Cyber Web Spider Blog – News

Tsundere Botnet Expands Using Game Lures and Ethereum-Based C2 on Windows

Posted on November 20, 2025 by CWS

Nov 20, 2025 | Ravie Lakshmanan | Botnet / Malware
Cybersecurity researchers have warned of an actively growing botnet dubbed Tsundere that is targeting Windows users.
Active since mid-2025, the threat is designed to execute arbitrary JavaScript code retrieved from a command-and-control (C2) server, Kaspersky researcher Lisandro Ubiedo said in an analysis published today.
There are currently no details on how the botnet malware is propagated; however, in at least one case, the threat actors behind the operation are said to have leveraged a legitimate Remote Monitoring and Management (RMM) tool as a conduit to download an MSI installer file from a compromised website.
The names given to the malware artifacts – Valorant, r6x (Rainbow Six Siege X), and cs2 (Counter-Strike 2) – also suggest that the implant is likely being distributed using lures for video games. It is possible that users searching for pirated versions of these games are the target.
Regardless of the method used, the fake MSI installer is designed to install Node.js and launch a loader script that is responsible for decrypting and executing the main botnet-related payload. It also prepares the environment by downloading three legitimate libraries, namely ws, ethers, and pm2, using an "npm install" command.

"The pm2 package is installed to ensure the Tsundere bot stays active and is used to launch the bot," Ubiedo explained. "Additionally, pm2 helps achieve persistence on the system by writing to the registry and configuring itself to restart the process upon login."
Kaspersky's analysis of the C2 panel has revealed that the malware can also be propagated in the form of a PowerShell script, which performs a similar sequence of actions by deploying Node.js on the compromised host and downloading ws and ethers as dependencies.
While the PowerShell infector does not make use of pm2, it carries out the same actions observed in the MSI installer by creating a registry key value that ensures the bot is executed on every login by spawning a new instance of itself.
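Both infection paths described above leave the same host-side footprint: a Node.js runtime (or pm2) launched from an autorun registry value, and an npm install that pulls ws and ethers (plus pm2 for the MSI variant). The following hunting script is an added example, not Kaspersky's or the blog's code; it runs a few heuristics over constructed telemetry records (autorun value name and command line, or a captured process command line) of the kind an EDR or registry export would yield. The record layout, the file paths and the user names are this example's own assumptions, and the rule names are made up for illustration.

```python
"""Hunt for the Tsundere persistence and dependency pattern over sample telemetry.

Added example (not the article's or Kaspersky's code). Input records are
constructed triples: (source, name, command line), where source is either an
autorun registry key path or the literal "process" for a process-creation event.
"""
import re

# Matches node / node.exe / pm2 / pm2.cmd as a whole token in a command line.
NODE_RUNTIME = re.compile(
    r'(?:^|[\\/\s"])(node(?:\.exe)?|pm2(?:\.cmd)?)(?=[\s"]|$)', re.IGNORECASE)
# Captures the package list of an "npm install ..." command.
NPM_INSTALL = re.compile(
    r'\bnpm(?:\.cmd)?\s+(?:install|i|add)\s+(.+)$', re.IGNORECASE)

LURE_NAMES = {"valorant", "r6x", "cs2"}   # artifact names reported in the article
REQUIRED_DEPS = {"ws", "ethers"}          # fetched by both the MSI and PowerShell infectors

# Constructed sample telemetry; all paths, user names and values are made up.
SAMPLE_RECORDS = [
    ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "pm2",
     "C:\\Users\\alice\\AppData\\Roaming\\npm\\pm2.cmd resurrect"),
    ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "r6x",
     "C:\\Program Files\\nodejs\\node.exe C:\\Users\\alice\\AppData\\Local\\r6x\\loader.js"),
    ("process", "npm", "npm install ws ethers pm2"),
    ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "OneDrive",
     "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"),
    ("process", "node", "node.exe C:\\dev\\myapp\\server.js"),   # benign developer use
]


def autorun_uses_node(command):
    """True if the command line launches node or pm2 directly."""
    return NODE_RUNTIME.search(command) is not None


def npm_install_packages(command):
    """Return the set of package names requested by an npm install command (flags dropped)."""
    m = NPM_INSTALL.search(command)
    if not m:
        return set()
    return {tok for tok in m.group(1).split() if not tok.startswith("-")}


def hunt(records):
    """Apply the three heuristics and return (name, rule) findings in input order."""
    findings = []
    for source, name, command in records:
        is_run_key = source.upper().endswith("\\RUN")
        # Rule 1: a Node.js runtime or pm2 started from an autorun value is unusual
        # outside developer machines and is exactly what both infectors set up.
        if is_run_key and autorun_uses_node(command):
            findings.append((name, "node_or_pm2_autorun"))
        # Rule 2: autorun value named after one of the reported game lures.
        if is_run_key and name.lower() in LURE_NAMES:
            findings.append((name, "game_lure_artifact_name"))
        # Rule 3: an npm install that pulls the ws + ethers pair the bot depends on.
        if REQUIRED_DEPS <= npm_install_packages(command):
            findings.append((name, "ws_ethers_dependency_install"))
    return findings


if __name__ == "__main__":
    for name, rule in hunt(SAMPLE_RECORDS):
        print(f"{rule:32s} <- {name}")
```

Rule 1 on its own will fire on legitimate Node.js tooling, so in practice the three rules are best correlated on the same host and within a short window; the benign `node.exe ... server.js` process record above is deliberately not flagged because it is not an autorun entry.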
The Tsundere botnet uses the Ethereum blockchain to fetch details of the WebSocket C2 server (e.g., ws://193.24.123[.]68:3011 or ws://185.28.119[.]179:1234), creating a resilient mechanism that allows the attackers to rotate the infrastructure simply by updating a smart contract. The contract was created on September 23, 2024, and has had 26 transactions to date.

Once the C2 address is retrieved, the bot checks that it is a valid WebSocket URL, then establishes a WebSocket connection to the specified address and receives JavaScript code sent by the server. Kaspersky said it did not observe any follow-up commands from the server during the observation period.
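Because the C2 address is read from a smart contract and only has to pass a WebSocket-URL check before the bot connects, the stable detection point for a defender is the egress side: a Node.js process opening a ws:// connection to a bare IP address on a non-standard port. The script below is an added example, not the bot's or Kaspersky's code. It re-implements the URL validation a defender needs in order to pivot on the same fields, carries the two C2 addresses quoted in the article as de-fanged indicators, and triages a handful of constructed egress log lines whose format (space-separated key=value fields) is this example's own assumption.

```python
"""Triage WebSocket egress against the Tsundere C2 pattern described above.

Added example (not the article's or the bot's code). Log line format and host
names are constructed; the two C2 URLs are the indicators quoted in the article.
"""
import ipaddress
from urllib.parse import urlparse

# IoCs from the article, kept de-fanged in source and re-fanged on load.
REPORTED_C2 = {u.replace("[.]", ".") for u in
               ("ws://193.24.123[.]68:3011", "ws://185.28.119[.]179:1234")}

# Constructed sample egress records; hosts and timestamps are made up.
SAMPLE_EGRESS = [
    "2025-11-20T10:01:02Z host=WS-ALICE proc=node.exe dst=ws://193.24.123.68:3011",
    "2025-11-20T10:01:09Z host=WS-ALICE proc=node.exe dst=ws://185.28.119.179:1234",
    "2025-11-20T10:02:30Z host=WS-BOB proc=chrome.exe dst=wss://example.com/socket",
    "2025-11-20T10:03:11Z host=WS-BOB proc=node.exe dst=ws://10.0.0.5:8080",
    "2025-11-20T10:03:40Z host=WS-CAROL proc=node.exe dst=ws://bad:port",
]


def parse_ws_url(url):
    """Return (scheme, host, port) for a well-formed ws:// or wss:// URL, else None.

    urlparse splits the authority for any scheme; the .port property raises
    ValueError for a non-numeric or out-of-range port, which we treat as invalid.
    """
    try:
        p = urlparse(url.strip())
        if p.scheme not in ("ws", "wss") or not p.hostname:
            return None
        port = p.port if p.port is not None else (443 if p.scheme == "wss" else 80)
    except ValueError:
        return None
    return p.scheme, p.hostname, port


def is_bare_ip(host):
    """True if the host component is a literal IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify_ws_connection(url):
    """Verdict for a single destination URL."""
    parsed = parse_ws_url(url)
    if parsed is None:
        return "invalid"
    scheme, host, port = parsed
    if f"{scheme}://{host}:{port}" in REPORTED_C2:
        return "known_tsundere_c2"
    # Plain ws:// to a literal IP on an odd port is the shape of the rotated C2
    # endpoints; it is a heuristic, so it is ranked below the exact indicator.
    if is_bare_ip(host) and port not in (80, 443):
        return "suspicious_bare_ip_ws"
    return "benign"


def triage(lines):
    """Parse key=value egress lines and return (host, process, verdict) per line."""
    results = []
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        results.append((fields["host"], fields["proc"], classify_ws_connection(fields["dst"])))
    return results


if __name__ == "__main__":
    for host, proc, verdict in triage(SAMPLE_EGRESS):
        print(f"{verdict:24s} {host:10s} {proc}")
```

The exact-match rule is only as current as the contract's last rotation, which is why the bare-IP heuristic is kept alongside it; the `ws://10.0.0.5:8080` sample shows that the heuristic will also surface internal development traffic and should be scoped to hosts where a Node.js runtime is not expected.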
"The ability to evaluate code makes the Tsundere bot relatively simple, but it also provides flexibility and dynamism, allowing the botnet administrators to adapt it to a wide range of activities," Kaspersky said.
The botnet operations are facilitated by a control panel that allows logged-in users to build new artifacts using MSI or PowerShell, manage administrative functions, view the number of bots at any given point in time, turn their bots into a proxy for routing malicious traffic, and even browse and buy botnets via a dedicated marketplace.

Exactly who is behind Tsundere is not known, but the presence of the Russian language in the source code for logging purposes points to a threat actor who is Russian-speaking. The activity is assessed to share functional overlaps with a malicious npm campaign documented by Checkmarx, Phylum, and Socket in November 2024.
What's more, the same server has been identified as hosting the C2 panel associated with an information stealer known as 123 Stealer, which is available on a subscription basis for $120 per month. It was first advertised by a threat actor named "koneko" on a dark web forum on June 17, 2025, per Outpost24's KrakenLabs Team.
Another clue that points to its Russian origins is that customers are forbidden from using the stealer to target Russia and the Commonwealth of Independent States (CIS) countries. "Violation of this rule will result in the immediate blocking of your account without explanation," Koneko said in the post at the time.
"Infections can occur through MSI and PowerShell files, which provide flexibility in terms of disguising installers, using phishing as a point of entry, or integrating with other attack mechanisms, making it an even more formidable threat," Kaspersky said.

Source: The Hacker News. Tags: Botnet, Ethereum-Based, Expands, Game, Lures, Tsundere, Windows
