TsunamiKit
Intelligence Profile
TsunamiKit is a multi-stage malware toolkit written in Python and .NET.
The execution chain consists of several modules—including TsunamiLoader, TsunamiInjector, TsunamiInstaller, TsunamiPayload and the core TsunamiClient. The name is derived from the developer's recurring use of "Tsunami" in its components, e.g. "C# Tsunami Dist Version 3.0.0" or "Tsunami Stable\Tsunami Payload".
The primary purpose of the core module depends on the variant. It either carries out information theft by exfiltrating browser data, or monetize its presence by dropping cryptocurrency miners like XMRig and NBMiner. It also fingerprints the compromised system and uses the Tor network for command-and-control (C&C) communication.
While it was delivered by the InvisibleFerret malware in November 2024, older samples dating back to November 2021 suggest TsunamiKit is a pre-existing dark web project adapted by the APT actors.
Threat Analysis
TsunamiKit is a advanced-sophistication threat actor of undetermined national origin, engaged in cyber operations with a primary motivation of espionage.
The group's espionage-oriented operations suggest a state-sponsored or state-aligned mandate, typically focused on stealing intellectual property, government secrets, or military intelligence. Targets are usually selected for strategic value rather than financial gain.
Classified as an advanced threat actor, TsunamiKit likely develops or acquires zero-day exploits, employs custom malware toolchains, and demonstrates long-term persistence capabilities — hallmarks of a well-resourced operation consistent with nation-state backing.