
Tomiris multi-language malware modules using Discord and Telegram C2

Malware Activity
Happening score: 16 · 1 source, 1 article

Summary


Tomiris implants now use Discord and Telegram as command-and-control channels, so post-exploitation traffic goes to well-known hosts over TLS and blends in with legitimate use of those services. A recent infection chain starts with a phishing email carrying a password-protected RAR archive (which most mail gateways cannot inspect) and a decoy named with a double extension (*.doc.exe) that drops a C/C++ reverse shell. The payload collects system information, establishes persistence, and fetches next-stage tooling such as AdaptixC2 and Havoc.
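Two of the traits above are cheap to hunt for in endpoint telemetry: a document-looking file name that actually ends in an executable extension, and a process that is not a browser or chat client talking to Discord or Telegram endpoints. The script below is an added example written for this page, not code from Kaspersky or from the Tomiris report. The event records are constructed samples whose field names (type, image, parent, dest_host, dest_port) are an assumption loosely modelled on process-creation and network-connection events; the host list and the allowlist of expected client processes are also assumptions to be tuned per environment.

```python
import re

# Constructed sample telemetry (assumption: field names are illustrative, not a
# specific product's schema). One lure executable is extracted by WinRAR, runs,
# and reaches the Telegram Bot API; a masquerading svchost.exe in a user profile
# reaches discord.com; Firefox reaching discord.com is benign noise.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Users\a\AppData\Local\Temp\Rar$DIa1234\Report.doc.exe",
     "parent": r"C:\Program Files\WinRAR\WinRAR.exe"},
    {"type": "process", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"type": "network", "image": r"C:\Users\a\AppData\Local\Temp\Rar$DIa1234\Report.doc.exe",
     "dest_host": "api.telegram.org", "dest_port": 443},
    {"type": "network", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest_host": "discord.com", "dest_port": 443},
    {"type": "network", "image": r"C:\Users\a\AppData\Roaming\svchost.exe",
     "dest_host": "discord.com", "dest_port": 443},
    {"type": "network", "image": r"C:\Windows\System32\svchost.exe",
     "dest_host": "update.microsoft.com", "dest_port": 443},
]

# Domains behind Discord webhooks/gateway and the Telegram Bot API. Subdomains match too.
CHAT_SERVICE_HOSTS = ("discord.com", "discordapp.com", "discord.gg", "api.telegram.org")

# Process names expected to contact those services on a workstation (assumption).
EXPECTED_CLIENTS = {"firefox.exe", "chrome.exe", "msedge.exe", "discord.exe", "telegram.exe"}

# Archive/extraction tools: a lure spawned directly from one of these is higher confidence.
ARCHIVE_TOOLS = {"winrar.exe", "7zfm.exe", "7z.exe", "explorer.exe"}

# "<name>.<document ext>.<executable ext>" at the end of the file name.
DOUBLE_EXTENSION = re.compile(
    r"\.(doc|docx|pdf|xls|xlsx|rtf|txt|jpe?g|png)\.(exe|scr|com|pif|bat)$", re.IGNORECASE)


def basename(path: str) -> str:
    """Final path component, accepting Windows or POSIX separators."""
    return re.split(r"[\\/]", path)[-1]


def is_chat_service_host(host: str) -> bool:
    """True if host is one of the chat-service domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in CHAT_SERVICE_HOSTS)


def is_double_extension_lure(image: str) -> bool:
    """True for names like Report.doc.exe that masquerade as documents."""
    return DOUBLE_EXTENSION.search(basename(image)) is not None


def find_alerts(events):
    """Return (rule, image, detail) tuples for events matching either hunt."""
    alerts = []
    for ev in events:
        image = ev.get("image", "")
        name = basename(image).lower()
        if ev.get("type") == "process" and is_double_extension_lure(image):
            parent = basename(ev.get("parent", "")).lower()
            detail = f"parent={parent} from_archive_tool={parent in ARCHIVE_TOOLS}"
            alerts.append(("double_extension_executable", image, detail))
        elif ev.get("type") == "network" and is_chat_service_host(ev.get("dest_host", "")):
            # Browsers and real chat clients are expected; anything else is suspect.
            if name not in EXPECTED_CLIENTS:
                detail = f"dest={ev['dest_host']}:{ev.get('dest_port')}"
                alerts.append(("unexpected_chat_service_client", image, detail))
    return alerts


if __name__ == "__main__":
    for rule, image, detail in find_alerts(SAMPLE_EVENTS):
        print(f"{rule}: {image} ({detail})")
```

On the sample data this raises three alerts: the double-extension lure at process creation, the same lure contacting api.telegram.org, and the user-profile svchost.exe contacting discord.com; Firefox reaching discord.com and the real svchost.exe reaching Microsoft are not flagged. The allowlist is the weak point of the second rule: an implant injected into a browser process would pass it, so in practice pair it with a check on the process image path and signature rather than the name alone.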

Related Happenings

Webworm EchoCreep and GraphWorm backdoor expansion

Malware Activity
First: 20.05.2026 15:51 Last: 20.05.2026 15:51 Sources 1

About this happening: **Webworm** expanded its malware arsenal in **2025** with the custom backdoors **EchoCreep** and **GraphWorm**, increasing its ability to run stealthy **command-and-control** oper...

Vidar infostealer market rise and distribution expansion

Malware Activity
First: 28.04.2026 22:07 Last: 28.04.2026 22:07 Sources 1

About this happening: **Vidar** remains a long-running **infostealer** threat, and **Aryaka** reported a fresh campaign in **recent weeks** that adds **new obfuscation techniques** and stronger **steal...

JanelaRAT malware activity targeting Latin American banks

Malware Activity
First: 13.04.2026 20:15 Last: 13.04.2026 20:15 Sources 1

About this happening: **JanelaRAT** continues targeting **Latin American banks and financial institutions**, with telemetry showing **14,739 attacks in Brazil** in **2025** and **11,695 in Mexico**, ra...

Vidar Stealer 2.0 fake game-cheat distribution

Malware Activity
First: 18.03.2026 13:15 Last: 18.03.2026 13:15 Sources 1

About this happening: The **Vidar Stealer 2.0** malware is being spread through **fake game-cheat repositories** and **Reddit lures**, putting players seeking cheats for major online games at risk of *...

Infy (aka Prince of Persia) renewed C2 campaign after Iran blackout

Campaign
First: 05.02.2026 12:25 Last: 05.02.2026 12:25 Sources 1

About this happening: **Infy (aka Prince of Persia)**, an **Iranian APT**, is still running a covert campaign across **Iran, Iraq, Turkey, India, Canada, and Europe** using updated **Foudre v34** and *...

Timeline

  1. 01.12.2025 07:07 2 articles · 5mo ago

    Tomiris campaign uses Discord and Telegram C2 against government targets

    Initial Disclosure

    Kaspersky reported that the 2025 Tomiris campaign targeted foreign ministries, intergovernmental organizations, and government entities in Russia. The phishing emails carried password-protected RAR archives containing a *.doc.exe decoy; the decoy dropped reverse shells and custom implants used to establish remote access, persist on Windows systems, and fetch next-stage tools such as AdaptixC2 and Havoc, with command-and-control traffic blended into legitimate Discord and Telegram activity.
