Ethical Hacking News
In recent months, a new player has emerged on the threat landscape: Tsundere Botnet, an actively expanding Windows-based botnet that leverages game lures and Ethereum-based command-and-control infrastructure. Delivered through installers disguised as popular games and, in at least one observed case, through a legitimate remote-management tool, the malware can run any JavaScript its operators choose on an infected host, which makes it a significant risk to users worldwide.
Tsundere is an actively expanding Windows botnet that uses game-themed lures and Ethereum-based C2 infrastructure. Once installed, it executes arbitrary JavaScript fetched from its C2 server. In at least one observed case a legitimate remote monitoring and management tool was used to download the malicious installer, pointing to phishing or other social engineering as the entry point. The installer deploys Node.js together with a loader script that decrypts and runs the main payload; the pm2 package then keeps the bot alive and relaunches it at each logon. A PowerShell variant performs the same steps without pm2. The bot retrieves the details of its WebSocket C2 server from an Ethereum smart contract, a resilient mechanism that lets the operators rotate infrastructure. Researchers note clues to Russian origins in both the code and its behaviour, as well as an associated server hosting a marketplace that sells data stolen by a campaign called 123 Stealer.
The threat landscape continues to evolve quickly, with new malware campaigns emerging regularly, and the Tsundere botnet is one of the more recent additions. According to analysis by Kaspersky researchers, Tsundere is an actively expanding botnet targeting Windows users that leverages game lures and Ethereum-based command-and-control (C2) infrastructure.
The malware, which has been active since mid-2025, executes arbitrary JavaScript code retrieved from a C2 server. While the exact propagation methods used by the threat actors behind Tsundere are still unclear, researchers have identified at least one instance where a legitimate Remote Monitoring and Management (RMM) tool was used as a conduit to download an MSI installer file from a compromised site. This suggests that the botnet may be using social engineering tactics to trick users into downloading and installing the malware.
The names given to the malware artifacts – Valorant, r6x (Rainbow Six Siege X), and cs2 (Counter-Strike 2) – also hint at the use of game lures. It's possible that users searching for pirated versions of these games are being targeted. In any case, once a user installs the fake MSI installer, Node.js is installed and a loader script launches, which decrypts and executes the main botnet-related payload. The script also downloads three legitimate libraries using an "npm install" command: ws (a WebSocket client, used to reach the C2 server), ethers (an Ethereum library, used for the blockchain lookup described below) and pm2 (a Node.js process manager, used for persistence).
The pm2 package plays a crucial role in keeping the Tsundere bot active. It keeps the bot process running and, by writing to the registry, relaunches it at each user log-in, so the bot survives reboots and logoffs. For responders this means that deleting the payload alone is not enough; the pm2 configuration and the registry entry it creates also need to be removed.
Kaspersky's analysis of the C2 panel has revealed that the malware is also distributed as a PowerShell script. The PowerShell infector performs the same sequence of actions as the MSI installer, deploying Node.js on the compromised host and installing ws and ethers as dependencies, but it does not use pm2 and therefore lacks that persistence mechanism.
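The chain described above leaves two host artifacts a responder can look for: a logon-time Run entry that launches pm2 or node from a user profile, and a node_modules tree that combines ws and ethers (plus pm2 in the MSI variant). The Node.js script below is an added triage example; it is not Tsundere code and not a Kaspersky tool. The registry output, value name, paths and dependency lists it processes are constructed samples, and the heuristics are assumptions drawn from the behaviour this page describes rather than published indicators.

```javascript
// Added example (not Tsundere code, not Kaspersky tooling): triage a Windows
// host for the infection chain described on this page.
//   1. HKCU Run entries that launch node.exe or pm2 (the pm2 persistence),
//   2. dependency sets that combine ws and ethers, with pm2 as an extra signal.
// The registry text and dependency lists below are CONSTRUCTED samples so the
// script runs offline. On a live host, feed it the output of
// `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` and the
// dependencies found under each user's profile. Value names and paths in the
// samples are illustrative assumptions, not indicators observed in the campaign.

// Parse the text output of `reg query <key>` into {name, type, value} records.
// Value lines are indented and whitespace-separated; names may contain spaces,
// so match the name lazily and anchor on the REG_* type token.
function parseRunKeyEntries(regQueryOutput) {
  const entries = [];
  for (const line of regQueryOutput.split(/\r?\n/)) {
    const m = /^\s+(.+?)\s+(REG_SZ|REG_EXPAND_SZ)\s+(.*)$/.exec(line);
    if (m) entries.push({ name: m[1], type: m[2], value: m[3].trim() });
  }
  return entries;
}

// Heuristics for a Run entry consistent with the chain on this page.
// Returns a list of reasons; an empty list means nothing suspicious.
function assessRunEntry(entry) {
  const reasons = [];
  const v = entry.value;
  if (/\bnode(\.exe)?\b/i.test(v)) reasons.push("launches node");
  if (/\bpm2\b/i.test(v)) reasons.push("launches pm2");
  if (/\.js\b/i.test(v)) reasons.push("runs a .js file at logon");
  // Anything auto-starting from a user-writable location deserves a look.
  if (reasons.length && /\\(AppData|Temp|Downloads)\\/i.test(v)) {
    reasons.push("started from a user-writable path");
  }
  return reasons;
}

// Given the dependency names of one project, report the page's dependency
// pattern. ws + ethers together is the core signal; pm2 adds weight.
// Legitimate dapp development also pulls in ws and ethers, so a hit is triage
// input, not a verdict; weigh it against whether the user is a developer.
function assessDependencies(depNames) {
  const deps = new Set(depNames.map((d) => d.toLowerCase()));
  if (!(deps.has("ws") && deps.has("ethers"))) return null;
  return deps.has("pm2")
    ? "ws+ethers+pm2 (MSI variant pattern)"
    : "ws+ethers (PowerShell variant pattern)";
}

// Run both checks and return structured findings.
function triageHost(regQueryOutput, depsByProject) {
  const findings = [];
  for (const entry of parseRunKeyEntries(regQueryOutput)) {
    const reasons = assessRunEntry(entry);
    if (reasons.length) findings.push({ kind: "run-key", name: entry.name, value: entry.value, reasons });
  }
  for (const [projectDir, deps] of Object.entries(depsByProject)) {
    const pattern = assessDependencies(deps);
    if (pattern) findings.push({ kind: "dependencies", path: projectDir, pattern });
  }
  return findings;
}

// --- constructed sample input (hypothetical names and paths) ---
const SAMPLE_REG_OUTPUT = [
  "",
  "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
  "    OneDrive    REG_SZ    \"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background",
  "    Updater    REG_SZ    \"C:\\Users\\alice\\AppData\\Roaming\\npm\\pm2.cmd\" resurrect",
  "",
].join("\r\n");

const SAMPLE_DEPS = {
  "C:\\Users\\alice\\AppData\\Local\\valorant\\node_modules": ["ws", "ethers", "pm2"],
  "C:\\Users\\alice\\projects\\web-frontend\\node_modules": ["react", "react-dom"],
};

for (const f of triageHost(SAMPLE_REG_OUTPUT, SAMPLE_DEPS)) console.log(JSON.stringify(f));
```

On the constructed sample the benign OneDrive entry and the React project produce no findings, while the pm2 Run entry and the ws/ethers/pm2 dependency set are each reported with the reason that triggered them, which is the level of detail a responder needs before deciding what to image or quarantine.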
Furthermore, Tsundere makes use of the Ethereum blockchain to fetch details of the WebSocket C2 server. The bot reads the current server details from a smart contract, so the operators can rotate their infrastructure by updating the contract rather than by redeploying the malware, which makes the C2 resilient to takedown of any single server. This contract was created on September 23, 2024, and has had 26 transactions to date.
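To make the blockchain lookup concrete, here is an added example (not the Tsundere source) of how a bot can resolve its WebSocket C2 address from a contract with a read-only eth_call, and how a defender can issue the same query to watch for rotation. The contract address, the view-function selector and the assumption that the contract returns the URL as a single ABI-encoded string are placeholders for illustration; the page does not describe the real contract's interface.

```javascript
// Added example: resolving a WebSocket C2 address from an Ethereum smart
// contract. Illustrative code, not the Tsundere implementation. The contract
// address, the function selector and the `string` return type are ASSUMPTIONS
// made for this example; the real contract's ABI is not described on the page.

const CONTRACT_ADDRESS = "0x0000000000000000000000000000000000000000"; // placeholder, not the real contract
// Assumed: a view function with no arguments that returns `string`.
// The 4-byte selector is keccak256(signature)[0:4]; hard-coded as an assumed
// value because Node's crypto module does not provide keccak256.
const GET_C2_SELECTOR = "0x12345678"; // assumption

// Build the JSON-RPC body for eth_call. This is a read-only call: it costs no
// gas, is not recorded on-chain and works against any public RPC endpoint,
// which is what makes the lookup hard to disrupt.
function buildEthCallRequest(to, selector, id = 1) {
  return {
    jsonrpc: "2.0",
    id,
    method: "eth_call",
    params: [{ to, data: selector }, "latest"],
  };
}

// Decode an ABI-encoded dynamic `string` return value: one 32-byte offset
// word, a 32-byte length word, then the UTF-8 bytes padded to 32-byte words.
function decodeAbiString(hexResult) {
  const hex = hexResult.startsWith("0x") ? hexResult.slice(2) : hexResult;
  if (hex.length % 64 !== 0) throw new Error("result is not word-aligned");
  const buf = Buffer.from(hex, "hex");
  const wordAt = (byteOffset) => Number(BigInt("0x" + buf.subarray(byteOffset, byteOffset + 32).toString("hex")));
  const offset = wordAt(0);
  if (offset + 32 > buf.length) throw new Error("offset out of range");
  const length = wordAt(offset);
  const start = offset + 32;
  if (start + length > buf.length) throw new Error("length out of range");
  return buf.subarray(start, start + length).toString("utf8");
}

// Encode a string the same way, used here only to construct sample RPC
// responses so the example runs offline.
function encodeAbiString(s) {
  const data = Buffer.from(s, "utf8");
  const padded = Buffer.alloc(Math.ceil(data.length / 32) * 32);
  data.copy(padded);
  const word = (n) => n.toString(16).padStart(64, "0");
  return "0x" + word(32) + word(data.length) + padded.toString("hex");
}

// Accept only what the bot expects, a WebSocket URL, instead of connecting
// blindly to whatever the contract holds.
function resolveC2(rpcResult) {
  const value = decodeAbiString(rpcResult);
  let url;
  try {
    url = new URL(value);
  } catch {
    throw new Error("contract value is not a URL");
  }
  if (url.protocol !== "wss:" && url.protocol !== "ws:") throw new Error("not a WebSocket URL");
  return url.href;
}

// Constructed samples: what an RPC node would return for the assumed function
// before and after the operator rotates infrastructure with one transaction.
// The bot code does not change; only the decoded value does.
const SAMPLE_RESULT_BEFORE = encodeAbiString("wss://c2-old.example.invalid:8443/ws");
const SAMPLE_RESULT_AFTER = encodeAbiString("wss://c2-new.example.invalid:8443/ws");

console.log(JSON.stringify(buildEthCallRequest(CONTRACT_ADDRESS, GET_C2_SELECTOR)));
console.log("C2 before rotation:", resolveC2(SAMPLE_RESULT_BEFORE));
console.log("C2 after rotation: ", resolveC2(SAMPLE_RESULT_AFTER));
```

The asymmetry is the point: the bot needs only an unauthenticated read against any public Ethereum RPC endpoint, which cannot be blocked without blocking all Ethereum traffic, while the operator changes the target with a single transaction. The same read lets a defender poll the contract and alert when the decoded URL changes.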
While not much is known about the individual responsible for Tsundere, Kaspersky researchers have discovered clues pointing towards Russian origins in both the source code of the malware and its behavior. Furthermore, an associated server hosting a marketplace selling stolen data from a malicious campaign called 123 Stealer has been identified. The same server was first advertised on June 17, 2025, by a threat actor named "koneko" on a dark web forum.
In conclusion, Tsundere is the latest step in the ongoing contest between security researchers and threat actors. Its combination of Ethereum-based C2 and game lures gives it both resilient infrastructure and an easy route onto victims' machines. As with any malware campaign, understanding how the threat is delivered and what it does on a host is the first step toward defending against it.
Related Information:
https://www.ethicalhackingnews.com/articles/Tsundere-Botnet-Expands-A-Complex-Web-of-Ethereum-Based-C2-and-Game-Lures-on-Windows-ehn.shtml
https://thehackernews.com/2025/11/tsundere-botnet-expands-using-game.html
Published: Thu Nov 20 11:52:44 2025 by llama3.2 3B Q4_K_M