Threat Group Cards: A Threat Actor Encyclopedia
Archived: 2026-04-05 19:12:10 UTC
Home > List all groups > List all tools > List all groups using tool Tomiris
 Tool: Tomiris
Names Tomiris
Category Malware
Type Backdoor
Description
(Kaspersky) Tomiris is a backdoor written in Go whose role is to continuously query its
C2 server for executables to download and execute on the victim system. Before
performing any operations, it sleeps for at least nine minutes in a possible attempt to
defeat sandbox-based analysis systems.
(Kaspersky) The backdoor, dubbed Tomiris, bears a number of similarities to the
second-stage malware, Sunshuttle (aka GoldMax), used by DarkHalo last year.
However, there are also a number of overlaps between Tomiris and Kazuar, a backdoor
that has been linked to the Turla APT threat actor. None of the similarities is enough to
link Tomiris and Sunshuttle with high confidence. However, taken together they suggest
the possibility of common authorship or shared development practices.
Information
MITRE ATT&CK Malpedia Last change to this tool card: 26 April 2023
Download this tool card in JSON format
All groups using tool Tomiris
Changed Name Country Observed
APT groups
https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=ef8ea9c8-3129-4a0a-b6ac-de68286feb5e
Page 1 of 2

Tomiris [Unknown] 2020  
1 group listed (1 APT, 0 other, 0 unknown)
Source: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=ef8ea9c8-3129-4a0a-b6ac-de68286feb5e
https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=ef8ea9c8-3129-4a0a-b6ac-de68286feb5e
Page 2 of 2