Botnet Targets Windows Users
Cybersecurity researchers report that Tsundere is an expanding botnet aimed at Windows systems and that it has grown quickly since mid-2025. The bot executes JavaScript code sent from a remote server, which gives its operators a flexible way to run harmful commands on infected machines.
Suspicious Installation Paths and Game-Themed Lures
Researchers still do not know the full infection path. In one observed case, however, attackers used a legitimate remote management tool to fetch a malicious MSI file from a compromised site, so users who trust such tools may install the malware without realizing it.
The malware files also use game-related names to attract victims: for example, the implants mimic popular shooter titles. This tactic likely targets people searching for pirated games, so many users may install the threat unknowingly.
How the Fake Installer Works
The fake MSI installer sets up Node.js on the machine and then launches a loader script, which decrypts and runs the core botnet payload. The loader also downloads three legitimate libraries with a simple command; these libraries provide WebSocket communication, Ethereum functions, and process management.
According to one report, the pm2 library keeps the bot running. It also writes registry entries that restart the bot after login, so Tsundere maintains persistence across system restarts.
PowerShell Variant and Startup Persistence
The botnet also spreads through a PowerShell script. This script likewise installs Node.js and downloads the same key libraries, except pm2. It still creates a registry entry so that the bot runs at each login, which gives the attackers a second infection channel.
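Both variants described above rely on a registry Run entry that starts Node.js at login, with the MSI variant additionally using pm2. As an added defender-side triage example (not code from the report or from the botnet itself), this PowerShell snippet lists Run entries and running processes that reference node.exe or pm2; the key list and the regex are assumptions to tune for your environment.

```powershell
# Added triage example, not from the original report. Assumptions: the Run keys
# below are the ones worth checking and the regex is a hypothetical starting pattern.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
# Matches a command whose executable is node.exe, or any reference to pm2.
$suspicious = '(?i)(\\|^|")node(\.exe)?("|\s|$)|\bpm2\b'

$findings = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath metadata
        if ("$($p.Value)" -match $suspicious) {
            [pscustomobject]@{
                Source  = $key
                Name    = $p.Name
                Command = $p.Value
            }
        }
    }
}

# Also catch an already-running bot: node.exe processes and anything launched via pm2.
$procs = Get-CimInstance Win32_Process |
    Where-Object { $_.Name -ieq 'node.exe' -or "$($_.CommandLine)" -match '\bpm2\b' } |
    Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine

if ($findings) { $findings | Format-Table -AutoSize } else { 'No suspicious Run entries found.' }
if ($procs)    { $procs    | Format-Table -AutoSize } else { 'No node.exe / pm2 processes running.' }
```

A hit is a lead, not a verdict: developer workstations legitimately run Node.js, so review the command line and the location of the script it launches before acting.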
Using Ethereum for Resilient C2 Communication
Tsundere uses the Ethereum blockchain to hide its control servers. It retrieves WebSocket addresses from a smart contract created in 2024, so the attackers can rotate servers without losing control of the bots. Once the bot obtains an address, it validates the URL and opens a connection. Researchers did not observe follow-up commands, but the framework allows the operators to update the bot dynamically.
Flexible Control Panel and Marketplace Features
The botnet includes a control panel for operators. It lets them build new malware samples, manage bots, and enable proxy features. Operators can also browse and purchase botnets through a dedicated marketplace, which extends the threat's reach.
Possible Connection and Related Threats
Experts cannot confirm who created Tsundere, but Russian-language logs suggest a Russian-speaking actor. The activity overlaps with a previous malicious npm campaign documented by several research groups.
The same server also hosts a known information stealer. A threat actor sold it through dark web forums and restricted its use against Russia and CIS nations, which further supports the belief in a Russian origin.
Researchers warn that Tsundere infections may arrive through MSI files, PowerShell scripts, and phishing. These options give attackers many entry points, so the botnet represents a significant and evolving risk.
How to Prevent Tsundere Botnet Attacks
Users should avoid downloading unofficial game installers and always verify software sources. They should also enable proactive monitoring tools that can detect unusual scripts and block harmful processes. In addition, professional security services can provide continuous threat scanning and automated response to stop suspicious activity before it spreads.
Sleep well, we got you covered.