How to remove Tsunami: A Trojan malware infecting Mac devices

What is Tsunami?

Also known as Kaiten and “Kaiten wa goraku,” Tsunami is a form of malware known as a Trojan. This means it can take control of your operating system, which you definitely don’t want. Unlike other threats out there, this is known as an IRC bot, which means it connects to Internet Relay Chat (IRC) network servers and channels.

However, similar to other Trojan viruses, macOS users first need to download it manually, albeit unwittingly. Tsunami can also come bundled in with other seemingly legitimate software packages and executables. Hiding in plain sight — or simply hiding — a Trojan can only work when a Mac owner inputs the login password for the computer.

At that point, Tsunami can download files to an infected system and run shell commands (Terminal commands) through your macOS. One malware detection group ESET has found more than one version of this Trojan, with some claiming the ones that were detected originally weren’t working, indicating they may have been early OS X test versions of the virus.


When Tsunami is downloaded, it takes control in the following ways:

1. Hiding itself within the /usr/sbin/ directory

      It is cleverly disguised as a command-line tool known as “logind.” macOS has several background programs known as daemons, several of which end with “d,” therefore disguising itself. macOS does have a program that operates in the background known as “logind,” although in older versions of the operating system, that lives in /System/Library/CoreServices/ directory instead of the /usr/sbin/ directory.

      2. It replaces the “logind” program

      In place of the real “logind” within /System/Library/CoreServices/, which is operated by a launch daemon called “com.apple.logind.plist”, the Trojan malware replaces and overrides the contents, thereby taking control of core operating functions.

      Security experts know that this Trojan will contact the following IRC server: pingu.anonops.li, or x.lisp.su. It is also known for using port 6667, which is commonly used for contacting IRC servers.


      What threat does Tsunami pose to Macs?

      Once Tsunami is downloaded and executed, it is capable of causing a series of problems, including:

      • Performing a series of distributed denial of service (DDoS) attacks on targets selected by the command-and-control server;
      • Running shell commands, including the theft of personal data;
      • Running remote files and executing commands;
      • Changing the servers the Mac is pointed at;
      • Spoofing and faking IP addresses;
      • Disabling Security and other programs;  
      • Displaying a fake HELP menu, which can cause other malicious programs to be downloaded.

      The worst threat Tsunami poses is using operating power to run DDoS attacks and various shell commands. Taking control of an infected machine and making a Mac vulnerable to other threats and viruses could cause more serious problems down the road. One way or another, this virus needs to be removed.


      How to remove Tsunami manually

      It is possible to remove the Tsunami manually.

      Search for it using Finder, typing usr/sbin in the text field. Next, search for logind — if this is present in that folder, then removing it should solve part of the problem. However, you also need to replace the real “logind” within /System/Library/CoreServices/, which requires some technical skill. It may be necessary to download a program known as TextWrangler to authenticate and edit the file.

      After that is done, search for any other related files and programs and remove them. And anything else that looks suspicious, as the risk of more viruses being on your Mac increases the longer a Trojan is present.

      Be careful when doing this. It can take time, and accidentally removing anything that your Mac needs could cause operating system problems.

      How to remove Tsunami easily with CleanMyMac X

      CleanMyMac X is an invaluable tool for improving the overall performance of your Mac. With just a click, you can remove gigabytes of junk, neutralize malware, and speed up the system. 

      Its Malware Removal tool identifies and deletes thousands of threats, including Tsunami. To remove a Trojan virus this way, all you need to do is:

      1. Download CleanMyMac X.
      2. Open the app.
      3. Choose the Malware Removal tab on the left.
      4. Click Scan to search for infections.
      5. Click Remove to approve the deletion.
      Removing malware files

      That’s it! Just a few clicks, and your Mac is as safe as new!


      Tsunami is not a unique Trojan. Other malware viruses come unexpectedly through legitimate software and apps, often without the company realizing it. Unfortunately, this is one of those cases where software that some people find useful has been hijacked for illegal purposes. Removing it straight away is the only way to safeguard your Mac.

      Laptop with CleanMyMac
      CleanMyMac X

      Your Mac. As good as new.