
Tsundere Botnet Targets Windows Users with Fake Game Installers and Ethereum-Based C2 Infrastructure

  • Rescana
  • Nov 24

Executive Summary

The Tsundere botnet represents a significant evolution in Windows malware, combining advanced evasion techniques with innovative command-and-control (C2) infrastructure. Since mid-2025, this botnet has rapidly expanded by leveraging fake game installers as lures and utilizing the Ethereum blockchain to store and rotate its C2 addresses. This approach not only complicates traditional takedown efforts but also demonstrates a growing trend of cybercriminals exploiting decentralized technologies for operational resilience. The campaign is attributed to a Russian-speaking threat actor known as koneko, who has a history of distributing 123 Stealer and other Node.js-based malware. The Tsundere botnet is distributed primarily through malicious MSI and PowerShell installers masquerading as popular games such as Valorant, CS2, and R6X. Once executed, the malware establishes persistence, collects system information, and maintains encrypted communication with its C2 via WebSocket endpoints dynamically referenced from Ethereum smart contracts. The botnet’s modular architecture, robust marketplace, and use of blockchain for C2 agility mark it as a critical threat to Windows environments globally.

Threat Actor Profile

The primary operator behind the Tsundere botnet is identified as koneko, a Russian-speaking cybercriminal with a documented history in the development and distribution of Node.js-based malware, including the 123 Stealer. Koneko is known for leveraging underground forums and Telegram channels to market malware-as-a-service (MaaS) offerings, providing open registration for other threat actors via the Tsundere Netto control panel. This panel enables affiliates to generate custom builds, manage infected hosts, and monetize access through integrated cryptocurrency wallets, including Monero. The actor demonstrates technical sophistication, particularly in the use of decentralized infrastructure for C2, and operational security by avoiding infections in CIS-region systems through locale checks. The infrastructure and codebase overlap with previous 123 Stealer campaigns, indicating a shared development lineage and a focus on maximizing botnet resilience and profitability.

Technical Analysis of Malware/TTPs

The Tsundere botnet employs a multi-stage infection process, beginning with the distribution of malicious MSI and PowerShell installers. These installers are often disguised as legitimate game setup files and are propagated through piracy forums, compromised websites, and, in some cases, via Remote Monitoring and Management (RMM) tools. The MSI installer packages both legitimate Node.js binaries and obfuscated JavaScript payloads, deploying them to %APPDATA%\Local\NodeJS. The PowerShell variant downloads Node.js from the official source, decrypts the bot payload, and establishes persistence.

Persistence is achieved by creating a registry entry under HKCU:\Software\Microsoft\Windows\CurrentVersion\Run, pointing to the malicious Node.js or PowerShell script. The malware leverages the pm2 Node.js process manager to ensure continuous operation and automatic restart upon user login.

For C2 communication, the botnet utilizes WebSocket connections to endpoints whose addresses are stored and rotated within an Ethereum smart contract (contract address: 0xa1b40044EBc2794f207D45143Bd82a1B86156c6b). The bot queries public Ethereum RPC endpoints to retrieve the current C2 address, which is updated by the operator through blockchain transactions. This method provides a resilient and censorship-resistant mechanism for C2 address distribution.

Upon execution, the bot establishes an encrypted WebSocket session with the C2, exchanging an AES key and initialization vector (IV) to secure the channel. It then exfiltrates system information, including the MAC address, RAM, GPU, and other hardware details. The C2 can issue arbitrary JavaScript commands (message ID=1), which the bot executes before returning the results, and the channel is kept alive through periodic ping/pong messages.

The Tsundere Netto control panel (version 2.4.4) offers a comprehensive suite of features for threat actors, including a bot dashboard, build system for MSI and PowerShell payloads, a marketplace for botnet services, Monero wallet integration, and a SOCKS proxy service. Each build is uniquely tagged to the affiliate who generated it, facilitating tracking and revenue sharing.

Exploitation in the Wild

Since July 2025, the Tsundere botnet has maintained a steady presence, with telemetry indicating 90 to 115 active bots connected at any given time. The primary infection vector remains fake game installers, which are distributed through high-traffic piracy forums and compromised websites targeting users seeking unauthorized software. There is evidence that some infections have occurred via RMM tools, suggesting opportunistic targeting of less-secure enterprise environments.

The malware explicitly avoids infecting systems with Russian or CIS-region locales, reflecting the operator’s intent to evade local law enforcement scrutiny. Victims are predominantly individual Windows users, particularly those engaged in gaming and software piracy communities, though the indiscriminate nature of the lures means that enterprise endpoints are not immune.

The threat actor koneko continues to actively market access to the botnet and custom builds through the Tsundere Netto panel, with infrastructure and codebase overlap observed in concurrent 123 Stealer campaigns. The use of Ethereum-based C2 rotation has so far thwarted conventional takedown efforts, and the botnet’s modular design allows for rapid adaptation and expansion.

Victimology and Targeting

The Tsundere botnet primarily targets Windows users worldwide, with a focus on individuals seeking pirated games and software. The infection campaign is opportunistic rather than sector-specific, but the use of game-themed lures has resulted in a disproportionate impact on the gaming community and younger demographics. There is no evidence of targeted attacks against specific industries or organizations; however, the use of RMM tools as a secondary vector raises concerns about potential lateral movement within enterprise environments.

The malware’s locale check ensures that systems configured for Russian or CIS-region languages are excluded from infection, a common tactic among Russian-speaking cybercriminals to avoid domestic prosecution. The global distribution of victims, combined with the botnet’s ability to execute arbitrary code, presents a persistent risk to both individual users and organizations with insufficient endpoint controls.

Mitigation and Countermeasures

Organizations and individuals should implement a multi-layered defense strategy to mitigate the risk posed by the Tsundere botnet. Key recommendations include:

Vigilantly monitor for suspicious MSI or PowerShell scripts, especially those referencing popular games or originating from untrusted sources. Unusual Node.js installations in %APPDATA%\Local\NodeJS should be investigated, as this is a hallmark of Tsundere infections. Network monitoring should be configured to detect outbound WebSocket connections to known C2 IPs and ports, including 185.28.119.179:1234, 196.251.72.192:1234, 103.246.145.201:1234, 193.24.123.68:3011, and 62.60.226.179:3001. Endpoint detection and response (EDR) solutions should be tuned to flag registry modifications to HKCU:\Software\Microsoft\Windows\CurrentVersion\Run that reference Node.js or PowerShell scripts.

Security teams should proactively hunt for the provided file hashes and C2 endpoints in endpoint and network logs, and investigate any unusual npm package installations or Node.js process activity. Blocking access to public Ethereum RPC endpoints may disrupt the botnet’s ability to retrieve updated C2 addresses, though this may have collateral impact on legitimate blockchain applications.
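As an added host-triage example (not Rescana's or Kaspersky's tooling), the following PowerShell script checks a single Windows host for the indicators named in the two paragraphs above: Run-key persistence referencing Node.js or PowerShell, the Node.js drop directory, node.exe running from a user profile, and live connections to the listed C2 endpoints. The registry value pattern and the assumption that %APPDATA%\Local\NodeJS means the user's AppData\Local\NodeJS (both spellings are checked) are mine, not the report's.

```powershell
# Added host-triage script (not Rescana's or Kaspersky's tooling). It checks one
# Windows host for the Tsundere artefacts named in the report. Run it as the
# interactive user, since the Run key inspected lives in that user's HKCU hive.
# Assumptions: the value pattern below, and that %APPDATA%\Local\NodeJS in the
# report means the user's AppData\Local\NodeJS (both spellings are checked).

# Known C2 endpoints from the report, as "ip:port" strings.
$C2Endpoints = @(
    '185.28.119.179:1234', '196.251.72.192:1234', '103.246.145.201:1234',
    '193.24.123.68:3011',  '62.60.226.179:3001'
)
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Persistence: HKCU Run values whose command line references Node.js, a .js
#    payload, pm2 or PowerShell.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runValues = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($runValues) {
    foreach ($p in $runValues.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # provider metadata, not a Run value
        if ("$($p.Value)" -match 'node(\.exe)?\b|\.js\b|pm2|powershell') {
            $findings.Add("Run value '$($p.Name)' launches: $($p.Value)")
        }
    }
}

# 2. Drop directory used by the MSI installer (both path spellings checked).
foreach ($dir in @((Join-Path $env:LOCALAPPDATA 'NodeJS'), (Join-Path $env:APPDATA 'Local\NodeJS'))) {
    if (Test-Path -LiteralPath $dir) { $findings.Add("Node.js drop directory present: $dir") }
}

# 3. node.exe running from a user-writable location rather than Program Files.
Get-Process -Name node -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and $_.Path -notlike "$env:ProgramFiles\*" } |
    ForEach-Object { $findings.Add("node.exe running from $($_.Path) (PID $($_.Id))") }

# 4. Established TCP sessions to the listed C2 endpoints.
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $C2Endpoints -contains "$($_.RemoteAddress):$($_.RemotePort)" } |
    ForEach-Object {
        $findings.Add("Connection to listed C2 $($_.RemoteAddress):$($_.RemotePort) from PID $($_.OwningProcess)")
    }

if ($findings.Count -eq 0) { Write-Output 'No Tsundere indicators found on this host.' }
else { $findings | ForEach-Object { Write-Warning $_ } }
```

A hit on check 1 or 2 alone is worth a closer look but not proof of infection, since legitimate Node.js tooling can also register Run entries; a hit on check 4 should be treated as an active compromise.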

User education remains critical; organizations should reinforce the dangers of downloading software from untrusted sources and the risks associated with software piracy. Regular patching, least-privilege access controls, and application whitelisting can further reduce the attack surface.


About Rescana

Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to assess, monitor, and mitigate cyber risks across their digital supply chain. Our advanced threat intelligence and automation capabilities empower security teams to proactively identify and respond to emerging threats, ensuring robust protection for critical assets and business operations.

For further information or to discuss custom detection rules, we are happy to answer questions at ops@rescana.com.
