Full Report
Cybersecurity researchers have warned of an actively expanding botnet dubbed Tsundere that's targeting Windows users. Active since mid-2025, the threat is designed to execute arbitrary JavaScript code retrieved from a command-and-control (C2) server, Kaspersky researcher Lisandro Ubiedo said in an analysis published today. There are currently no details on how the botnet malware is propagated;
Analysis Summary
# Tool/Technique: Tsundere Botnet
## Overview
Tsundere is an actively expanding botnet targeting Windows users, first observed in mid-2025. Its primary function is to retrieve and execute arbitrary JavaScript code received from a Command-and-Control (C2) infrastructure. The botnet operators utilize a control panel to manage infected hosts, potentially leveraging them as proxies or selling access on a marketplace. A notable feature is its reliance on the Ethereum blockchain to host and rotate C2 server locations.
## Technical Details
- Type: Malware family (Botnet)
- Platform: Windows
- Capabilities: Execute arbitrary JavaScript, maintain persistence, establish WebSocket C2 communication.
- First Seen: Mid-2025
## MITRE ATT&CK Mapping
- T1059 - Command and Scripting Interpreter
- T1059.003 - Windows Command Shell (Implied via PowerShell/MSI execution)
- T1547 - Boot or Logon Autostart Execution: Persistence mechanisms deployed via registry keys.
- T1071 - Application Layer Protocol: Uses standard protocols for C2 communication.
- T1071.001 - Web Protocols (Uses WebSocket for C2)
## Functionality
### Core Capabilities
- **Arbitrary Code Execution:** Retrieves and runs JavaScript code dynamically from the C2 server, providing high flexibility.
- **Decoy Installation:** Uses fake MSI installers, often disguised with game names (Valorant, r6x, cs2), to trick users into installation.
- **Dependency Loading:** Deploys Node.js along with required libraries (`ws`, `ethers`, `pm2` via `npm install`) to build the execution environment.
### Advanced Features
- **Ethereum-Based C2:** Fetches C2 WebSocket server details from a specific Ethereum smart contract, allowing operators to quickly rotate infrastructure without updating the malware on infected hosts.
- **Persistence Mechanism (MSI Variant):** Utilizes the `pm2` package specifically to ensure the bot remains active by writing to the Windows Registry and re-launching the process upon user login.
- **Persistence Mechanism (PowerShell Variant):** Creates a specific registry key value to ensure self-execution upon every login.
- **Botnet Management Panel:** Offers features for building new artifacts, managing bots, enabling proxy functionality, and operating a marketplace for botnet access.
## Indicators of Compromise
- File Hashes: N/A (Not provided in the text)
- File Names: Implants named after games (Valorant, r6x, cs2) suggest decoy artifacts.
- Registry Keys: Used for persistence across reboots/logins (the specific keys are not provided in the text, but the mechanism is confirmed).
- Network Indicators: C2 retrieval via WebSocket URLs potentially found at:
  - `ws://193.24.123[.]68:3011` (defanged)
  - `ws://185.28.119[.]179:1234` (defanged)
- Behavioral Indicators: Execution chain involving installation of Node.js, running `npm install` for `ws`, `ethers`, and `pm2`, and establishing WebSocket connections. Deployment via legitimate RMM tools is also noted.
## Associated Threat Actors
- Unknown threat actor(s) exhibiting Russian language artifacts in source code, suggesting a Russian-speaking background.
- Functional overlaps noted with a malicious npm campaign documented in November 2024.
- Shares infrastructure (C2 server) with the **123 Stealer** malware, advertised by actor "koneko."
## Detection Methods
- Signature-based detection: Looking for the presence of specific Node.js libraries (`ws`, `ethers`, `pm2`) deployed outside of expected development environments.
- Behavioral detection: Monitoring for the execution chain involving installation of Node.js packages via `npm install` followed by the establishment of outbound WebSocket connections to potentially malicious IPs.
- YARA rules if available: N/A (Not provided in the text)
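As an added defender-side example (not from the Kaspersky analysis or this report), the following Python correlates one host's telemetry into the execution chain described in this section: `npm install` of `ws`/`ethers`/`pm2`, a Run-key entry launching Node.js, and WebSocket egress to the reported C2 endpoints. The event schema, field names and sample events are assumptions constructed for the example; the C2 addresses are the defanged ones quoted above, refanged only for matching.

```python
import re

# Defanged C2 endpoints quoted in the report, refanged here only for matching.
KNOWN_C2 = {("193.24.123.68", 3011), ("185.28.119.179", 1234)}
SUSPECT_PKGS = {"ws", "ethers", "pm2"}
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\b", re.IGNORECASE)

def score_host(events):
    """Return detection reasons for one host's events, given in time order.
    Assumed schema: dicts with 'type' of 'process' (cmdline), 'network'
    (dst_ip, dst_port, proto) or 'registry' (key, value)."""
    pkgs_seen, reasons = set(), []
    for ev in events:
        if ev["type"] == "process":
            cmd = ev["cmdline"].lower()
            if "npm" in cmd and "install" in cmd:
                # Strip version suffixes such as ws@8 before matching names.
                pkgs_seen |= SUSPECT_PKGS & {t.split("@")[0] for t in cmd.split()}
        elif ev["type"] == "network":
            dst = (ev["dst_ip"], ev["dst_port"])
            if dst in KNOWN_C2:
                reasons.append(f"known Tsundere C2 {dst[0]}:{dst[1]}")
            elif ev.get("proto") == "websocket" and pkgs_seen >= {"ws", "ethers"}:
                # Chain heuristic: WebSocket egress after the reported dependency set.
                reasons.append(f"websocket to {dst[0]} after npm install of {sorted(pkgs_seen)}")
        elif ev["type"] == "registry":
            val = ev["value"].lower()
            if RUN_KEY.search(ev["key"]) and ("node" in val or "pm2" in val):
                reasons.append(f"Run-key persistence launching node/pm2: {ev['key']}")
    if pkgs_seen == SUSPECT_PKGS:
        reasons.insert(0, "npm installed the full ws/ethers/pm2 set")
    return reasons

# Constructed sample telemetry for an infected host (not real captures).
SAMPLE = [
    {"type": "process", "cmdline": r"msiexec.exe /i C:\Users\u\Downloads\valorant.msi /qn"},
    {"type": "process", "cmdline": "npm.cmd install ws ethers pm2"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": r'"C:\Program Files\nodejs\node.exe" C:\Users\u\AppData\Roaming\bot.js'},
    {"type": "network", "dst_ip": "193.24.123.68", "dst_port": 3011, "proto": "websocket"},
]

# Constructed benign developer activity: one package, HTTPS only, no Run key.
BENIGN = [
    {"type": "process", "cmdline": "npm install ws"},
    {"type": "network", "dst_ip": "10.0.0.5", "dst_port": 443, "proto": "https"},
]
if __name__ == "__main__":
    for name, evs in (("SAMPLE", SAMPLE), ("BENIGN", BENIGN)):
        print(name, score_host(evs) or "no findings")
```

The benign case shows why the rules are chained rather than applied singly: a developer installing `ws` alone produces no finding.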
## Mitigation Strategies
- **Supply Chain Security:** Exercise extreme caution with MSI installers obtained from unverified sources, especially those advertised through tempting lures (e.g., pirated game content).
- **Application Whitelisting:** Restrict the execution of potentially malicious scripts or binaries like Node.js if not required for business operations.
- **Network Monitoring:** Monitor for outbound WebSocket protocol traffic aimed at known high-risk IPs or internal behavior indicative of C2 beaconing.
- **RMM Hardening:** Review and secure Remote Monitoring and Management tools, as they are leveraged as initial conduits for downloading secondary stages.
## Related Tools/Techniques
- 123 Stealer: Shares associated C2 infrastructure.
- Malicious npm campaigns: Exhibits functional overlap with campaigns using suspicious dependency installations.