Tsundere Bot and TA584: Emerging Threats in 2025‑2026

An in‑depth look at the Tsundere Bot platform, its TA584 operators, infection chain, C2 techniques, and mitigation steps for security teams in 2025‑2026.
28 January 2026 by TechStora Editorial Board

Overview

Tsundere Bot was first documented by Kaspersky in 2024 and linked to a Russian‑speaking operator associated with the 123 Stealer family. Proofpoint describes the platform as a full‑featured malware‑as‑a‑service (MaaS) that enables information gathering, data exfiltration, lateral movement, and the deployment of additional payloads.

Attack Chain

The current TA584 campaign follows a multi‑stage chain:

  • Hundreds of compromised, aged email accounts are used to send phishing messages via SendGrid and Amazon Simple Email Service (SES).
  • Each message contains a unique URL that is protected by geofencing and IP filtering.
  • The URL redirects through third‑party traffic direction systems (TDS) such as Keitaro.
  • Victims who pass the filters see a CAPTCHA page, then a “ClickFix” page that instructs them to run a PowerShell command.
  • The PowerShell command downloads an obfuscated script that loads either XWorm or Tsundere Bot into memory and finally redirects the browser to a benign site as a decoy.

Malware Capabilities

Tsundere Bot functions as both a backdoor and a loader. Key features include:

  • Node.js runtime requirement – the malware installs Node.js on the victim machine using installers generated from its C2 panel.
  • System profiling – gathers extensive system information for target selection.
  • Arbitrary JavaScript execution – commands received from C2 can run any JS code on the host.
  • SOCKS proxy support – infected machines can be turned into proxy relays.
  • Built‑in marketplace – bots are bought and sold directly through the platform.

Command‑and‑Control Infrastructure

The platform retrieves its C2 address from the Ethereum blockchain using a variant of the EtherHiding technique, with a hard‑coded fallback address as a backup. Communication with C2 servers occurs over WebSockets. The malware also includes a language check that aborts execution on systems using Commonwealth of Independent States (CIS) languages, primarily Russian.

Recent Activity & Trends (Late 2025)

TA584 activity surged in Q4 2025, tripling the volume seen in Q1 2025. The campaign expanded beyond North America, the UK, and Ireland to target Germany, other European nations, and Australia. Payload diversity continues, with observed use of Ursnif, LDR4, WarmCookie, Xeno RAT, Cobalt Strike, and DCRAT (still seen in 2025).

Mitigation Recommendations

Security teams should adopt a layered approach:

  • Implement DMARC, SPF, and DKIM enforcement to reduce the success of spoofed SendGrid/SES emails.
  • Deploy URL filtering and sandbox analysis for newly observed redirect chains, especially those using TDS services.
  • Block PowerShell execution of base64‑encoded or obfuscated scripts unless explicitly allowed.
  • Monitor network traffic for outbound WebSocket connections to unknown Ethereum‑derived domains.
  • Enforce endpoint detection that flags installation of Node.js in non‑standard locations.
  • Educate users about CAPTCHA‑driven phishing and the dangers of “run this command” prompts.
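The PowerShell and Node.js bullets above describe detections rather than show them. The following Python script is an added example (not from this article, Proofpoint, or Kaspersky) that runs both checks over process-creation events: it flags PowerShell launched with an encoded command or with common obfuscation markers, and node.exe executing from outside the standard install directories. The pipe-separated event format, hostnames, user names, paths and the encoded placeholder string are all constructed for the example; the list of "standard" Node.js directories is an assumption to be replaced with your own baseline, and the install-location rule is approximated here as an execution-location rule, since process events are what most EDR/Sysmon pipelines expose.

```python
"""Added detection example: flag encoded/obfuscated PowerShell and node.exe
running from non-standard locations, over constructed process-creation events."""
import base64
import re
from dataclasses import dataclass

# Assumption: where a sanctioned Node.js install lives on your fleet (lower-case).
STANDARD_NODE_DIRS = (
    "c:\\program files\\nodejs\\",
    "c:\\program files (x86)\\nodejs\\",
)

# Constructed sample: the encoded argument is a harmless placeholder, built at
# runtime so the base64 is exact (PowerShell -enc expects UTF-16LE base64).
_PLACEHOLDER = "Write-Output placeholder.invalid"
_ENCODED = base64.b64encode(_PLACEHOLDER.encode("utf-16-le")).decode("ascii")

# Constructed events: timestamp|host|user|image|command_line
SAMPLE_EVENTS = (
    "2026-01-28T09:12:01Z|WS-0412|jdoe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    f"|powershell.exe -nop -w hidden -enc {_ENCODED}\n"
    "2026-01-28T09:12:07Z|WS-0412|jdoe|C:\\Users\\jdoe\\AppData\\Roaming\\nodejs\\node.exe"
    "|node.exe C:\\Users\\jdoe\\AppData\\Roaming\\nodejs\\app.js\n"
    "2026-01-28T09:15:44Z|WS-0207|asmith|C:\\Program Files\\nodejs\\node.exe"
    "|node.exe C:\\dev\\webapp\\server.js\n"
    "2026-01-28T09:20:10Z|WS-0301|build|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|powershell.exe -File C:\\scripts\\backup.ps1\n"
)


@dataclass
class Event:
    ts: str
    host: str
    user: str
    image: str
    cmdline: str


@dataclass
class Finding:
    rule: str
    event: Event
    detail: str


def parse_events(text: str):
    """Parse the constructed pipe-separated format; skip malformed records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("|", 4)  # command line may itself contain '|'
        if len(parts) != 5:
            continue
        events.append(Event(*parts))
    return events


# -e, -ec, -en, -enc, -encodedcommand followed by a base64-looking token
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
OBF_MARKERS = ("[char]", "-join")  # crude string-building markers


def decode_encoded_command(b64: str) -> str:
    """Give analysts a preview of what an encoded command contains."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le", errors="replace")
    except Exception:
        return "<undecodable>"


def check_powershell(ev: Event):
    if not ev.image.lower().endswith(("powershell.exe", "pwsh.exe")):
        return None
    m = ENC_FLAG.search(ev.cmdline)
    if m:
        preview = decode_encoded_command(m.group(1))[:80]
        return Finding("powershell_encoded_command", ev, f"decoded preview: {preview!r}")
    lowered = ev.cmdline.lower()
    if ev.cmdline.count("`") >= 3 or any(mk in lowered for mk in OBF_MARKERS):
        return Finding("powershell_obfuscation_markers", ev, "backtick/[char]/-join markers present")
    return None


def check_node(ev: Event):
    img = ev.image.lower()
    if not img.endswith("\\node.exe"):
        return None
    if any(img.startswith(d) for d in STANDARD_NODE_DIRS):
        return None
    return Finding("node_nonstandard_location", ev, f"node.exe running from {ev.image}")


def detect(text: str):
    """Run every check over every event and return the findings in event order."""
    findings = []
    for ev in parse_events(text):
        for check in (check_powershell, check_node):
            f = check(ev)
            if f:
                findings.append(f)
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.event.ts} {f.event.host}/{f.event.user}: {f.detail}")
```

On the sample data the script raises two findings (the encoded PowerShell launch and node.exe under a user's AppData) and stays quiet on the scripted backup job and the Program Files Node.js install. The encoded-command rule is intentionally broad because the page's recommendation is to block such execution unless explicitly allowed; tune the allow-list by signed script path or user rather than by loosening the pattern.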