Caramel Tsunami (formerly SOURGUM) generally sells cyberweapons, usually malware and zero-day exploits, as a part of a hacking-as-a-service package sold to government agencies and other malicious actors. Caramel Tsunami appears to use a chain of browser and Windows exploits, including 0-days, to install malware on victim boxes. Browser exploits appear to be served via single-use URLs sent to targets on messaging applications such as WhatsApp. The malware Caramel Tsunami installs is DevilsTongue, a complex modular multi-threaded piece of malware written in C and C++ with several novel capabilities.
Nation State Actor
Caramel Tsunami
Country of origin: Industries targeted:
North Korea Private sector individuals
Politicians
Countries targeted:
Human rights activists
Armenia
Journalists
Iran
Academics
Israel
Embassy workers
Lebanon
Political dissidents
Singapore
Spain
Turkey
United Kingdom
Yemen