The Tsundere Bot And The Distribution Of Blockchain-Based Malware

In late 2025 and early 2026, cybersecurity researchers observed a significant shift in how sophisticated threat actors establish initial access and maintain resilient command infrastructure. At the center of this evolution is a malware strain, known as Tsundere Bot, which has rapidly emerged as a modular, blockchain-enabled platform used by prolific adversaries such as TA584 to support ransomware and other post-compromise operations.

Beyond the use of Tsundere, attackers are increasingly exploiting public blockchain technologies, especially Ethereum and Binance Smart Chain, to host malicious code and evade traditional takedown mechanisms. These developments demonstrate how threat groups are innovating both their tooling and distribution tactics to outmaneuver modern defensive controls.

Security analysts at Kaspersky Labs first documented Tsundere Bot in mid-2025. Initially linked to a supply-chain campaign in which malicious Node.js packages were typo-squatted in public repositories, the threat has quickly matured into a more structured botnet targeting Windows endpoints.

Researchers have traced the botnet's development to a Russian-speaking threat actor known as "koneko," who has a history of selling malware tools such as the 123 Stealer on underground forums. Tsundere builds upon that pedigree, incorporating advanced capabilities that extend far beyond simple credential theft.

At its core, Tsundere is a Node.js-based botnet that runs on a legitimate JavaScript runtime on the infected host. Once executed, the malware queries the Ethereum blockchain to retrieve its command-and-control (C2) addresses from a smart contract rather than from a hard-coded, centrally hosted server.

It leverages a technique in which smart contracts store WebSocket server endpoints, enabling the botnet to retrieve, rotate, and fall back to C2 servers without relying on traditional centralized infrastructure. This approach increases resilience against takedown attempts by law enforcement or security teams. The bot itself runs stealthily and flexibly.

After deployment, it establishes encrypted WebSocket connections to its C2 servers and can execute arbitrary JavaScript code as instructed by the operator. This architectural choice allows threat actors to dynamically tailor the bot's actions, making it suitable for information gathering, lateral movement, data exfiltration, and additional payload installation.

Researchers have not identified all potential uses for this dynamic execution model, but its on-demand adaptability distinguishes it from more static malware frameworks.

TA584's Adoption of Tsundere Accelerates Initial Access Campaigns

TA584, a well-known initial access broker that has operated since at least 2020, began using Tsundere Bot in November 2025. According to a recently published Proofpoint blog article, the group employed Tsundere alongside its existing arsenal, which includes payloads like XWorm, Ursnif, and Cobalt Strike, to expand its foothold in targeted networks.

Researchers documented that TA584's overall activity surged in late 2025, with campaign volume tripling compared to earlier in the year and geographic targeting expanding from North America, the UK, and Ireland to include various European countries and Australia.

TA584's campaigns follow a well-orchestrated chain of events that begins with phishing emails sent from hundreds of compromised accounts delivered via third-party email services. These messages include unique URLs and geofencing filters to ensure they reach only viable targets. Anyone who clicks through is often redirected through benign traffic platforms until they reach a CAPTCHA page.

Upon passing these checks, victims are presented with a page instructing them to run a PowerShell command. That command executes an obfuscated script that eventually loads either XWorm or Tsundere into memory, while redirecting the browser to a harmless website to avoid raising suspicion.

Once Tsundere is resident on a system, its ability to communicate via dynamic JavaScript and retrieve commands from a decentralized infrastructure gives TA584 a persistent foothold on the compromised host.

The malware also collects system metadata, including CPU, username, operating system, and volume identifiers, to generate a unique victim ID. Analysts believe such profiling allows tailored lateral movement and automated reconnaissance tasks that build context for further exploitation.

Despite its sophistication, Tsundere also incorporates rudimentary evasion logic: it checks the system's locale during execution and aborts if it detects languages associated with CIS (Commonwealth of Independent States) regions. This is likely a deliberate tactic by its operators to avoid scrutiny or disruption by local authorities.

Tsundere is not the sole example of how threat actors have begun to weaponize blockchain technology. Cybercriminals have already leveraged public decentralized ledgers, particularly Binance Smart Chain (BSC) contracts, to hide malicious scripts and facilitate persistent distribution channels.

Known as EtherHiding, this technique abuses smart contract storage to embed JavaScript payloads that can be retrieved by compromised clients. Traditional hosting sources like Cloudflare Workers or dedicated web hosts can be taken down or blocked, but smart contracts on a public blockchain are immutable and accessible as long as the network exists, making this a highly resilient mechanism for threat delivery.

The convergence of malware-as-a-service frameworks with decentralized command infrastructure complicates traditional defense strategies. Detecting malicious use of blockchain typically requires monitoring outbound RPC calls, smart contract interactions, and suspicious patterns in how endpoints reach decentralized networks.

Static indicators such as IP addresses or domain names are less effective when attackers shift their infrastructure to Web3 platforms, where C2 endpoints can be encoded in contract state variables.
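The two points above (the bot resolving its C2 endpoint from contract state, and the advice to monitor outbound RPC calls and contract interactions) can be turned into a concrete detection. The script below is an added example, not code from the article, Kaspersky, Proofpoint or any vendor product. It assumes constructed proxy log records in JSON-lines form with `src`, `dst_host`, `request_body` and `response_body` fields, a hypothetical list of public RPC gateway hostnames, and a contract that returns its endpoint as a single ABI-encoded string; the contract address, gateway names and endpoint are all placeholders. Note that contract storage can be rewritten by whoever controls the contract, so any endpoint extracted this way is a point-in-time indicator and the RPC call itself is the more durable signal.

```python
"""Flag outbound Ethereum/BSC JSON-RPC state reads from corporate endpoints
and extract the WebSocket endpoint returned by a smart-contract read.

Added example, not from the article or any vendor tooling. All log records,
hostnames, contract addresses and endpoints are constructed placeholders.
"""
import json
import re
from typing import List, Optional

# Hostnames of public RPC gateways that a corporate endpoint normally has no
# reason to contact. Constructed for the example, not a vetted feed.
RPC_GATEWAYS = {"rpc.example-eth.invalid", "bsc-rpc.example.invalid"}

# JSON-RPC methods that read contract state; eth_call is the one used to fetch
# a value a contract function returns, eth_getStorageAt reads a raw slot.
STATE_READ_METHODS = {"eth_call", "eth_getStorageAt"}

ENDPOINT_RE = re.compile(r"\b(?:wss?|https?)://[^\s\"']+")


def abi_encode_string(s: str) -> str:
    """ABI-encode one dynamic string return value (offset, length, padded data).
    Used only to build the constructed sample response below."""
    raw = s.encode()
    head = (32).to_bytes(32, "big")            # offset of the string data
    length = len(raw).to_bytes(32, "big")
    padded = raw + b"\x00" * (-len(raw) % 32)  # right-pad to a 32-byte word
    return "0x" + (head + length + padded).hex()


def abi_decode_string(hexdata: str) -> str:
    """Decode one ABI-encoded dynamic string; raises ValueError on malformed input."""
    data = bytes.fromhex(hexdata[2:] if hexdata.startswith("0x") else hexdata)
    if len(data) < 64:
        raise ValueError("ABI payload too short for a dynamic string")
    offset = int.from_bytes(data[:32], "big")
    if offset + 32 > len(data):
        raise ValueError("ABI offset points outside payload")
    length = int.from_bytes(data[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(data):
        raise ValueError("ABI length field exceeds payload")
    return data[start:start + length].decode("utf-8", errors="replace")


def analyse_record(rec: dict) -> Optional[dict]:
    """Return an alert if the record is a contract-state read against a public
    RPC gateway, else None. Any decodable endpoint in the reply is extracted."""
    if rec.get("dst_host") not in RPC_GATEWAYS:
        return None
    try:
        req = json.loads(rec["request_body"])
        resp = json.loads(rec["response_body"])
    except (KeyError, json.JSONDecodeError):
        return None
    if req.get("method") not in STATE_READ_METHODS:
        return None
    params = req.get("params") or []
    first = params[0] if params and isinstance(params[0], dict) else {}
    endpoints: List[str] = []
    result = resp.get("result")
    if isinstance(result, str) and result.startswith("0x"):
        try:
            endpoints = ENDPOINT_RE.findall(abi_decode_string(result))
        except ValueError:
            pass  # not a string return; the state read alone still merits the alert
    return {"src": rec.get("src"), "method": req["method"],
            "contract": first.get("to"), "endpoints": endpoints}


def scan(lines: List[str]) -> List[dict]:
    """Run analyse_record over JSON-lines proxy records, skipping unparsable lines."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        alert = analyse_record(rec)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample proxy records: one contract read returning an endpoint,
# one ordinary web request, and one benign-looking block-number query.
SAMPLE_LOG = [
    json.dumps({"src": "10.20.30.41", "dst_host": "rpc.example-eth.invalid",
                "request_body": json.dumps({"jsonrpc": "2.0", "id": 1, "method": "eth_call",
                    "params": [{"to": "0x000000000000000000000000000000000000dead",
                                "data": "0x00000000"}, "latest"]}),
                "response_body": json.dumps({"jsonrpc": "2.0", "id": 1,
                    "result": abi_encode_string("wss://c2.example.invalid:8443/ws")})}),
    json.dumps({"src": "10.20.30.42", "dst_host": "www.example.invalid",
                "request_body": "", "response_body": ""}),
    json.dumps({"src": "10.20.30.43", "dst_host": "rpc.example-eth.invalid",
                "request_body": json.dumps({"jsonrpc": "2.0", "id": 2,
                    "method": "eth_blockNumber", "params": []}),
                "response_body": json.dumps({"jsonrpc": "2.0", "id": 2, "result": "0x10"})}),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Only the first record produces an alert: it is a state read against a gateway, and the ABI decode yields the `wss://` endpoint that a SOC can add to egress blocks. The block-number query is ignored because the rule keys on state-read methods rather than on any RPC traffic, which keeps noise from legitimate wallet or developer tooling down while still surfacing the specific call pattern a contract-hosted C2 lookup requires.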

Organizations are urged to adopt multi-layered defenses that include both social engineering mitigation and anomaly detection to identify unusual blockchain interactions originating from corporate networks. Email security remains a frontline defense against phishing campaigns that deliver initial access payloads, such as Tsundere.

Endpoint detection and response (EDR) tools that monitor unusual PowerShell or Node.js activity can help intercept unauthorized execution.
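The delivery chain described earlier (a user running a PowerShell command that loads a Node.js payload) leaves a characteristic process tree, which is what the EDR advice above refers to. The script below is an added example, not the article's code or any EDR product's rule logic. It scores constructed Sysmon-style process-creation events (`pid`, `ppid`, `image`, `cmdline`) with two heuristics: a PowerShell command line carrying encoding or hiding flags, and a `node.exe` process whose ancestry passes through `powershell.exe`. The sample events, script path and encoded argument are constructed; the only real-world facts used are the well-known PowerShell flag names.

```python
"""Score process-creation events for the PowerShell-to-Node.js chain.

Added example, not from the article or any EDR vendor. Events are constructed
Sysmon-style records; the script path and encoded argument are placeholders.
"""
import re
from typing import Dict, List

# PowerShell command-line traits commonly seen when a pasted one-liner stages
# a hidden, obfuscated loader. Word boundaries keep "iex" from matching paths.
OBFUSCATED_PS_RE = re.compile(
    r"(?:-enc(?:odedcommand)?\b|-w(?:indowstyle)?\s+hidden|\biex\b|"
    r"invoke-expression|downloadstring|frombase64string)", re.I)


def ancestry(pid: int, by_pid: Dict[int, dict]) -> List[str]:
    """Return lower-cased image names from the process up to the oldest known ancestor."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid]["image"].lower())
        pid = by_pid[pid]["ppid"]
    return chain


def evaluate(events: List[dict]) -> List[dict]:
    """Return one finding per matched rule, with the process chain for triage."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        image = e["image"].lower()
        chain = ancestry(e["pid"], by_pid)
        if image.endswith("powershell.exe") and OBFUSCATED_PS_RE.search(e["cmdline"]):
            findings.append({"pid": e["pid"], "rule": "obfuscated_powershell", "chain": chain})
        # chain[0] is the process itself; look only at its ancestors.
        if image.endswith("node.exe") and any(p.endswith("powershell.exe") for p in chain[1:]):
            findings.append({"pid": e["pid"], "rule": "node_spawned_by_powershell", "chain": chain})
    return findings


# Constructed events: a hidden, encoded PowerShell launched from the shell
# that then spawns node.exe, plus benign PowerShell and developer Node.js use.
# "SQBFAFgA" is the UTF-16LE base64 of "IEX", used here as a placeholder.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 4,   "image": "explorer.exe",   "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "chrome.exe",     "cmdline": "chrome.exe"},
    {"pid": 300, "ppid": 100, "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -enc SQBFAFgA"},
    {"pid": 400, "ppid": 300, "image": "node.exe",
     "cmdline": r"node.exe C:\Users\user\AppData\Local\Temp\loader.js"},
    {"pid": 500, "ppid": 100, "image": "powershell.exe",
     "cmdline": "powershell.exe Get-Process"},
    {"pid": 700, "ppid": 100, "image": "code.exe",       "cmdline": "code.exe"},
    {"pid": 600, "ppid": 700, "image": "node.exe",       "cmdline": "node.exe server.js"},
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f)
```

The developer's `node.exe` under `code.exe` is deliberately left unflagged: Node.js itself is common on workstations, so the signal is the parent chain, not the binary. Pairing the two rules on the same host (an obfuscated PowerShell that then parents a Node.js process) is the combination worth escalating.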

Karolis Liucveikis

Experienced software engineer, passionate about behavioral analysis of malicious apps

Author and general operator of PCrisk's News and Removal Guides section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over 8 years working in this branch. He attended Kaunas University of Technology and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications.
