SYMBOLCOMMON_NAMEaka. SYNONYMS
win.tsunamikit (Back to overview)

TsunamiKit

Actor(s): WageMole

TsunamiKit is a multi-stage malware toolkit written in Python and .NET.

The execution chain consists of several modules—including TsunamiLoader, TsunamiInjector, TsunamiInstaller, TsunamiPayload and the core TsunamiClient. The name is derived from the developer's recurring use of "Tsunami" in its components, e.g. "C# Tsunami Dist Version 3.0.0" or "Tsunami Stable\Tsunami Payload".

The primary purpose of the core module depends on the variant. It either carries out information theft by exfiltrating browser data, or monetize its presence by dropping cryptocurrency miners like XMRig and NBMiner. It also fingerprints the compromised system and uses the Tor network for command-and-control (C&C) communication.

While it was delivered by the InvisibleFerret malware in November 2024, older samples dating back to November 2021 suggest TsunamiKit is a pre-existing dark web project adapted by the APT actors.

References
2025-11-13NVISO LabsBart Parys, Efstratios Lontzetidis, Stef Collart
Contagious Interview Actors Now Utilize JSON Storage Services for Malware Delivery
BeaverTail OtterCookie InvisibleFerret Beavertail TsunamiKit
2025-09-25Virus BulletinMatěj Havránek, Peter Kálnai
DeceptiveDevelopment: From primitive crypto theft to sophisticated AI-based deception
BeaverTail OtterCookie InvisibleFerret PylangGhost AkdoorTea GolangGhost Tropidoor TsunamiKit
2025-09-25ESET ResearchMatěj Havránek, Peter Kálnai
DeceptiveDevelopment: From primitive crypto theft to sophisticated AI-based deception
BeaverTail OtterCookie InvisibleFerret PylangGhost AkdoorTea GolangGhost Tropidoor TsunamiKit
2025-04-25HiSolutionsMaik Würth, Mateo Mrvelj, Nicolas Sprenger
Rolling in the Deep(Web): Lazarus Tsunami
InvisibleFerret tsunami TsunamiKit
2024-11-26ArxivAlessio Di Santo
Lazarus Group Targets Crypto-Wallets and Financial Data while employing new Tradecrafts
BeaverTail InvisibleFerret tsunami TsunamiKit

There is no Yara-Signature yet.