A sophisticated malware framework dubbed “Tsunami” has emerged as an active threat, targeting users through a multi-stage infection chain and deploying an extensive arsenal of credential stealing and cryptomining capabilities.
Security researchers have linked this malware to the ongoing “Contagious Interview” campaign associated with North Korean threat actors, specifically the Lazarus Group.
The campaign, first observed in fall 2024, primarily focuses on cryptocurrency theft in software developer environments.
The attack begins with initial access through the chainloading of a malicious BeaverTail payload from a third-party domain, “api.npoint.io,” via a compromised private GitHub repository.
Once executed, the loader deploys the previously documented InvisibleFerret malware as an intermediate step in the infection chain.
This sophisticated social engineering approach targets victims through LinkedIn, where attackers pose as potential business partners to lure victims into executing the backdoored code.
HiSolutions researchers identified the comprehensive Tsunami framework during an investigation of cryptocurrency theft incidents.
Their analysis revealed that the malware relies on both the TOR network and Pastebin for command and control (C2) operations, demonstrating the threat actors’ efforts to maintain operational security while actively developing new tooling.
The Tsunami malware employs a modular structure with over 25 different components, including multiple browser credential stealers targeting Chrome, Firefox, Brave, Edge, and OperaGX.
It also incorporates cryptocurrency wallet compromise capabilities, focusing on Exodus and Ethereum wallets.
Two separate cryptominers, one for Monero and another for Ethereum, are deployed to monetize compromised systems, as evidenced by configuration files recovered during analysis.
According to the research, the malware’s development appears to be ongoing, with some modules like the botnet functionality still in early stages of implementation, suggesting the threat actors are continuously enhancing their capabilities.
Upon closer examination of Tsunami’s persistence mechanisms, the malware demonstrates sophisticated techniques to maintain access to compromised systems.
The Python-based launcher creates a “Windows Update Script.pyw” file in the Windows startup folder and installs a “Runtime Broker.exe” in a Microsoft Windows Applications directory.
For additional resilience, it creates scheduled tasks that trigger at user logon:
# Task action: run the installer (TSUNAMI_INSTALLER_PATH is the report's placeholder for the dropped binary)
$Action = New-ScheduledTaskAction -Execute "TSUNAMI_INSTALLER_PATH"
# Trigger: every interactive logon of the current user
$Trigger = New-ScheduledTaskTrigger -AtLogOn
$Principal = New-ScheduledTaskPrincipal -UserId $env:USERNAME -LogonType Interactive
# Default task settings; $Settings was used but not defined in the recovered snippet
$Settings = New-ScheduledTaskSettingsSet
# Registered under a name that mimics the legitimate RuntimeBroker.exe process
Register-ScheduledTask -Action $Action -Trigger $Trigger -Principal $Principal -Settings $Settings -TaskName "Runtime Broker"
The malware further implements extensive defense evasion by adding multiple Windows Defender exclusions and Windows Firewall rules.
It disables security features using PowerShell commands to ensure its persistent operation remains undetected.
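As an added example (not code from the HiSolutions report or from the malware), the following PowerShell audit checks a workstation for the persistence and evasion artefacts described above. The full path of the "Microsoft Windows Applications" directory is not given in the report, so the script assumes it sits under %LOCALAPPDATA%; adjust $appDir if your environment differs.

```powershell
# Defender-side audit for the Tsunami persistence artefacts named in the report.
# Assumption: the "Microsoft Windows Applications" directory lives under %LOCALAPPDATA%.
$findings = @()

# 1. Startup-folder launcher "Windows Update Script.pyw"
$startup = [Environment]::GetFolderPath('Startup')
$pyw = Join-Path $startup 'Windows Update Script.pyw'
if (Test-Path $pyw) { $findings += "Startup launcher present: $pyw" }

# 2. Dropped "Runtime Broker.exe" (note the space; the legitimate binary is System32\RuntimeBroker.exe)
$appDir = Join-Path $env:LOCALAPPDATA 'Microsoft Windows Applications'   # assumed location
$exe = Join-Path $appDir 'Runtime Broker.exe'
if (Test-Path $exe) { $findings += "Suspicious binary outside System32: $exe" }

# 3. Logon-triggered scheduled task named "Runtime Broker"
Get-ScheduledTask | Where-Object { $_.TaskName -like '*Runtime Broker*' } | ForEach-Object {
    $task = $_
    $logon = $task.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' }
    if ($logon) {
        foreach ($a in $task.Actions) {
            $findings += "Logon task '$($task.TaskName)' runs: $($a.Execute) $($a.Arguments)"
        }
    }
}

# 4. Defender exclusions that cover the malware's file names or directory
$mp = Get-MpPreference
foreach ($p in (@($mp.ExclusionPath) + @($mp.ExclusionProcess))) {
    if ($p -and ($p -match 'Runtime Broker|Windows Update Script|Microsoft Windows Applications')) {
        $findings += "Defender exclusion covers malware artefact: $p"
    }
}

# 5. Firewall allow rules whose program is the dropped binary
Get-NetFirewallRule -Action Allow | ForEach-Object {
    $prog = ($_ | Get-NetFirewallApplicationFilter).Program
    if ($prog -and $prog -match 'Runtime Broker\.exe') {
        $findings += "Firewall allow rule '$($_.DisplayName)' for $prog"
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'No Tsunami persistence artefacts found.' }
```

Run it in an elevated session, since Get-MpPreference and the firewall cmdlets need administrative rights to return complete results.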
The C2 infrastructure employs an onion domain (n34kr3z26f3jzp4ckmwuv5ipqyatumdxhgjgsmucc65jac56khdy5zqd.onion) accessible only through the bundled Tor client, making traffic analysis and blocking significantly more challenging for defenders.