SYMBOLCOMMON_NAMEaka. SYNONYMS
win.tsunamikit (Back to overview)

TsunamiKit

Actor(s): WageMole

TsunamiKit is a multi-stage malware toolkit written in Python and .NET.

The execution chain consists of several modules—including TsunamiLoader, TsunamiInjector, TsunamiInstaller, TsunamiPayload and the core TsunamiClient. The name is derived from the developer's recurring use of "Tsunami" in its components, e.g. "C# Tsunami Dist Version 3.0.0" or "Tsunami Stable\Tsunami Payload".

The primary purpose of the core module depends on the variant. It either carries out information theft by exfiltrating browser data, or monetize its presence by dropping cryptocurrency miners like XMRig and NBMiner. It also fingerprints the compromised system and uses the Tor network for command-and-control (C&C) communication.

While it was delivered by the InvisibleFerret malware in November 2024, older samples dating back to November 2021 suggest TsunamiKit is a pre-existing dark web project adapted by the APT actors.

References
2025-09-25Virus BulletinMatěj Havránek, Peter Kálnai
DeceptiveDevelopment: From primitive crypto theft to sophisticated AI-based deception
TsunamiKit

There is no Yara-Signature yet.