[threat-actors] Add Caramel Tsunami

2024-02-01 11:01:58 -08:00 · 2024-02-01 11:01:58 -08:00 · d1dae2085b
parent ac0fdd61ea
commit d1dae2085b
1 changed files with 19 additions and 0 deletions
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@ -14254,6 +14254,25 @@
      },
      "uuid": "7db46444-2d27-4922-8a21-98f8509476dc",
      "value": "UNC4990"
+    },
+    {
+      "description": "Caramel Tsunami is a threat actor that specializes in spyware attacks. They have recently resurfaced with an updated toolset and zero-day exploits, targeting specific victims through watering hole attacks. Candiru has been observed exploiting vulnerabilities in popular browsers like Google Chrome and using third-party signed drivers to gain access to the Windows kernel. They have also been linked to other spyware vendors and have been associated with extensive abuses of their surveillance tools.",
+      "meta": {
+        "refs": [
+          "https://decoded.avast.io/threatresearch/avast-q2-2022-threat-report/",
+          "https://decoded.avast.io/janvojtesek/the-return-of-candiru-zero-days-in-the-middle-east/",
+          "https://citizenlab.ca/2022/04/catalangate-extensive-mercenary-spyware-operation-against-catalans-using-pegasus-candiru/",
+          "https://citizenlab.ca/2021/12/pegasus-vs-predator-dissidents-doubly-infected-iphone-reveals-cytrox-mercenary-spyware/",
+          "https://www.welivesecurity.com/2021/11/16/strategic-web-compromises-middle-east-pinch-candiru/",
+          "https://www.microsoft.com/en-us/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/"
+        ],
+        "synonyms": [
+          "SOURGUM",
+          "Candiru"
+        ]
+      },
+      "uuid": "062938a2-6fa1-4217-ad73-f5e0b5186966",
+      "value": "Caramel Tsunami"
    }
  ],
  "version": 298