Tsundere Botnet Expands Using Game Lures and Ethereum-Based C2 on Windows
Cybersecurity researchers have warned of an actively expanding botnet dubbed Tsundere that's targeting Windows users. Active since mid-2025, the threat is designed to execute arbitrary JavaScript code retrieved from a command-and-control (C2) server, Kaspersky researcher Lisandro Ubiedo said in an analysis published today. There are currently no details on how the botnet malware is propagated;
AI Analysis
Technical Summary
Tsundere is a sophisticated botnet targeting Windows systems, active since mid-2025, that uses social engineering lures related to popular games such as Valorant, Rainbow Six Siege, and Counter-Strike 2 to entice victims, possibly focusing on users seeking pirated game versions. Infection vectors include MSI installers and PowerShell scripts that deploy Node.js on the compromised host. The malware installs legitimate Node.js libraries—ws (WebSocket client), ethers (Ethereum interaction), and pm2 (process manager)—to maintain persistence and enable dynamic execution of arbitrary JavaScript code fetched from a command-and-control (C2) server. Persistence is ensured by registry modifications that trigger the bot on system login. Uniquely, Tsundere leverages an Ethereum blockchain smart contract to store and rotate its WebSocket C2 server addresses, enhancing resilience against takedown efforts. The botnet’s control panel allows operators to build new malware artifacts, manage bots, use infected machines as proxies, and even sell botnets via a marketplace. The presence of Russian language in the code and operational restrictions against targeting Russia and CIS countries suggest a Russian-speaking threat actor. The botnet shares functional similarities with a malicious npm campaign and is linked to the 123 Stealer information stealer, indicating a broader criminal ecosystem. Although no active commands were observed during analysis, the bot’s ability to execute arbitrary JavaScript code makes it highly flexible and capable of evolving attack tactics.
Potential Impact
For European organizations, the Tsundere botnet poses significant risks including unauthorized remote code execution, potential data exfiltration, and use of infected machines as proxies for further malicious activities such as spam, DDoS attacks, or lateral movement within networks. The use of legitimate tools and libraries (Node.js, npm packages) complicates detection and mitigation. The Ethereum-based C2 infrastructure provides resilience, making takedown efforts more challenging and allowing attackers to maintain control over infected hosts. Organizations involved in gaming, software development, or with users likely to seek pirated game software are at elevated risk. The botnet’s ability to dynamically execute arbitrary JavaScript code means it can adapt quickly to evade defenses or deploy new payloads, increasing the potential impact on confidentiality, integrity, and availability of systems. Additionally, the botnet’s marketplace model lowers the barrier for other threat actors to leverage the infected infrastructure, potentially increasing attack volume and diversity. The medium severity rating reflects the current lack of observed active exploitation commands but acknowledges the botnet’s high flexibility and persistence capabilities.
Mitigation Recommendations
European organizations should implement targeted detection strategies focusing on unusual Node.js and npm activity, including monitoring for installation of ws, ethers, and pm2 packages on endpoints. Endpoint detection and response (EDR) tools should be tuned to detect persistence mechanisms involving registry modifications related to pm2 and PowerShell scripts deploying Node.js. Network monitoring should include inspection of WebSocket traffic and connections to suspicious IP addresses, especially those linked to Ethereum blockchain queries or known C2 servers. User education campaigns should warn against downloading pirated games or software, emphasizing risks of MSI installers from untrusted sources. Organizations should restrict execution of unsigned MSI installers and PowerShell scripts through application whitelisting and execution policies. Incident response plans should include procedures for identifying and remediating Node.js-based malware and for monitoring Ethereum blockchain activity related to C2 infrastructure. Collaboration with ISPs and law enforcement to track and disrupt Ethereum smart contract usage for malicious purposes may also be beneficial. Finally, organizations should maintain up-to-date threat intelligence feeds to detect emerging variants or related campaigns.
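As an added example, not code from The Hacker News article or from Kaspersky's analysis, the following PowerShell triage script checks a single Windows host for the three indicators the recommendations above name: autorun registry values that launch Node.js or pm2 at logon, node_modules trees that contain ws, ethers and pm2 together, and running node.exe processes whose command line references pm2. The Run key paths, the search roots and the regular expressions are assumptions of this example; the analysis only says that registry modifications trigger the bot on login and does not name the key.

```powershell
# Added triage example (not from the article or Kaspersky's report).
# Looks for three host-side signs described in the advisory:
#   1. autorun registry values that start node.exe / pm2 at logon
#   2. node_modules directories holding ws, ethers and pm2 together
#   3. node.exe processes whose command line mentions pm2
# Registry locations and search roots below are assumptions, not values from the advisory.

$findings = @()

# 1. Autorun values. Assumed locations: the classic per-user and per-machine Run keys.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$autorunPattern = '(?i)\bnode(\.exe)?\b|\bpm2\b|\.js\b'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-ItemProperty -Path $key
    foreach ($prop in $item.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PowerShell provider metadata (PSPath etc.)
        $value = [string]$prop.Value
        if ($value -match $autorunPattern) {
            $findings += [pscustomobject]@{
                Indicator = 'Autorun'
                Location  = "$key\$($prop.Name)"
                Detail    = $value
            }
        }
    }
}

# 2. node_modules trees containing all three packages. Assumed search roots: user profiles and ProgramData.
$searchRoots = @('C:\Users', 'C:\ProgramData')
$required = @('ws', 'ethers', 'pm2')
foreach ($root in $searchRoots) {
    if (-not (Test-Path $root)) { continue }
    $nodeModuleDirs = Get-ChildItem -Path $root -Directory -Recurse -Filter 'node_modules' -ErrorAction SilentlyContinue
    foreach ($dir in $nodeModuleDirs) {
        $nm = $dir.FullName
        $present = @($required | Where-Object { Test-Path (Join-Path $nm $_) })
        if ($present.Count -eq $required.Count) {
            $findings += [pscustomobject]@{
                Indicator = 'NpmPackages'
                Location  = $nm
                Detail    = ($present -join ', ')
            }
        }
    }
}

# 3. Running node.exe processes that reference pm2 (pm2 itself is a Node.js program).
$nodeProcs = Get-CimInstance -ClassName Win32_Process -Filter "Name = 'node.exe'"
foreach ($p in $nodeProcs) {
    if ([string]$p.CommandLine -match '(?i)pm2') {
        $findings += [pscustomobject]@{
            Indicator = 'Process'
            Location  = "PID $($p.ProcessId)"
            Detail    = $p.CommandLine
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Node.js/pm2 autorun, package or process indicators found on this host.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Run it from an elevated prompt so that HKLM and other users' profiles are readable. The node_modules check will fire on any developer workstation that legitimately uses these packages, so treat the output as triage input rather than a verdict: the strong combination is a pm2-managed node.exe started from a Run key under an account that does no Node.js development, which is the persistence pattern the advisory describes.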
Affected Countries
Germany, France, United Kingdom, Poland, Netherlands, Italy, Spain, Sweden, Czech Republic, Belgium
Technical Details
- Article Source: https://thehackernews.com/2025/11/tsundere-botnet-expands-using-game.html (fetched 2025-11-21T01:09:42Z, 1313 words)
Threat ID: 691fbbd770da09562fa0094c
Added to database: 11/21/2025, 1:09:43 AM
Last enriched: 11/21/2025, 1:10:15 AM
Last updated: 11/21/2025, 3:19:04 PM