Introduction
Denim Tsunami is a threat actor group that has been involved in targeted attacks against European and Central American customers. They have been observed using multiple Windows and Adobe 0-day exploits, including one for CVE-2022-22047, which is a privilege escalation vulnerability. Denim Tsunami developed a custom malware called Subzero, which has capabilities such as keylogging, capturing screenshots, data exfiltration, and running remote shells. They have also been associated with the Austrian spyware distributor DSIRF.
Activities and Tactics
Country of Origin: 🏳️ Austria
Notable Campaigns
Information pending cataloguing.
Tactics, Techniques, and Procedures (TTPs)
Information pending cataloguing.
Notable Indicators of Compromise (IOCs)
No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.
Malware and Tools
- RemoteCMD
- Remote Utilities
- Windows Remote Desktop
- RemotePC
- Xploit
- Chisel:
- mimikatz:
- SharpHound3:
- Curl:
- Ping Castle:
- SharpOxidResolver:
- Grouper2:
- Rubeus:
- PharpPrinter:
- Internal Monologue:
- SCShell:
- SpoolSample:
- Inveigh:
- Seatbelt:
- StandIn:
- Lockless:
- SharpExec:
- Subzero:
- Jumplump:
Attribution and Evidence
Country of Origin: Austria Additional attribution information pending cataloguing.
References
References pending cataloguing.