From 0e47e278795e51451c6fd2d4c4ef58b83d578a72 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Thu, 1 Feb 2024 11:01:57 -0800
Subject: [PATCH] [threat-actors] Add Carmine Tsunami
---
 clusters/threat-actor.json | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 6f0baff..7750c86 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -14206,6 +14206,22 @@
 },
 "uuid": "ef0d776a-51de-4965-ba1c-69ed256e0e5d",
 "value": "Pearl Sleet"
+ },
+ {
+ "description": "Carmine Tsunami is a threat actor linked to an Israel-based private sector offensive actor called QuaDream. QuaDream sells a platform called REIGN to governments for law enforcement purposes, which includes exploits, malware, and infrastructure for data exfiltration from mobile devices. Carmine Tsunami is associated with the iOS malware called KingsPawn and has targeted civil society victims, including journalists, political opposition figures, and NGO workers, in various regions. They utilize domain registrars and inexpensive cloud hosting providers, often using single domains per IP address and deploying free Let's Encrypt SSL certificates.",
+ "meta": {
+ "country": "IL",
+ "refs": [
+ "https://www.microsoft.com/en-us/security/blog/2023/04/11/dev-0196-quadreams-kingspawn-malware-used-to-target-civil-society-in-europe-north-america-the-middle-east-and-southeast-asia/",
+ "https://citizenlab.ca/2023/04/spyware-vendor-quadream-exploits-victims-customers/"
+ ],
+ "synonyms": [
+ "DEV-0196",
+ "QuaDream"
+ ]
+ },
+ "uuid": "fa76ce6a-f434-4d4a-817f-c4bd0a3f803c",
+ "value": "Carmine Tsunami"
 }
 ],
 "version": 298
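Review bot: The cluster's `"version": 298` on the last context line is left unchanged although this hunk adds a new entry, so consumers that decide whether to re-import the galaxy by comparing version numbers may not pick up Carmine Tsunami; unless a later commit in the series does it, bump it to `"version": 299` here. Separately, `"country": "IL"` and the `QuaDream` synonym describe the vendor, while the description itself says REIGN is sold to governments, so the operators behind a given intrusion are presumably the customers; analysts who key attribution or triage on `country` could misread this. A short clause in `description` stating that the country reflects the vendor's base rather than the operator's would make that explicit. The enclosing JSON array begins outside the hunk.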