Tomiris multi-language malware modules using Discord and Telegram C2
Malware Activity
Summary
Hide ▲
Show ▼
The Tomiris malware set is now using Discord and Telegram as C2, making its post-exploitation traffic harder to spot and letting operators blend in with legitimate service activity. A recent infection chain begins with password-protected RAR phishing and a .doc.exe decoy that drops a C/C++ reverse shell. The payload collects system data, establishes persistence, and fetches next-stage tools such as AdaptixC2 and Havoc.
Related Happenings
MacOS.Gaslight Rust infostealer-backdoor with Telegram Bot API channel
Malware Activity
H score30
First: 24.06.2026 17:00
Last: 24.06.2026 17:00
Sources 1
About this happening:
Researchers identified **macOS.Gaslight**, a **North Korea-linked** **Rust** infostealer-backdoor that can steal **Chrome, Brave, Firefox and Safari** data, terminal histories, in...
MacOS.Gaslight Rust infostealer-backdoor with Telegram Bot API channel
Malware ActivityAbout this happening: Researchers identified **macOS.Gaslight**, a **North Korea-linked** **Rust** infostealer-backdoor that can steal **Chrome, Brave, Firefox and Safari** data, terminal histories, in...
Vidar infostealer delivered through TikTok and Instagram Reels
Malware Activity
H score27
First: 10.06.2026 19:00
Last: 10.06.2026 19:00
Sources 1
About this happening:
Threat actors are using **TikTok** and **Instagram Reels** to deliver **Vidar infostealer** through fake free-software tutorials, putting viewers at risk of **credential**, **fina...
Vidar infostealer delivered through TikTok and Instagram Reels
Malware ActivityAbout this happening: Threat actors are using **TikTok** and **Instagram Reels** to deliver **Vidar infostealer** through fake free-software tutorials, putting viewers at risk of **credential**, **fina...
TikTok and Instagram Reels Vidar social-engineering campaign
Campaign
H score37
First: 10.06.2026 19:00
Last: 10.06.2026 19:00
Sources 1
About this happening:
A **TikTok** and **Instagram Reels** campaign is using fake free-software tutorials to push **Vidar**, turning social feeds into a high-reach malware delivery channel. The operati...
TikTok and Instagram Reels Vidar social-engineering campaign
CampaignAbout this happening: A **TikTok** and **Instagram Reels** campaign is using fake free-software tutorials to push **Vidar**, turning social feeds into a high-reach malware delivery channel. The operati...
Webworm EchoCreep and GraphWorm backdoor expansion
Malware Activity
H score28
First: 20.05.2026 15:51
Last: 20.05.2026 15:51
Sources 1
About this happening:
**Webworm** expanded its malware arsenal in **2025** with the custom backdoors **EchoCreep** and **GraphWorm**, increasing its ability to run stealthy **command-and-control** oper...
Webworm EchoCreep and GraphWorm backdoor expansion
Malware ActivityAbout this happening: **Webworm** expanded its malware arsenal in **2025** with the custom backdoors **EchoCreep** and **GraphWorm**, increasing its ability to run stealthy **command-and-control** oper...
Vidar infostealer market rise and distribution expansion
Malware Activity
H score30
First: 28.04.2026 22:07
Last: 28.04.2026 22:07
Sources 1
About this happening:
**Vidar** remains a long-running **infostealer** threat, and **Aryaka** reported a fresh campaign in **recent weeks** that adds **new obfuscation techniques** and stronger **steal...
Vidar infostealer market rise and distribution expansion
Malware ActivityAbout this happening: **Vidar** remains a long-running **infostealer** threat, and **Aryaka** reported a fresh campaign in **recent weeks** that adds **new obfuscation techniques** and stronger **steal...
Timeline
-
01.12.2025 07:07 2 articles · 7mo ago
Tomiris campaign uses Discord and Telegram C2 against government targets
Initial DisclosureKaspersky reported that the Tomiris 2025 campaign targeted foreign ministries, intergovernmental organizations, and government entities in Russia, using phishing emails with password-protected RAR files, a *.doc.exe decoy, reverse shells, and custom implants to establish remote access, persist on Windows systems, and fetch next-stage tools such as AdaptixC2 and Havoc while blending command-and-control traffic with legitimate Discord and Telegram activity.
Show sources
- Tomiris Shifts to Public-Service Implants for Stealthier C2 in Attacks on Government Targets — thehackernews.com — 01.12.2025 07:07
- Tomiris Shifts to Public-Service Implants for Stealthier C2 in Attacks on Government Targets — thehackernews.com — 01.12.2025 07:07