QuaDream is a private sector offensive actor and commercial spyware vendor. Microsoft tracks it as DEV-0196 and places it in the Tsunami family under the name Carmine Tsunami. Reporting associates QuaDream with the Reign spyware platform and lists it, alongside NSO Group and Intellexa, among the companies whose spyware has been identified on Apple iOS devices. The reporting states that QuaDream has regularly fielded zero-click, zero-day exploits against Apple and Android phones, and that it offered a capability to steal passwords and two-factor login codes from compromised devices.

Citizen Lab is cited as having assessed with medium confidence that the process path /private/var/db/com.apple.xpc.roleaccountd.staging/subridged, when observed on its own, could indicate a QuaDream-related infection. Because that assessment is medium confidence, the path is a triage lead to corroborate with other evidence rather than a standalone attribution. Tools from private sector offensive actors such as QuaDream have targeted dissidents, human rights defenders, journalists, civil society advocates, and private citizens. Known aliases and related designations in the reporting are QuaDream, DEV-0196, and Carmine Tsunami.
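The subridged process path above is the one concrete, host-level indicator on this page, so here is a small triage scanner for it. This is an added example, not code from Mallory, Citizen Lab, or any reporting on QuaDream: it searches a text artifact (a ps-style process listing or log export from a device) for the path and reports the medium-confidence verdict the reporting assigns to it when the path is seen alone. The sample input is constructed for the example. One assumption, noted in the code, is that on Darwin /var is a symlink to /private/var, so either spelling of the path should be treated as a match.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Process path that Citizen Lab assessed (medium confidence) as a possible
# QuaDream-related indicator when observed alone, as cited on this page.
SUBRIDGED_PATH = "/private/var/db/com.apple.xpc.roleaccountd.staging/subridged"

# Assumption: on Darwin, /var is a symlink to /private/var, so artifacts may
# record either form of the path. Match both. Dots are escaped so that an
# unrelated "com-apple-xpc..." string does not match.
_PATH_RE = re.compile(
    r"(?:/private)?/var/db/com\.apple\.xpc\.roleaccountd\.staging/subridged\b"
)


@dataclass
class Hit:
    line_no: int        # 1-based line number in the scanned artifact
    matched_path: str   # exact path string as it appeared in the line
    line: str           # full line, for the analyst's context


def scan_lines(lines: Iterable[str]) -> List[Hit]:
    """Return every line that references the subridged process path."""
    hits: List[Hit] = []
    for line_no, line in enumerate(lines, start=1):
        m = _PATH_RE.search(line)
        if m:
            hits.append(Hit(line_no, m.group(0), line.rstrip()))
    return hits


def assess(hits: List[Hit]) -> Tuple[str, str]:
    """Map hits to a confidence label.

    The page reports only a medium-confidence assessment for the path seen
    alone, so this never escalates beyond "medium"; corroboration is left to
    the analyst.
    """
    if not hits:
        return "none", "subridged path not observed in artifact"
    return (
        "medium",
        f"{len(hits)} line(s) reference {SUBRIDGED_PATH}; "
        "corroborate before attributing to QuaDream",
    )


# Constructed sample artifact: a ps-style listing plus two log lines.
# Lines 2 and 4 should match; the others are benign or lack the full path.
SAMPLE_LINES = [
    "  PID TT  TIME     COMMAND",
    "  412 ??  0:00.21  /private/var/db/com.apple.xpc.roleaccountd.staging/subridged",
    "  417 ??  0:01.05  /usr/libexec/roleaccountd",
    "launchd: spawned /var/db/com.apple.xpc.roleaccountd.staging/subridged (pid 412)",
    "kernel: subridged mentioned without any path",
    "  520 ??  0:00.03  /usr/sbin/syslogd",
]


if __name__ == "__main__":
    found = scan_lines(SAMPLE_LINES)
    for h in found:
        print(f"line {h.line_no}: {h.matched_path}")
    print(assess(found))
```

To use it on a real artifact, replace SAMPLE_LINES with the lines of a process listing or log export pulled from the device; the verdict deliberately caps at "medium" so that a single path match is not mistaken for confirmed attribution.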
5 distinct techniques observed across reporting, grouped by tactic.
1 malware family attributed to this actor across reporting.
3 sources tracked across advisories, community write-ups, and news.
Private sector offensive actor tracked by Microsoft under the Tsunami family.
Commercial spyware vendor/operator described as using zero-click, zero-day mobile exploits and offering capabilities to steal passwords and two-factor login codes from devices.
Developer of Reign spyware, used for targeted surveillance of mobile devices.