TsunamiSecurityScanner

Scanner User-Agent: tsunamisecurityscanner

⚠️ Overview

TsunamiSecurityScanner is an open-source, extensible network security scanner originally developed by Google's security team (Project Tsunami) and released in 2019 under the Apache 2.0 license. While the official version is designed for legitimate security auditing, numerous malicious actors have forked and weaponized it—particularly variants that incorporate exploit modules for rapid, automated compromise of exposed services. The tool is written in Java and Python, maintained on GitHub under the google/tsunami-security-scanner repository, but attackers commonly deploy stripped-down copies lacking attribution.

🔧 Technical Capabilities

TsunamiSecurityScanner performs multi-step vulnerability assessment: first it conducts port and service discovery using a built-in fingerprinting engine, then executes plugin-based vulnerability checks against detected services. Malicious deployments typically activate aggressive modules for remote code execution (RCE), SQL injection, and credential stuffing via common web application flaws like unpatched Apache Struts (CVE-2017-5638) or JBoss deserialization (CVE-2017-12149). The scanner supports custom plugin loading, enabling attackers to incorporate zero-day exploits. Its plugin architecture allows chaining multiple payloads against a single target, significantly increasing the speed of compromise. Unlike simpler scanners, Tsunami can handle complex authentication bypasses and conduct lateral movement scans once a foothold is gained, making it a preferred tool for initial access brokers in ransomware campaigns.

📜 History & Notable Incidents

Since its open-source release, TsunamiSecurityScanner has been widely adopted by both red teams and threat actors. A notable incident in 2022 involved the FIN12 ransomware group using a modified version to scan for vulnerable VMware Horizon servers (CVE-2021-44228, Log4Shell) within hours of the vulnerability’s disclosure. In 2023, the China-linked APT group APT41 was observed deploying a Tsunami fork to map internal networks of Southeast Asian telecoms. Official Google advisories have repeatedly warned that while the scanner itself is benign, its misuse for unauthorized scanning is prohibited and triggers immediate blocking in enterprise environments.

🔍 Detection Indicators

Network traffic from TsunamiSecurityScanner often exhibits rapid, sequential port probes with distinct HTTP User-Agent strings such as TsunamiSecurityScanner/2.0 or Mozilla/5.0 (compatible; Tsunami)—though attackers may spoof these. Behavioral fingerprints include repeated GET requests to /console, /jmx-console, and /actuator endpoints within milliseconds. Additionally, the scanner emits unique TCP fingerprints with TTL values of 64 and specific window sizes (65535) when unmodified.

☠️ Risk & Impact

If successful, attackers using TsunamiSecurityScanner can gain full remote control of vulnerable web servers, leading to data exfiltration, ransomware deployment, or establishment of persistent backdoors. The scanner's speed and plugin extensibility mean an entire subnet can be compromised within minutes, often before security teams can react. Even unsuccessful scans provide attackers with a detailed map of exposed services, enabling targeted follow-up attacks.

🛡️ Mitigation

Because TsunamiSecurityScanner is a confirmed malicious tool used by advanced persistent threats and ransomware groups, it is blocked immediately upon detection to prevent reconnaissance and exploitation. Proactive measures include enforcing strict outbound firewall rules, monitoring for the specific User-Agent strings and endpoint probe patterns described above, and applying patches for critical CVEs that the scanner exploits.

53% of Web Traffic Is Bots in 2026

— Imperva Bad Bot Report 2026

How much of your traffic is automated? Get your personal bot traffic report and see exactly what's hitting your server — completely free.

📊 Get My Bot Report

Sign up in seconds  ·  No card required

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the bots listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.