Skip to content

S0671 Tomiris

Tomiris is a backdoor written in Go that continuously queries its C2 server for executables to download and execute on a victim system. It was first reported in September 2021 during an investigation of a successful DNS hijacking campaign against a Commonwealth of Independent States (CIS) member. Security researchers assess there are similarities between Tomiris and GoldMax.1

Item Value
ID S0671
Associated Names
Version 1.0
Created 29 December 2021
Last Modified 15 April 2022
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols Tomiris can use HTTP to establish C2 communications.1
enterprise T1005 Data from Local System Tomiris has the ability to collect recent files matching a hardcoded list of extensions prior to exfiltration.1
enterprise T1568 Dynamic Resolution Tomiris has connected to a signalization server that provides a URL and port, and then Tomiris sends a GET request to that URL to establish C2.1
enterprise T1041 Exfiltration Over C2 Channel Tomiris can upload files matching a hardcoded set of extensions, such as .doc, .docx, .pdf, and .rar, to its C2 server.1
enterprise T1105 Ingress Tool Transfer Tomiris can download files and execute them on a victim’s system.1
enterprise T1027 Obfuscated Files or Information -
enterprise T1027.002 Software Packing Tomiris has been packed with UPX.1
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task Tomiris has used SCHTASKS /CREATE /SC DAILY /TN StartDVL /TR "[path to self]" /ST 10:00 to establish persistence.1
enterprise T1497 Virtualization/Sandbox Evasion -
enterprise T1497.003 Time Based Evasion Tomiris has the ability to sleep for at least nine minutes to evade sandbox-based analysis systems.1