Saved February 14, 2026
Do you care about this?
The cyber group Tomiris has changed its strategy, using public services like Telegram and Discord for command-and-control in attacks against government entities in Central Asia. Their recent campaigns involve spear-phishing emails and malware that targets high-value political infrastructure, employing a variety of custom and open-source tools.
If you do, here's more
Tomiris, a threat actor focused on intelligence gathering in Central Asia, has shifted tactics to abuse public services like Telegram and Discord for command-and-control operations. Kaspersky researchers noted that more than half of the spear-phishing emails in this campaign were tailored with Russian names and Russian-language text, targeting Russian-speaking users and countries in Central Asia such as Turkmenistan and Uzbekistan. Routing C2 through these services aims to blend malicious activity with legitimate service traffic and so bypass detection.
The attacks leverage sophisticated malware techniques, including reverse shells and custom implants. Kaspersky's analysis revealed that the malware often arrives in password-protected RAR archives, with the password provided in the email body so that mail scanners cannot inspect the contents. Once the archived executable is run, it can drop various payloads, including reverse shells that collect system information and communicate with C2 servers. Several malware families have been identified, including Rust- and Python-based variants, with functionality ranging from reconnaissance to file harvesting.
Connections have been established between Tomiris and other threat groups, such as Storm-0473, linked to Kazakhstan. The malware arsenal reflects operational flexibility, featuring reverse shells and backdoors written in multiple programming languages like C#, Rust, and Go. These developments underscore Tomiris's focus on stealth and long-term persistence, particularly targeting political and diplomatic infrastructures.