Tsunami
Tsunami is a Linux malware family and IRC-controlled bot/backdoor most commonly associated with distributed denial-of-service (DDoS) activity and remote control of compromised systems. The content consistently describes it as an IRC bot that communicates with command-and-control infrastructure over Internet Relay Chat, supports DDoS attacks, and provides backdoor functionality for remote access. It has been observed as an ELF payload, including x86_64 samples, and is frequently detected under names such as Tsunami/Kaiten and TsunamiKit.
The malware has been delivered through multiple intrusion chains and exploitation campaigns. Reported infection vectors include Shellshock exploitation, Apache Log4j exploitation via related botnet activity, malicious VS Code task configuration abuse in the DPRK-linked Contagious Interview campaign, exploitation of Oracle WebLogic and Confluence vulnerabilities by the 8220 gang, and post-compromise deployment on exposed or weakly secured Linux and SSH-accessible systems. It has also been distributed to both IoT/embedded Linux devices and conventional Linux servers.
Capabilities directly mentioned in the content include IRC-based command-and-control, DDoS execution, backdoor access, and use as part of broader botnet operations. Tsunami is also referenced as a component or ancestor in related malware families and operations: Remaiten combines features from Tsunami and LizardStresser/Torlus; Muhstik is described as a Tsunami variant borrowing Mirai code; RapperBot code was reportedly derived in part from Tsunami; and SSHStalker deploys Tsunami/Keiten alongside other IRC bot components.
Threat actor and campaign associations in the content include the China-linked 8220/Water Sigbin cryptomining gang, which deploys Tsunami alongside PwnRig and other tooling; DPRK-linked Contagious Interview activity, where reporting linked VS Code task abuse to deployment of a Tsunami/TsunamiKit backdoor and XMRig; and opportunistic Linux botnet operators targeting SSH-exposed systems. Targeted environments mentioned include Linux servers, cloud workloads, routers, embedded/IoT devices, and organizations in cryptocurrency, fintech, and blockchain sectors when TsunamiKit was used in developer-focused campaigns.
High-confidence indicators and artifacts mentioned include MD5 aec2df8a6cb35aa5b01b0d9f1f879aa1 for a Shellshock-delivered x86_64 ELF Tsunami/Kaiten sample communicating over IRC to 104.192.103.6; MD5 63a86932a5bad5da32ebd1689aa814b3 and 0ba9e6dcfc7451e386704b2846b7e440 for Tsunami samples/backdoor files used in 8220-related activity; and IRC/C2 details from one 8220-linked Tsunami configuration including channel #.br, password ircbot456@, and infrastructure such as c4k-ircd.pwndns.pw, pwn.oracleservice.top, and 51.255.171.23 on ports 80 and 443. ClamAV detections cited include Unix.Malware.Tsunami and Unix.Malware.Tsunami-9915807-0.
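The IRC command-and-control traits and published indicators above translate directly into detection logic. The following added example (not code from this page or from any vendor cited on it) scans constructed connection-log lines for the C2 hosts, the #.br channel and the ircbot456@ password quoted above, and for IRC registration commands sent to ports 80 and 443, which the 8220-linked configuration uses instead of a conventional IRC port; the log format and sample lines are assumptions built for the example.

```python
import re

# Indicators quoted on this page: the Shellshock-delivered sample's IRC server plus the 8220-linked servers, channel and password.
KNOWN_C2_HOSTS = {"104.192.103.6", "51.255.171.23", "c4k-ircd.pwndns.pw", "pwn.oracleservice.top"}
KNOWN_CHANNELS = {"#.br"}
KNOWN_PASSWORDS = {"ircbot456@"}
WEB_PORTS = {80, 443}  # the published configuration talks IRC over these, not 6667

# IRC client commands a bot sends while registering and joining its control channel.
IRC_CMD = re.compile(r"^(NICK|USER|PASS|JOIN|PRIVMSG|PONG)\b", re.IGNORECASE)
# Constructed log format (an assumption): "<ts> <src> -> <dst_host>:<dst_port> | <first payload line>"
LOG_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) \| (.*)$")


def analyze(lines):
    """Return (line_no, dst, port, reasons) for each log line showing Tsunami-style IRC C2 traits."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; nothing to inspect
        _ts, _src, dst, port, payload = m.groups()
        port, reasons = int(port), []
        if dst in KNOWN_C2_HOSTS:
            reasons.append("destination matches a published Tsunami C2 indicator")
        if IRC_CMD.match(payload):
            cmd, _, args = payload.partition(" ")
            cmd, parts = cmd.upper(), args.split()
            if port in WEB_PORTS:  # IRC handshake on a web port is what the published config implies
                reasons.append(f"IRC {cmd} sent to web port {port}")
            if cmd == "JOIN" and parts and parts[0] in KNOWN_CHANNELS:
                reasons.append("joins the channel named in the published configuration")
            # the password may travel as a JOIN key or as a PASS argument; check both
            if (cmd == "JOIN" and len(parts) > 1 and parts[1] in KNOWN_PASSWORDS) or \
               (cmd == "PASS" and parts and parts[0] in KNOWN_PASSWORDS):
                reasons.append("uses the published IRC password")
        if reasons:
            findings.append((n, dst, port, reasons))
    return findings


# Constructed sample traffic, not captured data.
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z 10.0.0.5 -> 51.255.171.23:443 | NICK fhsqz",
    "2024-05-01T10:00:01Z 10.0.0.5 -> 51.255.171.23:443 | JOIN #.br ircbot456@",
    "2024-05-01T10:00:02Z 10.0.0.7 -> www.example.com:443 | GET / HTTP/1.1",
    "2024-05-01T10:00:03Z 10.0.0.9 -> irc.example.net:6667 | JOIN #.br ircbot456@",
]

if __name__ == "__main__":
    for n, dst, port, reasons in analyze(SAMPLE_LOG):
        print(f"line {n} -> {dst}:{port}: " + "; ".join(reasons))
```

The channel and password checks fire even when the server is not a listed indicator, which is the case worth watching once the published infrastructure has moved.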
Vulnerabilities exploited
6 CVEs Mallory has correlated with this family across public research and vendor advisories.
The downloaded payload (md5: aec2df8a6cb35aa5b01b0d9f1f879aa1) is an x86_64 ELF executable that was submitted to VirusTotal and detected by many vendors as Tsunami/Kaiten. It mainly functions as a DDoS client, but also has backdoor capabilities, communicating over IRC.
ClamAV signatures include "Unix.Malware.Tsunami" in the list of malware activity associated with ongoing exploitation campaigns.
"Tsunami, a Linux-based malware used primarily for Distributed Denial of Service (DDoS) attacks, is also a key component of both infection chains."
Currently, there are few samples, and the following vulnerabilities are exploited: CVE-2020-14882.
Groups observed using it
4 distinct threat actors attributed by public researchers.
Indicators of Compromise ... 37cb34a044c70d1acea5a3a91580b7bfc2a8e687 ELF binary, potentially Tsunami
“bi.64 -> Tsunami… Tsunami is a popular botnet that controls and communicates through the IRC protocol. Its main functions include remote control and DDoS attacks.”
Listed in several Lazarus/BeaverTail/InvisibleFerret related items as “tsunami,” including “Lazarus Tsunami InvisibleFerret.”
Techniques & procedures
7 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development: 1 technique
Defense Impairment: 1 technique
Credential Access: 1 technique
Command and Control: 2 techniques
Impact: 2 techniques
Authorities claim they’ve gained control of Rapper Bot and stopped attacks emanating from what they described as “among the most powerful DDoS botnets to have ever existed.” ... Rapper Bot allegedly conducted more than 370,000 attacks... Officials said Rapper Bot regularly conducted DDoS attacks measured between two to three terabits per second, adding that Rapper Bot’s largest attack may have exceeded six terabits per second.
IOCs tracked for this family
7 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
19 sources tracked across advisories, community write-ups, and news.
A named malware family included in the report tags related to Linux SSH server threats.
Referenced as a Linux botnet family known for using altered UPX magic bytes in packed ELF32 binaries.
Referenced as a known Linux IRC bot family/toolkit component used within the SSHStalker ecosystem for IRC-based bot functionality.
Legacy IRC-controlled botnet malware referenced as part of the SSHStalker toolkit; samples/components were detected as “Win.Trojan.Tsunami-5” and include IRC bot behavior and DDoS-style routines.