Tsundere Botnet Expands Using Game Lures And Ethereum-based C2 On...
Cybersecurity researchers have warned of an actively expanding botnet dubbed Tsundere that's targeting Windows users.
Active since mid-2025, the threat is designed to execute arbitrary JavaScript code retrieved from a command-and-control (C2) server, Kaspersky researcher Lisandro Ubiedo said in an analysis published today.
There are currently no details on how the botnet malware is propagated; however, in at least one case, the threat actors behind the operation are said to have leveraged a legitimate Remote Monitoring and Management (RMM) tool as a conduit to download an MSI installer file from a compromised site.
The names given to the malware artifacts – Valorant, r6x (Rainbow Six Siege X), and cs2 (Counter-Strike 2) – also suggest that the implant is likely being disseminated using lures for games. It's possible that users searching for pirated versions of these games are the target.
Regardless of the method used, the fake MSI installer is designed to install Node.js and launch a loader script that's responsible for decrypting and executing the main botnet-related payload. It also prepares the environment by downloading three legitimate libraries, namely, ws, ethers, and pm2, using an "npm install" command.
"The pm2 package is installed to ensure the Tsundere bot remains active and used to launch the bot," Ubiedo explained. "Additionally, pm2 helps achieve persistence on the system by writing to the registry and configuring itself to restart the process upon login."
Kaspersky's analysis of the C2 panel has revealed that the malware is also propagated in the form of a PowerShell script, which performs a similar sequence of actions by deploying Node.js on the compromised host and downloading ws and ethers as dependencies.
While the PowerShell infector doesn't make use of pm2, it carries out the same actions observed in the MSI installer by creating a registry key value that ensures the bot is executed on each login by spawning a new instance of itself.
The Tsundere botnet makes use of the Ethereum blockchain to fetch details of the WebSocket C2 server (e.g., ws://193.24.123[.]68:3011 or ws://185.28.119[.]179:1234), creating a resilient mechanism that allows the attackers to rotate the infrastructure simply by employing a smart contract. The contract was created on September 23, 2024, and has had 26 transactions to date.
Once the C2 address is retrieved, it checks to ensure it is a valid WebSocket URL, and then proceeds to establish a WebSocket c
Source: The Hacker News
