
Cybersecurity researchers have warned that a botnet called “Tsundere” targeting Windows users is actively expanding.
Kaspersky researcher Lisandro Uviedo said in an analysis published today that the threat has been active since mid-2025 and is designed to execute arbitrary JavaScript code retrieved from command-and-control (C2) servers.
Details about how the botnet malware is propagated are currently unknown. However, in at least one case, the attackers behind this operation allegedly used legitimate remote monitoring and management (RMM) tools as a conduit to download MSI installer files from a compromised site.
The names given to the malware artifacts – Valorant, r6x (Rainbow Six Siege X), and cs2 (Counter-Strike 2) – also suggest that the implant may be spread using gaming lures. Users looking for pirated versions of these games may be targeted.
Regardless of the method used, the fake MSI installer is designed to install Node.js and launch a loader script that is responsible for decrypting and executing the main botnet payload. It also runs the ‘npm install’ command to prepare the environment by downloading three official libraries: ws, ethers, and pm2.

“The pm2 package is installed to ensure that the Tsundere bot remains active and is used to launch the bot,” Uviedo explained. “In addition, pm2 achieves persistence on the system by writing to the registry and configuring the process to restart on login.”
Kaspersky Lab’s analysis of the C2 panel revealed that the malware also propagates in the form of PowerShell scripts. The script performs a similar set of actions, deploying Node.js on the compromised host and downloading ws and ethers as dependencies.
The PowerShell infectors do not leverage pm2, but achieve the same result observed with the MSI installers by creating registry key values that spawn a new instance of the bot and cause it to run on every login.
The Tsundere botnet leverages the Ethereum blockchain to obtain its WebSocket C2 server details (e.g. ws://193.24.123[.]68:3011 or ws://185.28.119[.]179:1234), creating a resilient mechanism that allows the attackers to rotate infrastructure simply by updating the smart contract. The contract was created on September 23, 2024, and has recorded 26 transactions to date.

Once the C2 address is obtained, the bot verifies that it is a valid WebSocket URL, establishes a WebSocket connection to that address, and executes the JavaScript code sent by the server. Kaspersky said that no subsequent commands from the server were observed during the observation period.
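As an added example, not taken from Kaspersky’s analysis or the article, the following Python sketches a detector for the three behaviours described above: an npm install of ws and ethers (with pm2 in the MSI variant), a Run-key persistence entry that launches node.exe, and an outbound ws:// connection to a bare IP literal on an explicit port. The telemetry events are constructed, and the event schema and the TEST-NET IP are assumptions.

```python
import re
import ipaddress
from urllib.parse import urlparse

# Constructed sample telemetry, not real captures: a process-creation event,
# a registry-set event and two outbound WebSocket URLs, mirroring the chain
# the article describes (Node.js runtime, npm dependencies, Run-key
# persistence, ws:// C2 on a bare IP). The IP is a TEST-NET placeholder.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Program Files\nodejs\npm.cmd",
     "cmdline": "npm install ws ethers pm2"},
    {"type": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "updater",
     "data": r"C:\Program Files\nodejs\node.exe C:\Users\u\AppData\Roaming\loader.js"},
    {"type": "network", "url": "ws://203.0.113.10:3011"},    # assumed C2 shape
    {"type": "network", "url": "wss://example.com/socket"},  # benign: named host
]

# ws + ethers are common to both the MSI and the PowerShell variant; pm2 is MSI-only.
CORE_DEPS = {"ws", "ethers"}

def npm_install_deps(cmdline):
    """Return the package names passed to 'npm install', or an empty set."""
    m = re.match(r"^\s*npm\s+(?:install|i)\s+(.*)$", cmdline, re.I)
    return set(m.group(1).split()) if m else set()

def is_bare_ip_ws_url(url):
    """True for ws:// or wss:// URLs whose host is an IP literal with an explicit port."""
    p = urlparse(url)
    if p.scheme not in ("ws", "wss") or p.port is None or p.hostname is None:
        return False
    try:
        ipaddress.ip_address(p.hostname)
    except ValueError:
        return False
    return True

def find_indicators(events):
    """Map each event to the Tsundere-style behaviour it matches, if any."""
    hits = []
    for e in events:
        if e["type"] == "process" and CORE_DEPS <= npm_install_deps(e["cmdline"]):
            hits.append(("npm_bot_dependencies", e["cmdline"]))
        elif (e["type"] == "registry" and e["key"].lower().endswith(r"\run")
              and re.search(r"\b(node\.exe|pm2)\b", e["data"], re.I)):
            hits.append(("node_run_key_persistence", e["value"]))
        elif e["type"] == "network" and is_bare_ip_ws_url(e["url"]):
            hits.append(("websocket_to_ip_literal", e["url"]))
    return hits
```

Each rule alone is noisy (developers run npm install, and some internal tools use IP-literal WebSockets), so in practice the three findings on one host within a short window are what should raise an alert.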
“The ability to evaluate the code makes Tsundere bots relatively simple, but they also have flexibility and dynamism that allows botnet administrators to adapt them to a wide range of actions,” Kaspersky said.
Botnet operations are facilitated by a control panel where logged-in users can use MSI or PowerShell to build new artifacts, manage administrative functions, view the number of bots at any given time, convert bots into proxies for routing malicious traffic, and browse and purchase botnets through a dedicated marketplace.

It’s unclear exactly who is behind Tsundere, but the presence of Russian in the source code for logging purposes suggests a Russian-speaking attacker. The activity has been assessed to overlap functionally with a malicious npm campaign documented by Checkmarx, Phylum, and Socket in November 2024.
Additionally, the same server has been identified as hosting a C2 panel associated with the information stealer known as 123 Stealer, which is available on a $120 per month subscription basis. According to Outpost24’s KrakenLabs team, it was first promoted by a threat actor named “koneko” on a dark web forum on June 17, 2025.
Another clue to its Russian origins is that customers are prohibited from using the stealer to target Russia and Commonwealth of Independent States (CIS) countries. “Violating this rule will result in your account being immediately blocked without explanation,” Koneko said in a post at the time.
“Infections can occur via MSI or PowerShell files, which are flexible enough to impersonate installers, serve as phishing entry points, or integrate with other attack mechanisms, making them even more of a formidable threat,” Kaspersky said.
