Nov 20, 2025 | Ravie Lakshmanan | Botnet / Malware

Cybersecurity researchers have warned of an actively expanding botnet dubbed Tsundere that’s targeting Windows users.

Active since mid-2025, the threat is designed to execute arbitrary JavaScript code retrieved from a command-and-control (C2) server, Kaspersky researcher Lisandro Ubiedo said in an analysis published today.

There are currently no details on how the botnet malware is propagated; however, in at least one case, the threat actors behind the operation are said to have leveraged a legitimate Remote Monitoring and Management (RMM) tool as a conduit to download an MSI installer file from a compromised site.

The names given to the malware artifacts – Valorant, r6x (Rainbow Six Siege X), and cs2 (Counter-Strike 2) – also suggest that the implant is likely being disseminated using lures for games. It’s possible that users searching for pirated versions of these games are the target.

Regardless of the delivery method, the fake MSI installer installs Node.js and launches a loader script that decrypts and executes the main botnet payload. It also prepares the environment by running an "npm install" command to fetch three legitimate npm packages: ws (a WebSocket client), ethers (an Ethereum client library), and pm2 (a Node.js process manager).


“The pm2 package is installed to ensure the Tsundere bot remains active and used to launch the bot,” Ubiedo explained. “Additionally, pm2 helps achieve persistence on the system by writing to the registry and configuring itself to restart the process upon login.”

Kaspersky’s analysis of the C2 panel has revealed that the malware is also propagated in the form of a PowerShell script, which performs a similar sequence of actions by deploying Node.js on the compromised host and downloading ws and ethers as dependencies.

While the PowerShell infector doesn’t make use of pm2, it carries out the same actions observed in the MSI installer by creating a registry key value that ensures the bot is executed on each login by spawning a new instance of itself.

The Tsundere botnet uses the Ethereum blockchain to fetch the address of its WebSocket C2 server (e.g., ws://193.24.123[.]68:3011 or ws://185.28.119[.]179:1234). Because the address is read from a smart contract rather than hard-coded, the operators can rotate infrastructure simply by updating the contract, and taking down a single C2 server does not sever the bots' ability to find the next one. The contract was created on September 23, 2024, and has had 26 transactions to date.

Once the C2 address is retrieved, the bot checks that it is a valid WebSocket URL, opens a WebSocket connection to that address, and evaluates whatever JavaScript code the server sends back. Kaspersky said it did not observe any follow-up commands from the server during the observation period.
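The two preceding paragraphs describe the bot's C2 resolution: read a string from an Ethereum contract, confirm it is a WebSocket URL, then connect. The block below is an added example written for this page, not code from Kaspersky or from the botnet, showing how an analyst can reproduce that resolution offline from raw eth_call return data. It assumes the contract method returns a single Solidity string (the page does not state the ABI), and the sample return data is constructed here from one of the addresses quoted above rather than captured from the real contract. No network access is needed; the ethers and ws packages are deliberately not used so the decoding steps are visible.

```javascript
// Added example (not Kaspersky's or the botnet's code).
// Assumption: the contract getter returns a single Solidity `string`.

// Convert a 0x-prefixed hex string (eth_call return data) to bytes.
function hexToBytes(hex) {
  const h = hex.startsWith("0x") ? hex.slice(2) : hex;
  if (h.length % 2 !== 0) throw new Error("odd-length hex");
  const out = new Uint8Array(h.length / 2);
  for (let i = 0; i < out.length; i++) out[i] = parseInt(h.slice(i * 2, i * 2 + 2), 16);
  return out;
}

// Read one 32-byte big-endian ABI word as a Number (offsets and lengths are small).
function readUint(bytes, offset) {
  let v = 0n;
  for (let i = 0; i < 32; i++) v = (v << 8n) | BigInt(bytes[offset + i]);
  if (v > BigInt(Number.MAX_SAFE_INTEGER)) throw new Error("word too large");
  return Number(v);
}

// Decode the return data of a function returning (string):
// word 0 = offset of the string head, then a length word, then the bytes padded to 32.
// Every offset and length is bounds-checked so malformed chain data cannot
// make the decoder read outside the buffer.
function decodeAbiString(returnDataHex) {
  const b = hexToBytes(returnDataHex);
  if (b.length < 64) throw new Error("return data too short for a string");
  const off = readUint(b, 0);
  if (off + 32 > b.length) throw new Error("string offset out of range");
  const len = readUint(b, off);
  const start = off + 32;
  if (start + len > b.length) throw new Error("string length out of range");
  return new TextDecoder("utf-8", { fatal: true }).decode(b.subarray(start, start + len));
}

// Solidity ABI encoding of a string; used only to build the constructed sample below.
function encodeAbiString(s) {
  const data = new TextEncoder().encode(s);
  const paddedLen = (data.length + 31) & ~31;
  const word = (n) => n.toString(16).padStart(64, "0");
  let hex = "";
  for (const byte of data) hex += byte.toString(16).padStart(2, "0");
  hex = hex.padEnd(paddedLen * 2, "0");
  return "0x" + word(32) + word(data.length) + hex;
}

// The validation step the analysis describes: only a parseable ws:// or wss://
// URL with a host is accepted as a C2 endpoint.
function isWebSocketC2(candidate) {
  let u;
  try { u = new URL(candidate); } catch { return false; }
  if (u.protocol !== "ws:" && u.protocol !== "wss:") return false;
  return u.hostname.length > 0;
}

// Defang an IPv4 host for reporting, in the "193.24.123[.]68" style used above.
function defang(url) {
  return url.replace(/(\d+\.\d+\.\d+)\.(\d+)/, "$1[.]$2");
}

// Resolve the C2 from raw return data; null when the contract value is not a WebSocket URL.
function resolveC2(returnDataHex) {
  const url = decodeAbiString(returnDataHex);
  return isWebSocketC2(url) ? url : null;
}

// Constructed sample: what eth_call would return if the contract held the first
// address quoted in the analysis. Not real chain data.
const SAMPLE_RETURN_DATA = encodeAbiString("ws://193.24.123.68:3011");

console.log("resolved C2:", defang(String(resolveC2(SAMPLE_RETURN_DATA))));
console.log("non-WebSocket value rejected:", resolveC2(encodeAbiString("http://example.invalid/")));
```

In practice the analyst would obtain the return data by issuing an eth_call against the contract through any Ethereum JSON-RPC endpoint and paste the hex into resolveC2; the point of doing the decode by hand is that the same check can be run against historical transactions to list every C2 address the operators have rotated through.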

“The ability to evaluate code makes the Tsundere bot relatively simple, but it also provides flexibility and dynamism, allowing the botnet administrators to adapt it to a wide range of actions,” Kaspersky said.

The botnet operations are facilitated by a control…




Last Update: November 20, 2025