The cybersecurity landscape has been marked by the emergence of a new, actively developed botnet dubbed Tsundere, built specifically to compromise Windows systems. Active since mid-2025, Tsundere’s core function is to execute arbitrary JavaScript code fetched from a command-and-control (C2) server. The exact propagation method remains unclear, but evidence suggests the operators use legitimate Remote Monitoring and Management (RMM) tools to deliver a malicious MSI installer. The naming of the malware components—Valorant, r6x, and cs2—strongly implies that the implant is distributed through game-related lures, likely targeting users seeking pirated versions of popular titles such as Valorant, Rainbow Six Siege, and Counter-Strike 2.
Regardless of whether the infection begins via an MSI installer or a PowerShell script, the primary goal is to deploy Node.js onto the compromised host. The malicious MSI installer installs Node.js and launches a loader script that decrypts and executes the main botnet payload. The installer also prepares the environment by running npm install to download three legitimate Node.js libraries: ws, ethers, and pm2. The pm2 package is of particular significance: it keeps the Tsundere bot running and provides persistence, as it is configured to relaunch the bot process at each user login by writing to the system registry. The alternative infection vector, a PowerShell script, performs a similar sequence of actions, deploying Node.js and the ws and ethers libraries, and likewise achieves persistence by creating a registry key value that executes the bot at each login, though it does not use pm2.
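The persistence and staging behaviour described above (an autostart registry value that launches Node.js or pm2, preceded by an npm install of ws, ethers and pm2) lends itself to a simple host triage check. The following is an added example written for this page, not code from the original write-up or from the malware: it runs two detections over constructed samples. Every registry value, path and command line below is made up, and the specific Run key the bot writes is an assumption, since the write-up only says "the system registry".

```python
"""
Added example, not code from the original write-up or from the malware
itself: an offline triage check for the persistence and staging pattern
described above, namely autostart (Run-key) values that launch node.exe or
pm2 with a script, and npm installs that fetch the ws/ethers/pm2 set.
Every registry value and command line below is a constructed sample, and
the exact Run key the bot writes is an assumption.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Assumed autostart locations to review.
RUN_KEYS = (
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
)

# A node/pm2 launcher token, delimited by a path separator, space or quote.
NODE_LAUNCHER = re.compile(
    r'(?:^|[\\\s"])(?:node|nodejs|pm2)(?:\.exe|\.cmd)?(?=[\s"]|$)', re.IGNORECASE)
# A JavaScript file passed as an argument.
SCRIPT_ARG = re.compile(r'\S+\.(?:js|cjs|mjs)\b', re.IGNORECASE)
# "npm install ..." / "npm i ...", with or without the .cmd shim and quotes.
NPM_INSTALL = re.compile(r'\bnpm(?:\.cmd)?"?\s+(?:i|install)\b(.*)', re.IGNORECASE)
# The three libraries the write-up says the installer pulls in.
STAGING_PACKAGES = {"ws", "ethers", "pm2"}


@dataclass(frozen=True)
class Finding:
    source: str   # where the indicator was seen (registry value or "process")
    detail: str


def check_run_value(key: str, name: str, command: str) -> Optional[Finding]:
    """Flag an autostart value whose command launches node.exe or pm2."""
    if not NODE_LAUNCHER.search(command):
        return None
    script = SCRIPT_ARG.search(command)
    target = script.group(0).strip('"') if script else "(no .js argument)"
    return Finding(f"{key}\\{name}", f"Node.js/pm2 autostart -> {target}")


def check_command_line(cmd: str) -> Optional[Finding]:
    """Flag an npm install that fetches two or more of ws, ethers and pm2."""
    m = NPM_INSTALL.search(cmd)
    if not m:
        return None
    # Drop flags (--save-dev, -g, ...) and version suffixes (ws@8 -> ws).
    pkgs = {t.lower().split("@")[0] for t in m.group(1).split() if not t.startswith("-")}
    hit = sorted(pkgs & STAGING_PACKAGES)
    if len(hit) < 2:
        return None
    return Finding("process", f"npm install of {hit}")


def triage(run_values: Iterable[Tuple[str, str, str]],
           command_lines: Iterable[str]) -> List[Finding]:
    """Run both checks and return every finding, registry values first."""
    findings: List[Finding] = []
    for key, name, command in run_values:
        f = check_run_value(key, name, command)
        if f:
            findings.append(f)
    for cmd in command_lines:
        f = check_command_line(cmd)
        if f:
            findings.append(f)
    return findings


# Constructed samples: value names echo the game-themed component names the
# write-up mentions; every path is made up.
SAMPLE_RUN_VALUES = [
    (RUN_KEYS[0], "OneDrive",
     r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (RUN_KEYS[0], "Valorant",
     r'"C:\Program Files\nodejs\node.exe" "C:\Users\alice\AppData\Roaming\r6x\loader.js"'),
    (RUN_KEYS[1], "SecurityHealth", r"C:\Windows\system32\SecurityHealthSystray.exe"),
    (RUN_KEYS[0], "pm2", r'"C:\Users\alice\AppData\Roaming\npm\pm2.cmd" resurrect'),
]
SAMPLE_COMMAND_LINES = [
    r'"C:\Program Files\nodejs\npm.cmd" install ws ethers pm2',
    r'"C:\Program Files\nodejs\npm.cmd" install --save-dev eslint',
    r'powershell.exe -NoProfile -File C:\Users\alice\build.ps1',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_RUN_VALUES, SAMPLE_COMMAND_LINES):
        print(f"{f.source}: {f.detail}")
```

On a real host the tuples in SAMPLE_RUN_VALUES would come from enumerating the Run keys and the command lines from process-creation telemetry; the two regular expressions deliberately match the launcher rather than a fixed path, because Node.js can be dropped anywhere and the write-up does not state where the installer places it.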
A distinguishing feature of the Tsundere botnet is its innovative approach to C2 infrastructure resilience. The malware uses the Ethereum blockchain to dynamically retrieve the WebSocket C2 server address, a mechanism that lets the attackers rotate their infrastructure simply by updating a smart contract created in September 2024. Once the C2 address is retrieved and validated as a WebSocket URL, the bot connects to it to receive JavaScript code from the server. Because the bot simply evaluates whatever code the server sends, it is architecturally simple yet highly flexible, letting the botnet’s operators adapt its functionality to a wide range of tasks. The operation is run from a control panel that offers a full suite of management tools, including the ability to build new artifacts, manage administrative functions, monitor the number of active bots, use bots for proxying malicious traffic, and even browse a dedicated marketplace for purchasing botnets.
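The C2 look-up sequence just described, a process reading a smart contract and then opening a WebSocket connection, is a behavioural pattern a defender can correlate in network telemetry. The following added example (written for this page, not the write-up's or the malware's code) implements that correlation over constructed event records. Two assumptions are labelled in the code: that the contract is read through the standard Ethereum JSON-RPC method eth_call, which the write-up does not name, and the event field layout, which is invented rather than taken from any vendor's schema.

```python
"""
Added example, not code from the original write-up: a correlation rule for
the C2 look-up sequence described above, in which one process first reads
a smart contract through an Ethereum JSON-RPC endpoint and shortly after
opens a WebSocket connection. Reading contract state via the standard
"eth_call" method is an assumption; the write-up does not name the RPC
method. The event records and their field layout are constructed samples,
not any vendor's telemetry schema.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# How long after the RPC read a WebSocket connection still counts as related.
WINDOW = timedelta(minutes=5)


def is_eth_call(event: Dict) -> bool:
    """True for an HTTP request whose body is a JSON-RPC 2.0 eth_call."""
    if event["kind"] != "http" or not event.get("body"):
        return False
    try:
        body = json.loads(event["body"])
    except ValueError:
        return False
    return (isinstance(body, dict) and body.get("jsonrpc") == "2.0"
            and body.get("method") == "eth_call")


def correlate(events: List[Dict]) -> List[Tuple[str, str, str]]:
    """Return (image, rpc_host, websocket_url) for each process that opened a
    ws:// or wss:// connection within WINDOW of an eth_call it issued."""
    by_proc: Dict[Tuple[str, int], List[Dict]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_proc[(e["host"], e["pid"])].append(e)

    hits = []
    for evs in by_proc.values():
        pending = []  # (timestamp, rpc host) of eth_calls awaiting a WebSocket
        for e in evs:
            ts = datetime.fromisoformat(e["ts"])
            if is_eth_call(e):
                pending.append((ts, urlparse(e["url"]).hostname))
            elif e["kind"] == "websocket" and urlparse(e["url"]).scheme in ("ws", "wss"):
                for rpc_ts, rpc_host in pending:
                    if ts - rpc_ts <= WINDOW:
                        hits.append((e["image"], rpc_host, e["url"]))
                        break
    return hits


# Constructed telemetry. Hostnames use the reserved .invalid TLD and the
# contract address and call data are placeholders, not real values.
ETH_CALL_BODY = json.dumps({"jsonrpc": "2.0", "id": 1, "method": "eth_call",
                            "params": [{"to": "0x<contract-address-placeholder>",
                                        "data": "0x<selector-placeholder>"}, "latest"]})
SAMPLE_EVENTS = [
    {"ts": "2025-07-01T10:00:00", "host": "WS01", "pid": 4120, "image": "node.exe",
     "kind": "http", "url": "https://rpc.example-eth-node.invalid/", "body": ETH_CALL_BODY},
    {"ts": "2025-07-01T10:00:02", "host": "WS01", "pid": 4120, "image": "node.exe",
     "kind": "websocket", "url": "wss://c2.example.invalid:8443/"},
    # Browser WebSocket with no preceding RPC read: benign.
    {"ts": "2025-07-01T10:00:03", "host": "WS01", "pid": 2210, "image": "chrome.exe",
     "kind": "websocket", "url": "wss://chat.example.invalid/socket"},
    # Wallet software reading a contract, then a WebSocket an hour later:
    # outside WINDOW, so not correlated.
    {"ts": "2025-07-01T10:01:00", "host": "WS01", "pid": 3090, "image": "wallet.exe",
     "kind": "http", "url": "https://rpc.example-eth-node.invalid/", "body": ETH_CALL_BODY},
    {"ts": "2025-07-01T11:30:00", "host": "WS01", "pid": 3090, "image": "wallet.exe",
     "kind": "websocket", "url": "wss://prices.example.invalid/"},
]

if __name__ == "__main__":
    for image, rpc_host, ws_url in correlate(SAMPLE_EVENTS):
        print(f"{image}: eth_call to {rpc_host} then WebSocket to {ws_url}")
```

The rule keys on the sequence rather than on any particular RPC provider or C2 host, because the whole point of the blockchain look-up is that the WebSocket endpoint can change whenever the operators update the contract; the time window and the process-scoped pairing are what keep legitimate wallet or dApp traffic from firing it.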
The individuals responsible for the Tsundere botnet are suspected to be Russian-speaking due to the presence of the Russian language within the source code used for logging purposes. Further analysis has revealed functional overlaps with an earlier malicious npm package campaign. Crucially, the same server that hosts the Tsundere C2 panel has also been identified as hosting the control panel for an information stealer known as 123 Stealer, which is offered on a subscription basis for $120 per month. This stealer was advertised on a dark web forum by a threat actor named “koneko” in June 2025.
A clear link to Russian origins is established by a strict rule imposed on 123 Stealer customers: they are forbidden from using the stealer to target Russia and the Commonwealth of Independent States (CIS) countries, with violation resulting in immediate account termination. The use of both MSI and PowerShell infection methods provides the attackers with high flexibility in disguising installers, leveraging phishing, or integrating with other complex attack mechanisms, positioning Tsundere as a formidable and adaptive threat in the current cybersecurity landscape.