Caramel Tsunami (formerly SOURGUM) sells cyberweapons, typically malware and zero-day exploits, as part of a hacking-as-a-service package offered to government agencies and other malicious actors. Caramel Tsunami appears to use a chain of browser and Windows exploits, including zero-days, to install malware on victims' machines. The browser exploits appear to be delivered via single-use URLs sent to targets over messaging applications such as WhatsApp. The malware Caramel Tsunami installs is DevilsTongue, a complex, modular, multithreaded piece of malware written in C and C++ with several novel capabilities.