Find notable cyber news and cases, enriched with sources, timelines, and signals.

Tomiris multi-language malware modules using Discord and Telegram C2

Malware Activity
First reported
Last updated
Happening score
H score 22
1 unique sources, 1 articles

Summary

Hide ▲

The Tomiris malware set is now using Discord and Telegram as C2, making its post-exploitation traffic harder to spot and letting operators blend in with legitimate service activity. A recent infection chain begins with password-protected RAR phishing and a .doc.exe decoy that drops a C/C++ reverse shell. The payload collects system data, establishes persistence, and fetches next-stage tools such as AdaptixC2 and Havoc.

Related Happenings

MacOS.Gaslight Rust infostealer-backdoor with Telegram Bot API channel

Malware Activity
H score30 First: 24.06.2026 17:00 Last: 24.06.2026 17:00 Sources 1

About this happening: Researchers identified **macOS.Gaslight**, a **North Korea-linked** **Rust** infostealer-backdoor that can steal **Chrome, Brave, Firefox and Safari** data, terminal histories, in...

Vidar infostealer delivered through TikTok and Instagram Reels

Malware Activity
H score27 First: 10.06.2026 19:00 Last: 10.06.2026 19:00 Sources 1

About this happening: Threat actors are using **TikTok** and **Instagram Reels** to deliver **Vidar infostealer** through fake free-software tutorials, putting viewers at risk of **credential**, **fina...

TikTok and Instagram Reels Vidar social-engineering campaign

Campaign
H score37 First: 10.06.2026 19:00 Last: 10.06.2026 19:00 Sources 1

About this happening: A **TikTok** and **Instagram Reels** campaign is using fake free-software tutorials to push **Vidar**, turning social feeds into a high-reach malware delivery channel. The operati...

Webworm EchoCreep and GraphWorm backdoor expansion

Malware Activity
H score28 First: 20.05.2026 15:51 Last: 20.05.2026 15:51 Sources 1

About this happening: **Webworm** expanded its malware arsenal in **2025** with the custom backdoors **EchoCreep** and **GraphWorm**, increasing its ability to run stealthy **command-and-control** oper...

Vidar infostealer market rise and distribution expansion

Malware Activity
H score30 First: 28.04.2026 22:07 Last: 28.04.2026 22:07 Sources 1

About this happening: **Vidar** remains a long-running **infostealer** threat, and **Aryaka** reported a fresh campaign in **recent weeks** that adds **new obfuscation techniques** and stronger **steal...

Timeline

  1. 01.12.2025 07:07 2 articles · 7mo ago

    Tomiris campaign uses Discord and Telegram C2 against government targets

    Initial Disclosure

    Kaspersky reported that the Tomiris 2025 campaign targeted foreign ministries, intergovernmental organizations, and government entities in Russia, using phishing emails with password-protected RAR files, a *.doc.exe decoy, reverse shells, and custom implants to establish remote access, persist on Windows systems, and fetch next-stage tools such as AdaptixC2 and Havoc while blending command-and-control traffic with legitimate Discord and Telegram activity.

    Show sources