A Russian-speaking threat actor attributed to the username “koneko” has resurfaced with a sophisticated new botnet named Tsundere, discovered by Kaspersky GReAT around mid-2025.
This marks a significant evolution from an earlier supply chain campaign that targeted Node.js developers in October 2024, revealing striking parallels in methodology and infrastructure.
Using typosquatting techniques (registering package names nearly identical to those of legitimate libraries), the attacker distributed 287 malicious Node.js packages via npm.
The October 2024 campaign demonstrated the threat actor’s initial proof-of-concept for compromising the JavaScript ecosystem.
Common targets included Puppeteer, Bignum.js, and various cryptocurrency packages, affecting Windows, Linux, and macOS users across the developer community.
The unpacking script is responsible for recreating this structure, including the node_modules directory with all its libraries, which contains the packages necessary for the malware to run.
The campaign was short-lived, abandoned after detection, but it provided crucial insight into the attacker’s capabilities.
New Botnet, Expanded Scope
Tsundere represents a matured version of this threat. Rather than relying solely on supply chain compromise, the botnet employs multiple infection vectors, including MSI installers disguised as popular games (Valorant, CS2, R6X) and PowerShell scripts.
Initial discovery of one implant traced back to a Remote Monitoring and Management (RMM) tool that downloaded a suspicious PDF.msi file, demonstrating the threat actor’s willingness to exploit legitimate tools for malware distribution.
The MSI installer method proved remarkably effective, bundling Node.js executables with malicious JavaScript files that run in the background.
The installer executes via the Windows Installer CustomAction table, spawning hidden Node.js processes that load bot scripts encrypted with AES-256-CBC.
The PowerShell variant similarly downloads Node.js from official repositories, creating a facade of legitimacy while deploying identical functionality.
What distinguishes Tsundere is its use of Ethereum smart contracts for command-and-control infrastructure resilience.
Rather than relying on conventional domains vulnerable to takedown, the botnet stores WebSocket C2 addresses on the Ethereum blockchain using wallet 0x73625B6cdFECC81A4899D221C732E1f73e504a32 and contract 0xa1b40044EBc2794f207D45143Bd82a1B86156c6b.
This approach allows operators to rotate C2 servers at will without DNS-level interruption.
Infected machines query public Ethereum RPC endpoints to retrieve the current C2 address, then establish encrypted WebSocket connections for command execution.
The botnet employs dynamic JavaScript code evaluation, enabling operators to deploy arbitrary functionality via the C2 panel.
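The MSI-spawned Node.js processes and the on-chain C2 lookup described above both leave observable traces on the host. The following Python is an added illustration, not code from the report or from Kaspersky: it runs a few simple detection rules over constructed, Sysmon-like process and HTTP events (the event shape, file paths and rule names are assumptions; only the contract address comes from the report).

```python
import json

# Contract address quoted in the report; lowercased for case-insensitive comparison.
TSUNDERE_CONTRACT = "0xa1b40044EBc2794f207D45143Bd82a1B86156c6b".lower()

# Constructed sample events in a simplified Sysmon-like shape (not real telemetry).
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Users\u\AppData\Local\Temp\node.exe",
     "parent": r"C:\Windows\System32\msiexec.exe"},
    {"type": "process", "image": r"C:\Program Files\nodejs\node.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"type": "http", "image": r"C:\Users\u\AppData\Local\Temp\node.exe", "body": json.dumps(
        {"jsonrpc": "2.0", "id": 1, "method": "eth_call",
         "params": [{"to": "0xA1B40044EBC2794F207D45143BD82A1B86156C6B", "data": "0x"}, "latest"]})},
    {"type": "http", "image": r"C:\Program Files\nodejs\node.exe", "body": json.dumps(
        {"jsonrpc": "2.0", "id": 2, "method": "eth_call",
         "params": [{"to": "0x0000000000000000000000000000000000000001", "data": "0x"}, "latest"]})},
]

def _is_node(image: str) -> bool:
    return image.lower().endswith("\\node.exe")

def check_event(ev: dict) -> list[str]:
    """Return the names of the detection rules a single event matches."""
    hits = []
    if ev["type"] == "process" and _is_node(ev["image"]):
        # Rule 1: Node.js launched by Windows Installer, as an MSI CustomAction would do.
        if ev["parent"].lower().endswith("\\msiexec.exe"):
            hits.append("node_spawned_by_msiexec")
        # Rule 2: Node.js runtime running out of a user-writable temp directory.
        if "\\appdata\\local\\temp\\" in ev["image"].lower():
            hits.append("node_in_temp_dir")
    elif ev["type"] == "http" and _is_node(ev["image"]):
        try:
            body = json.loads(ev["body"])
        except (ValueError, TypeError):
            return hits
        if body.get("method") == "eth_call":
            # Rule 3: any Node.js process reading contract state over JSON-RPC (low confidence).
            hits.append("node_eth_call")
            params = body.get("params") or []
            to = params[0].get("to", "") if params and isinstance(params[0], dict) else ""
            # Rule 4: the call targets the contract the report ties to Tsundere C2 rotation.
            if str(to).lower() == TSUNDERE_CONTRACT:
                hits.append("tsundere_c2_contract_lookup")
    return hits

def scan(events: list[dict]) -> list[tuple[int, str]]:
    """Run every rule over a list of events; returns (event index, rule name) pairs."""
    return [(i, r) for i, ev in enumerate(events) for r in check_event(ev)]
```

Rule 3 on its own will also fire for legitimate Node.js applications that talk to Ethereum nodes, so it is meant as a low-confidence signal to be combined with the others rather than alerted on alone.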
Marketplace Model and Infrastructure
The Tsundere control panel features an open-registration system allowing any user to build custom bots, create malware variants, and offer services on an integrated marketplace.
The panel integrates Monero wallet functionality, SOCKS proxy capabilities, and a Build system for generating unique bot variants. At the time of analysis, 90-115 bots maintained active connections.
Attribution evidence links Tsundere to the 123 Stealer (a commercial stealer available for $120 monthly) through shared infrastructure, with both threats operating from the same backend servers.
The threat actor’s profile on dark web forums listed the title “node malware senior,” reinforcing expertise in Node.js-based malware development.
With Tsundere infrastructure actively responding to bot connections and the underlying threat actor concurrently promoting additional malware, security researchers expect this threat to escalate rather than diminish.
Organizations should monitor for related threats and implement robust supply chain security practices to mitigate the risk posed by this evolving botnet family.