine** and selected **European entities**, extending a recurring espionage opera...
Turla STOCKSTAY phishing campaign targeting Ukraine and Europe
CampaignAbout this happening: Turla's **STOCKSTAY** phishing campaign is targeting **government and military organizations in Ukraine** and selected **European entities**, extending a recurring espionage opera...
Gamaredon WinRAR malware chain using GammaPhish, GammaLoad, GammaWorm, and GammaSteel
Malware Activity
H score49
First: 02.06.2026 21:21
Last: 02.06.2026 21:21
Sources 1
About this happening:
**Gamaredon** is a **Russian APT** that expanded its **2025** activity against **Ukraine** with **35 spear-phishing campaigns** aimed at **government and military institutions**....
Gamaredon WinRAR malware chain using GammaPhish, GammaLoad, GammaWorm, and GammaSteel
Malware ActivityAbout this happening: **Gamaredon** is a **Russian APT** that expanded its **2025** activity against **Ukraine** with **35 spear-phishing campaigns** aimed at **government and military institutions**....
Latest development: 09.06.2026 15:26
Trend Micro attributes ongoing exploitation of WinRAR CVE-2025-8088 against Ukrainian organizations to Earth Dahu (Gamaredon) and SHADOW-EARTH-066 (UAC-0226). The campaigns use crafted RAR archives with hidden ADS payloads, a decoy PDF, a Startup-folder LNK, and a PowerShell chain via cmd.exe to launch GIFTEDCROOK (result.dll), while Earth Dahu's HTA-to-VBScript chain delivers GammaPhish, GammaLoad, and GammaSteel. The exfiltration path also shifts from Telegram to dedicated C2 servers, and Earth Dahu's use of the flaw is assessed to have remained active through at least April 10, 2026.
Timeline
-
01.12.2025 07:07 2 articles · 7mo ago
Tomiris 2025 government-targeting campaign
Initial DisclosureThe operation begins with **spear-phishing emails** carrying **password-protected RAR files**. Those archives deliver a disguised payload that starts the infection chain and prepares the host for follow-on tooling.
Show sources
- Tomiris Shifts to Public-Service Implants for Stealthier C2 in Attacks on Government Targets — thehackernews.com — 01.12.2025 07:07
- Tomiris Shifts to Public-Service Implants for Stealthier C2 in Attacks on Government Targets — thehackernews.com — 01.12.2025 07:07