Caramel Tsunami  (Back to overview)

aka: Candiru, SOURGUM

Caramel Tsunami is a threat actor that specializes in spyware attacks. They have recently resurfaced with an updated toolset and zero-day exploits, targeting specific victims through watering hole attacks. Candiru has been observed exploiting vulnerabilities in popular browsers like Google Chrome and using third-party signed drivers to gain access to the Windows kernel. They have also been linked to other spyware vendors and have been associated with extensive abuses of their surveillance tools.

Associated Families

There are currently no families associated with this actor.

2022-08-10Avast DecodedThreat Research Team
Avast Q2/2022 Threat Report: Farewell to Conti, Zloader, and Maldocs; Hello Resurrection of Raccoon Stealer, and more Ransomware Attacks
Conti Raccoon RecordBreaker Zloader Caramel Tsunami
2022-07-21Avast DecodedJan Vojtěšek
The Return of Candiru: Zero-days in the Middle East
Caramel Tsunami
2022-04-18CitizenLabBahr Abdul Razzak, Bill Marczak, Elies Campo, Gözde Böcü, John Scott-Railton, Ron Deibert, Salvatore Solimano, Siena Anstis
CatalanGate Extensive Mercenary Spyware Operation against Catalans Using Pegasus and Candiru
Chrysaor Caramel Tsunami
2021-12-16CitizenLabBahr Abdul Razzak, Bill Marczak, John Scott-Railton, Kristin Berdan, Noura Al-Jizawi, Ron Deibert, Siena Anstis
Pegasus vs. Predator: Dissident's Doubly-Infected iPhone Reveals Cytrox Mercenary Spyware
Chrysaor Caramel Tsunami
2021-11-16ESET ResearchMatthieu Faou
Strategic web compromises in the Middle East with a pinch of Candiru
Caramel Tsunami Karkadann
2021-07-15MicrosoftMicrosoft Threat Intelligence
Protecting customers from a private-sector offensive actor using 0-day exploits and DevilsTongue malware
Caramel Tsunami

Credits: MISP Project