Advanced persistent threat (APT) actors rarely simply stop operations when their malware and techniques get exposed. Many just regroup, refresh their toolkits, and resume operations when the heat has died down a bit.
Such appears to be the case — at least circumstantially — with DarkHalo, the Russian-government affiliated threat actor behind the supply chain attack on SolarWinds that rattled the industry in a manner unlike any malicious campaign in recent memory.
Researchers at Kaspersky this week said they had detected a new backdoor they have dubbed “Tomiris,” which has multiple attributes that suggest a link to “Sunshuttle,” a second-stage malware that DarkHalo used in its SolarWinds campaign. These include the programming language used to write Tomiris, its obfuscation and persistence mechanisms, and the general workflow of the two malware samples.
Kaspersky discovered the Tomiris backdoor in June while investigating successful DNS hijacking incidents that impacted government agencies of a country that previously belonged to the Soviet Union and is now