Malware | Used by 2 actors | Exploits 1 CVE

Tsundere Botnet

Tsundere Botnet is a JavaScript-based malware family and remote access tool first documented by Kaspersky in mid-2025 and publicly described in late 2025. It is associated in reporting with Russian-speaking actor "koneko," and multiple sources later linked related activity and infrastructure to the Iranian MOIS-linked espionage group MuddyWater (also tracked as Seedworm, Static Kitten, Mango Sandstorm, Earth Vetala, and TA450). The malware relies on trusted scripting runtimes rather than conventional compiled implants, with observed Node.js-based payloads and a Deno-based variant named DinDoor.

Reported capabilities include execution of obfuscated JavaScript payloads, host fingerprinting, command-and-control communications, retrieval of additional payloads, and use as a backdoor/RAT. DinDoor, described as a variant of Tsundere Botnet, abuses the legitimate Deno runtime and MSI installers to evade detection, can execute JavaScript entirely in memory, binds a localhost TCP listener as a mutex, fingerprints victims using username, hostname, memory, and OS release, and communicates with C2 over HTTP. Tsundere Botnet infrastructure has also been described as using Ethereum smart contracts as a dead-drop resolver for resilient C2 discovery; reported smart contract addresses include 0x2B77671cfEE4907776a95abbb9681eee598c102E and 0xa1b40044EBc2794f207D45143Bd82a1B86156c6b, with getString() used to resolve C2 servers. Historical WebSocket/C2 infrastructure mentioned in the reporting includes 185.236.25.119, 193.17.183.126, and the domain serialmenot[.]com.

Observed delivery and execution chains include heavily obfuscated PowerShell loaders and MSI-based installers delivered via phishing emails or malicious drive-by downloads. One reported Tsundere dropper was reset.ps1, a 2.2 MB obfuscated PowerShell script found on MuddyWater infrastructure. DinDoor samples were reported as downloading deno.exe from dl.deno[.]land, then executing base64-decoded JavaScript. Specific sample hashes mentioned for DinDoor are 7b793c54a927da36649eb62b9481d5bcf1e9220035d95bbfb85f44a6cc9541ae (migcredit.pdf.msi) and 2a09bbb3d1ddb729ea7591f197b5955453aa3769c6fb98a5ef60c6e4b7df23a5 (Installer_v1.21.66.msi).
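The DinDoor chain described above (MSI installer, deno.exe fetched from dl.deno[.]land, inline JavaScript executed by the Deno runtime, localhost TCP listener used as a mutex) can be expressed as a correlation rule over endpoint telemetry. The following is an added example, not code from this page or from any vendor named here; the event shape, host names, PIDs, and the base64-length heuristic are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample telemetry in a simplified Sysmon-like shape (not real logs);
# ws01 shows the reported DinDoor chain, dev02 is a benign developer box.
EVENTS = [
    {"host": "ws01", "type": "process", "pid": 1001, "ppid": 800,
     "image": r"C:\Windows\System32\msiexec.exe", "cmd": "msiexec.exe /i Installer_v1.21.66.msi"},
    {"host": "ws01", "type": "dns", "pid": 1001, "query": "dl.deno.land"},
    {"host": "ws01", "type": "process", "pid": 1002, "ppid": 1001,
     "image": r"C:\Users\a\AppData\Local\Temp\deno.exe",
     "cmd": "deno.exe eval " + "Y" * 90},  # "Y"*90 stands in for an inline base64 blob
    {"host": "ws01", "type": "listen", "pid": 1002, "addr": "127.0.0.1", "port": 41515},
    {"host": "dev02", "type": "process", "pid": 2001, "ppid": 900,
     "image": r"C:\tools\deno.exe", "cmd": "deno.exe run main.ts"},
]

B64_RUN = re.compile(r"[A-Za-z0-9+/]{80,}={0,2}")  # assumed heuristic: long base64-looking token

def ancestors(pid, parent):
    # Walk pid -> ppid through the process events seen; stops at unknown or looping pids.
    seen = []
    while pid in parent and pid not in seen:
        seen.append(pid)
        pid = parent[pid]
    return seen

def dindoor_stages(events, min_stages=2):
    # Returns {host: sorted stage names} for hosts matching at least min_stages stages.
    parent, image = {}, {}
    for e in events:
        if e["type"] == "process":
            parent[e["pid"]] = e["ppid"]
            image[e["pid"]] = e["image"].lower()
    def is_img(pid, name):
        return image.get(pid, "").endswith(name)
    stages = defaultdict(set)
    for e in events:
        h, pid = e["host"], e["pid"]
        chain = ancestors(pid, parent)
        deno = is_img(pid, "deno.exe")
        under_msi = any(is_img(p, "msiexec.exe") for p in chain)
        if e["type"] == "process" and deno and any(is_img(p, "msiexec.exe") for p in chain[1:]):
            stages[h].add("deno_spawned_from_msi")
        if e["type"] == "process" and deno and B64_RUN.search(e["cmd"]):
            stages[h].add("deno_inline_base64_script")
        if e["type"] == "dns" and e["query"].lower() == "dl.deno.land" and under_msi:
            stages[h].add("deno_fetch_from_installer")
        if e["type"] == "listen" and deno and e["addr"].startswith("127."):
            stages[h].add("deno_localhost_listener")
    return {h: sorted(s) for h, s in stages.items() if len(s) >= min_stages}
```

Requiring two or more stages keeps a developer's stand-alone deno.exe from alerting while the installer-spawned chain still scores on every stage.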

The malware has been discussed in the context of both cybercrime and state-linked operations. Reporting describes overlap with MuddyWater tradecraft, including delivery from exposed MuddyWater infrastructure and overlap with Wasabi/Rclone-based access and exfiltration workflows. DinDoor activity was linked by Broadcom to Seedworm/MuddyWater targeting organizations in the United States, while broader MuddyWater reporting placed related operations against targets in Israel, Jordan, Egypt, the UAE, Portugal, and the United States. Additional reporting notes infrastructure overlap with multi-tenant or shared criminal platforms, including serialmenot[.]com, and behavioral overlap with the CastleLoader/FakeSet ecosystems. A headline also described Tsundere Botnet as using Node.js malware and Ethereum smart-contract-based "unkillable" C2, and as operating a cybercrime marketplace, with DDoS-related tagging.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

EXPLOITED CVES

Vulnerabilities exploited

1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

1 CVE: CVE-2020-0796 (SMBGhost)

The file reset.ps1 on MuddyWater's server is not MuddyWater malware. It is a Tsundere Botnet dropper -- a 2.2 MB heavily obfuscated PowerShell script attributed by Kaspersky GReAT to Russian-speaking threat actor "koneko."

via breakglass intel (intel.breakglass.tech)
THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

MuddyWater

Within the server, we identified that MuddyWater had staged a PowerShell loader, reset.ps1. The PowerShell loader will lead to execution of obfuscated Node.js payloads that appear similar to Tsundere Botnet.

via ctrlaltintel blog (ctrlaltintel.com)
koneko

The file reset.ps1 on MuddyWater's server is not MuddyWater malware. It is a Tsundere Botnet dropper -- a 2.2 MB heavily obfuscated PowerShell script attributed by Kaspersky GReAT to Russian-speaking threat actor "koneko."

via breakglass intel (intel.breakglass.tech)
MITRE ATT&CK

Techniques & procedures

17 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development (1 technique)

T1587.001 Malware (evidence: 1)

Ctrl-Alt-Intel managed to retrieve multiple C2 server binaries... KeyC2... PersianC2... ArenaC2.

Initial Access (2 techniques)

T1189 Drive-by Compromise (evidence: 1)

DinDoor is delivered to victims through phishing emails or malicious drive-by downloads disguised as MSI files.

T1566 Phishing (evidence: 2)

DinDoor is delivered to victims through phishing emails or malicious drive-by downloads disguised as MSI files.

Execution (3 techniques)

T1059.001 PowerShell (evidence: 1)

Within the server, we identified that MuddyWater had staged a PowerShell loader, reset.ps1... The PowerShell loader will lead to execution of obfuscated Node.js payloads.

T1059.007 JavaScript (evidence: 3)

The Node.js script VfZUSQi6oerKau.js is used to establish persistence... trigger execution of the main bot, sysuu2etiprun.js.

T1204.002 Malicious File (evidence: 1)

From the source's ATT&CK mapping table: T1204.002, Malicious File, evidence: Fake game installers (Valorant, CS2), MSI payloads.

Persistence (2 techniques)

T1112 Modify Registry (evidence: 1)

From the source's ATT&CK mapping table: T1112, Modify Registry, evidence: Tsundere persistence via registry keys.

T1547.001 Registry Run Keys / Startup Folder (evidence: 3)

The Node.js script VfZUSQi6oerKau.js is used to establish persistence via the creation of a Run key.

Privilege Escalation (1 technique)

T1547.001 Registry Run Keys / Startup Folder (evidence: 3)

The Node.js script VfZUSQi6oerKau.js is used to establish persistence via the creation of a Run key.

Stealth (3 techniques)

T1027 Obfuscated Files or Information (evidence: 3)

The PowerShell loader will lead to execution of obfuscated Node.js payloads... Embedded within the PowerShell loader are AES-CBC/PKCS7 encrypted blobs.

T1140 Deobfuscate/Decode Files or Information (evidence: 1)

Embedded within the PowerShell loader are AES-CBC/PKCS7 encrypted blobs, which are decrypted and written to disk.

T1497.001 System Checks (evidence: 1)

From the source's ATT&CK mapping table: T1497.001, System Checks, evidence: Tsundere CIS locale check (avoids Russian systems).

Defense Impairment (1 technique)

T1112 Modify Registry (evidence: 1)

From the source's ATT&CK mapping table: T1112, Modify Registry, evidence: Tsundere persistence via registry keys.

Discovery (1 technique)

T1497.001 System Checks (evidence: 1)

From the source's ATT&CK mapping table: T1497.001, System Checks, evidence: Tsundere CIS locale check (avoids Russian systems).

Command and Control (5 techniques)

T1071 Application Layer Protocol (evidence: 1)

Tsundere Botnet Uncovered: Node.js Malware Uses Ethereum Smart Contract for Unkillable C2

T1071.001 Web Protocols (evidence: 2)

PersianC2 used standard HTTP polling... This bot communicates over WebSocket to retrieve commands.

T1102 Web Service (evidence: 1)

From the source's ATT&CK mapping table: T1102, Web Service, evidence: Ethereum blockchain for C2 resolution.

T1102.001 Dead Drop Resolver (evidence: 1)

This sample uses Ethereum smart contracts in order to retrieve the C2 servers... call the getString() function on the smart contract.

T1105 Ingress Tool Transfer (evidence: 1)

"use of rclone to access a Wasabi server"

Impact (1 technique)

T1498 Network Denial of Service (evidence: 1)

DDoS

INDICATORS OF COMPROMISE

IOCs tracked for this family

69 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network: 59 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes: 9 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Other: 1 tracked

Other indicator types observed in public reporting.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
IOC matching (69): Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution (2): Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities (1): CVEs this family uses for access and lateral movement.

Detection signatures: YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (17): Every documented technique, ranked by evidence weight.

Researcher chatter: Reddit, Mastodon, and CTI community discussion around this family.