Skip to content

Hide Navigation Hide TOC

Tomiris - S0671 (327b3a25-9e60-4431-b3b6-93b9c64eacbc)

Tomiris is a backdoor written in Go that continuously queries its C2 server for executables to download and execute on a victim system. It was first reported in September 2021 during an investigation of a successful DNS hijacking campaign against a Commonwealth of Independent States (CIS) member. Security researchers assess there are similarities between Tomiris and GoldMax.(Citation: Kaspersky Tomiris Sep 2021)

Cluster A Galaxy A Cluster B Galaxy B Level
Tomiris - S0671 (327b3a25-9e60-4431-b3b6-93b9c64eacbc) Malware Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 1
Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) Attack Pattern Tomiris - S0671 (327b3a25-9e60-4431-b3b6-93b9c64eacbc) Malware 1
Tomiris - S0671 (327b3a25-9e60-4431-b3b6-93b9c64eacbc) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 1
Time Based Evasion - T1497.003 (4bed873f-0b7d-41d4-b93a-b6905d1f90b0) Attack Pattern Tomiris - S0671 (327b3a25-9e60-4431-b3b6-93b9c64eacbc) Malware 1
Dynamic Resolution - T1568 (7bd9c723-2f78-4309-82c5-47cad406572b) Attack Pattern Tomiris - S0671 (327b3a25-9e60-4431-b3b6-93b9c64eacbc) Malware 1
Tomiris - S0671 (327b3a25-9e60-4431-b3b6-93b9c64eacbc) Malware Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern 1
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern Tomiris - S0671 (327b3a25-9e60-4431-b3b6-93b9c64eacbc) Malware 1
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern Tomiris - S0671 (327b3a25-9e60-4431-b3b6-93b9c64eacbc) Malware 1
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) Attack Pattern 2
Time Based Evasion - T1497.003 (4bed873f-0b7d-41d4-b93a-b6905d1f90b0) Attack Pattern Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d) Attack Pattern 2
Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) Attack Pattern Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern 2