Nation State Actor 

Caramel Tsunami

Caramel Tsunami (formerly SOURGUM) sells cyberweapons, typically malware and zero-day exploits, as part of a hacking-as-a-service package offered to government agencies and other malicious actors. Caramel Tsunami appears to use a chain of browser and Windows exploits, including zero-days, to install malware on victims' devices. The browser exploits are served through single-use URLs sent to targets over messaging applications such as WhatsApp, so the exploit page is delivered only once and is difficult to retrieve afterward. The malware Caramel Tsunami installs is DevilsTongue, a complex, modular, multi-threaded piece of malware written in C and C++ with several novel capabilities.

Country of origin: Israel

Countries targeted:
Armenia
Iran
Israel
Lebanon
Singapore
Spain
Turkey
United Kingdom
Yemen

Industries targeted:
Private sector individuals
Politicians
Human rights activists
Journalists
Academics
Embassy workers
Political dissidents

Microsoft Threat Intelligence: Recent Caramel Tsunami Articles

Exposing POLONIUM activity and infrastructure targeting Israeli organizations

Protecting customers from a private-sector offensive actor using 0-day exploits and DevilsTongue malware

Fighting cyberweapons built by private businesses