Tomiris is a backdoor written in Go that continuously queries its C2 server for executables to download and execute on a victim system. It was first reported in September 2021 during an investigation of a successful DNS hijacking campaign against a Commonwealth of Independent States (CIS) member. Security researchers assess there are similarities between Tomiris and GoldMax.
|Enterprise||T1071||.001||Application Layer Protocol: Web Protocols|
|Enterprise||T1005||Data from Local System|
|Enterprise||T1041||Exfiltration Over C2 Channel|
|Enterprise||T1105||Ingress Tool Transfer|
|Enterprise||T1027||.002||Obfuscated Files or Information: Software Packing|
|Enterprise||T1053||.005||Scheduled Task/Job: Scheduled Task|
|Enterprise||T1497||.003||Virtualization/Sandbox Evasion: Time Based Evasion|