
S0671: Tomiris

Tomiris is a backdoor written in Go that continuously queries its C2 server for executables to download and execute on a victim system. It was first reported in September 2021 during an investigation of a successful DNS hijacking campaign against a Commonwealth of Independent States (CIS) member. Security researchers assess there are similarities between Tomiris and GoldMax.[1]

Domain: Enterprise. ID: S0671. Type: Malware. Object version: 1.0.
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

Tomiris matters because it is described as a Go-based backdoor that repeatedly contacts command-and-control infrastructure to retrieve and run additional executables. For leaders, the practical risk is not just one malware family; it is the operating model: a foothold that can receive new tooling, collect local data, and potentially exfiltrate over the same C2 path while using techniques intended to blend in or resist analysis.

Executive priority

Prioritize validation of egress control, DNS/web monitoring, endpoint execution visibility, and incident response procedures for backdoors that can fetch second-stage payloads. Because the ATT&CK record does not specify Tomiris platforms or provide detection guidance, executives should ask whether existing controls demonstrably cover the related behaviors: dynamic C2 resolution, web-protocol C2, ingress tool transfer, local data collection, C2-channel exfiltration, packing, time-based sandbox evasion, and scheduled task persistence where Windows is in scope.

Technical view

SOC and IR teams should treat this object as a behavior cluster around C2-enabled payload delivery and follow-on execution. Validate telemetry for processes that initiate unusual web/DNS activity, download executables, create or launch newly written binaries, collect local files, and move data over established C2 channels. Relationship context adds Windows Scheduled Task persistence, Software Packing, Time Based Checks, Dynamic Resolution, Web Protocol C2, Ingress Tool Transfer, Data from Local System, and Exfiltration Over C2 Channel; however, Tomiris itself has no official platform or detection text in the supplied ATT&CK fields.

Likely telemetry

  • Endpoint process creation and parent-child process lineage
  • File creation and executable write events
  • Network connections using web protocols
  • DNS query and resolution history
  • Proxy, firewall, and egress logs

Detection direction

  • Baseline normal DNS and web egress so dynamic resolution and unusual C2 polling stand out without relying only on known indicators.
  • Correlate executable downloads with subsequent process execution, especially when the initiating process has no business reason to retrieve and run binaries.
  • Monitor for local data staging or collection followed by outbound traffic over the same communication path.
  • Tune scheduled task detections for unexpected task creation, modified actions, suspicious binary paths, and unusual accounts in Windows environments.
  • Account for packed binaries and time-based checks as analysis and signature-evasion risks; sandbox-only results may be incomplete when a sample sleeps past the analysis window.
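As an added example (not Glexia's or MITRE's code, and not derived from Tomiris samples), the following Python runs two of the correlations above over constructed endpoint events: an executable written to a user-writable path and started shortly afterwards, and a `schtasks /CREATE` whose `/TR` action points at such a path, the shape of the StartDVL task quoted later on this page. The event tuple layout, file paths, process names and timestamps are all assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs): (timestamp, event type, process, path or command line)
EVENTS = [
    ("2021-12-01T10:00:00", "file_write", "updater.exe",
     r"C:\Users\alice\AppData\Local\Temp\svc.exe"),
    ("2021-12-01T10:00:05", "process_start", "svc.exe",
     r"C:\Users\alice\AppData\Local\Temp\svc.exe"),
    ("2021-12-01T10:00:07", "process_start", "schtasks.exe",
     r'SCHTASKS /CREATE /SC DAILY /TN StartDVL /TR "C:\Users\alice\AppData\Local\Temp\svc.exe" /ST 10:00'),
    ("2021-12-01T11:30:00", "file_write", "msiexec.exe", r"C:\Program Files\Vendor\app.exe"),
    ("2021-12-01T11:30:02", "process_start", "app.exe", r"C:\Program Files\Vendor\app.exe"),
    ("2021-12-01T12:00:00", "process_start", "schtasks.exe",
     r'SCHTASKS /CREATE /SC WEEKLY /TN Backup /TR "C:\Program Files\Vendor\backup.exe"'),
]

# Directories an unprivileged user can write to; a binary dropped here and then
# launched or scheduled is the download-then-execute shape described above.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
EXECUTABLE_EXT = (".exe", ".dll", ".scr", ".com")
TR_ARG = re.compile(r'/TR\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)


def in_user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def write_then_execute(events, window=timedelta(minutes=5)):
    """Executables written and then started within `window` from a user-writable path."""
    writes, hits = {}, []
    for ts, kind, _proc, target in events:
        t, key = datetime.fromisoformat(ts), target.lower()
        if kind == "file_write" and key.endswith(EXECUTABLE_EXT):
            writes[key] = t
        elif kind == "process_start" and key in writes:
            # Installer writes under Program Files are ignored; Temp/AppData drops are kept.
            if t - writes[key] <= window and in_user_writable(key):
                hits.append(target)
    return hits


def suspicious_schtasks(events):
    """(command line, /TR target) for schtasks /CREATE whose action is a user-writable path."""
    hits = []
    for _ts, kind, proc, cmd in events:
        if kind != "process_start" or proc.lower() != "schtasks.exe" or "/create" not in cmd.lower():
            continue
        match = TR_ARG.search(cmd)  # quoted or bare /TR argument
        target = match.group(1) or match.group(2) if match else None
        if target and in_user_writable(target):
            hits.append((cmd, target))
    return hits
```

Both functions return the matching events rather than printing them, so the same logic can be dropped behind a real event source and the user-writable markers tuned to the environment's own baseline.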

Mitigation priorities

  • Restrict unnecessary outbound web and DNS access and require logging at egress points.
  • Harden endpoint execution controls to reduce unapproved executable download and launch paths.
  • Maintain visibility into scheduled task changes on Windows systems where applicable.
  • Use allowlisting, least privilege, and controlled software installation paths to limit follow-on payload execution.
  • Prepare IR playbooks to preserve endpoint, DNS, proxy, and firewall evidence when a backdoor or downloader is suspected.

Analyst notes and limits

The strongest decision value is in the related behaviors: Tomiris is a backdoor with relationships to command-and-control, ingress tool transfer, collection, exfiltration, stealth, discovery, and Windows scheduled task persistence techniques. Its reported context includes a DNS hijacking campaign against a CIS member and noted similarities to GoldMax, but this take does not infer attribution or active exploitation beyond the supplied fields.

Official ATT&CK detection guidance is not provided, Tomiris platforms are not specified, and aliases/labels/tactics are not listed on the supplied object. Local environment telemetry, asset scope, and control configuration are required to determine actual exposure or detection coverage.

Official MITRE ATT&CK definition

Tomiris

Tomiris is a backdoor written in Go that continuously queries its C2 server for executables to download and execute on a victim system. It was first reported in September 2021 during an investigation of a successful DNS hijacking campaign against a Commonwealth of Independent States (CIS) member. Security researchers assess there are similarities between Tomiris and GoldMax.[1]


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
Enterprise | T1568 | Dynamic Resolution | Tomiris has connected to a signalization server that provides a URL and port, and then Tomiris sends a GET request to that URL to establish C2.[1]
Enterprise | T1071.001 | Web Protocols (sub-technique) | Tomiris can use HTTP to establish C2 communications.[1]
Enterprise | T1053.005 | Scheduled Task (sub-technique) | Tomiris has used `SCHTASKS /CREATE /SC DAILY /TN StartDVL /TR "[path to self]" /ST 10:00` to establish persistence.[1]
Enterprise | T1497.003 | Time Based Checks (sub-technique) | Tomiris has the ability to sleep for at least nine minutes to evade sandbox-based analysis systems.[1]
Enterprise | T1027.002 | Software Packing (sub-technique) | Tomiris has been packed with UPX.[1]
Enterprise | T1005 | Data from Local System | Tomiris has the ability to collect recent files matching a hardcoded list of extensions prior to exfiltration.[1]
Enterprise | T1105 | Ingress Tool Transfer | Tomiris can download files and execute them on a victim's system.[1]
Enterprise | T1041 | Exfiltration Over C2 Channel | Tomiris can upload files matching a hardcoded set of extensions, such as .doc, .docx, .pdf, and .rar, to its C2 server.[1]


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: (not populated)
Modified: (not populated)
Raw hash: bf2f7c093dcfb1fc...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | (not populated) | 1.0 | (not populated) | Current bundle | bf2f7c093dcf…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Kaspersky Tomiris Sep 2021: Kwiatkowski, I. and Delcher, P. (2021, September 29). DarkHalo After SolarWinds: the Tomiris connection. Retrieved December 27, 2021.
  2. [2] mitre-attack S0671.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.