Tsundere Botnet is a botnet first reported in mid-2025 that is delivered via an MSI installer or a PowerShell script. It leverages Node.js and JavaScript for payload delivery and execution, and uses smart contracts on the Ethereum blockchain to host its command and control (C2) addresses. Tsundere Botnet is attributed to a likely Russian-speaking threat actor.
A variant named DinDoor has been linked to MuddyWater operations and uses the Deno runtime for execution rather than Node.js. [1][2][3][4]

| Name | Description |
|---|---|
| DinDoor | Variant of Tsundere Botnet that uses the Deno runtime rather than Node.js and has been linked to MuddyWater operations. |

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Tsundere Botnet has obtained the WebSocket C2 address by making remote procedure call (RPC) API requests to Ethereum blockchain nodes.[4][3] |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Tsundere Botnet has created a value in the |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | Tsundere Botnet has been distributed via a PowerShell script.[4][3] |
| Enterprise | T1059.007 | Command and Scripting Interpreter: JavaScript | Tsundere Botnet has the ability to run JavaScript code received from the C2 server. Additionally, Tsundere Botnet has used Node.js to execute the JavaScript loader component.[4] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Tsundere Botnet’s loader has decrypted obfuscated JavaScript files using AES-256 in CBC mode with a build-specific key and initialization vector.[4][3] |
| Enterprise | T1480 | Execution Guardrails | Tsundere Botnet has checked the victim machine’s location to avoid infecting machines in the Commonwealth of Independent States (CIS) region.[4] |
| Enterprise | T1567.002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage | Tsundere Botnet’s variant DinDoor has used Rclone to access a Wasabi server.[1] |
| Enterprise | T1564.003 | Hide Artifacts: Hidden Window | Tsundere Botnet’s MSI installer has used |
| Enterprise | T1105 | Ingress Tool Transfer | Tsundere Botnet’s loader component has downloaded the archive node-v18.17.0-win-x64.zip from the official Node.js website, as well as pm2, a Node.js process management tool.[4] |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Resource Name or Location | Tsundere Botnet has disguised its MSI installer as a fake installer for popular games and software.[4] |
| Enterprise | T1027.010 | Obfuscated Files or Information: Command Obfuscation | Tsundere Botnet’s MSI installer has used Base64-encoded command execution.[4] |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | Tsundere Botnet’s loader contained AES-CBC/PKCS7 encrypted blobs, which were decrypted and written to disk.[3] |
| Enterprise | T1195.001 | Supply Chain Compromise: Compromise Software Dependencies and Development Tools | Tsundere Botnet has used the Node Package Manager (npm) to download malicious packages and to deliver the payload.[4] |
| Enterprise | T1218.007 | System Binary Proxy Execution: Msiexec | Tsundere Botnet has been distributed via an MSI installer.[4] |
| Enterprise | T1082 | System Information Discovery | Tsundere Botnet has collected the machine’s MAC address, total memory, GPU information, and other system information.[4] |
| Enterprise | T1614 | System Location Discovery | Tsundere Botnet has checked the victim machine’s location by obtaining the culture name of the machine.[4] |
| Enterprise | T1102.001 | Web Service: Dead Drop Resolver | Tsundere Botnet has obtained the C2 address from Ethereum blockchain nodes.[4][3] |

| ID | Name | References |
|---|---|---|
| G0069 | MuddyWater | |