TsunamiKit
TsunamiKit is a multi-stage malware toolkit documented by ESET and associated with the North Korea-aligned DeceptiveDevelopment / Contagious Interview activity cluster. It is delivered in campaigns targeting software developers across Windows, Linux, and macOS, with particular emphasis on cryptocurrency and Web3-related victims, typically via fake recruiter personas, bogus interview processes, trojanized coding challenges, and ClickFix-style lures. Reporting also states that InvisibleFerret can fetch TsunamiKit from Pastebin in some infection chains.
The toolkit is designed for information theft and cryptocurrency theft. High-confidence reporting describes it as a .NET-centered toolkit composed of multiple Python and .NET droppers and installers, including components named TsunamiLoader, TsunamiInjector, TsunamiHardener, TsunamiInstaller, TsunamiClientInstaller, and TsunamiClient. Its execution chain includes persistence mechanisms, Microsoft Defender exclusions, system fingerprinting, download-and-execute functionality, a Tor network proxy, coinminers, and a final .NET spyware payload. TsunamiClient has been reported to drop XMRig and NBMiner. Earlier cited research also states TsunamiKit can profile systems, steal data, and retrieve additional payloads from a Tor (.onion) server.
ESET reported that DeceptiveDevelopment began using a new version of InvisibleFerret containing the TsunamiKit-related module in November 2024. TsunamiKit has also been described as deployed alongside other malware used by this ecosystem, including BeaverTail, InvisibleFerret, OtterCookie, Tropidoor, and AkdoorTea. The broader campaign supports North Korean fraudulent IT worker operations by stealing victim data, identities, and interview-related information.
Available reporting indicates TsunamiKit likely predates DeceptiveDevelopment’s known activity: ESET found related samples on VirusTotal dating to December 2021 and assessed that the toolkit is likely a modification of a dark web project rather than a new creation by the operators. Reported infrastructure and delivery artifacts include Pastebin-hosted retrieval in some cases and Tor-based payload access; cited Pastebin profile URLs include hxxps://pastebin[.]com/u/NotingRobe2871 and hxxps://pastebin[.]com/u/ShadowGates1462.
Groups observed using it
2 distinct threat actors attributed by public researchers.
This module contains a completely new toolkit named TsunamiKit by ESET, based on the developer's use of 'Tsunami' in the names of all of its components. It's also designed to steal information and cryptocurrency, and its execution chain includes multiple stages of droppers and installers written in Python and .NET, plus a Tor network proxy, coinminers, and the final .NET spyware payload.
...previously undocumented backdoor called AkdoorTea, along with tools like TsunamiKit and Tropidoor.
Techniques & procedures
15 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access: 1 technique
Execution: 2 techniques
Privilege Escalation: 1 technique
Stealth: 3 techniques
Discovery: 1 technique
Collection: 1 technique
Command and Control: 6 techniques
“AkdoorTea, BeaverTail, and Tropidoor communicate with C&C servers over HTTP/S.”
“...its execution chain includes multiple stages of droppers and installers written in Python and .NET, plus a Tor network proxy, coinminers, and the final .NET spyware payload.”
Impact: 1 technique
IOCs tracked for this family
2 indicators (IPs, domains, and DNS infrastructure) attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
7 sources tracked across advisories, community write-ups, and news.
A named malware/tool appearing in DPRK-linked campaigns, including Contagious Interview-related reporting.
Tool referenced as part of the same DPRK-linked developer-targeting campaign; no further details in excerpt.
Additional tool fetched by InvisibleFerret; used to profile systems, steal data, and retrieve additional payloads (including from a Tor .onion server, per earlier research).
A multi-stage toolkit designed to steal information and cryptocurrency. Its execution chain includes Python and .NET droppers and installers, a Tor network proxy, coinminers, and a final .NET spyware payload. ESET assesses it likely predates DeceptiveDevelopment and may be a modification of a dark web project.