From d1dae2085bd104d69a6eb5b85c8e379617c39148 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Thu, 1 Feb 2024 11:01:58 -0800 Subject: [PATCH] [threat-actors] Add Caramel Tsunami --- clusters/threat-actor.json | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index b4edca6..da980d7 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -14254,6 +14254,25 @@ }, "uuid": "7db46444-2d27-4922-8a21-98f8509476dc", "value": "UNC4990" + }, + { + "description": "Caramel Tsunami is a threat actor that specializes in spyware attacks. They have recently resurfaced with an updated toolset and zero-day exploits, targeting specific victims through watering hole attacks. Candiru has been observed exploiting vulnerabilities in popular browsers like Google Chrome and using third-party signed drivers to gain access to the Windows kernel. They have also been linked to other spyware vendors and have been associated with extensive abuses of their surveillance tools.", + "meta": { + "refs": [ + "https://decoded.avast.io/threatresearch/avast-q2-2022-threat-report/", + "https://decoded.avast.io/janvojtesek/the-return-of-candiru-zero-days-in-the-middle-east/", + "https://citizenlab.ca/2022/04/catalangate-extensive-mercenary-spyware-operation-against-catalans-using-pegasus-candiru/", + "https://citizenlab.ca/2021/12/pegasus-vs-predator-dissidents-doubly-infected-iphone-reveals-cytrox-mercenary-spyware/", + "https://www.welivesecurity.com/2021/11/16/strategic-web-compromises-middle-east-pinch-candiru/", + "https://www.microsoft.com/en-us/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/" + ], + "synonyms": [ + "SOURGUM", + "Candiru" + ] + }, + "uuid": "062938a2-6fa1-4217-ad73-f5e0b5186966", + "value": "Caramel Tsunami" } ], "version": 298