{"description": "Enterprise techniques used by Tsundere Botnet, ATT&CK software S9034 (v1.0)", "name": "Tsundere Botnet (S9034)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[Tsundere Botnet](https://attack.mitre.org/software/S9034) has obtained the WebSocket C2 address by making remote procedure call (RPC) APIs to Ethereum blockchain nodes.(Citation: SecureListUbiedo_Tsundere_Nov2025)(Citation: CAL_MuddyWater_Mar2026)  ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1547", "showSubtechniques": true}, {"techniqueID": "T1547.001", "comment": "[Tsundere Botnet](https://attack.mitre.org/software/S9034) has created a value in the `HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run` Registry key, ensuring that it is run at login.(Citation: SecureListUbiedo_Tsundere_Nov2025)(Citation: CAL_MuddyWater_Mar2026) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.001", "comment": "[Tsundere Botnet](https://attack.mitre.org/software/S9034) has been distributed via a PowerShell script.(Citation: SecureListUbiedo_Tsundere_Nov2025)(Citation: CAL_MuddyWater_Mar2026)  ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.007", "comment": "[Tsundere Botnet](https://attack.mitre.org/software/S9034) has the ability to run JavaScript code from the C2 server. Additionally, [Tsundere Botnet](https://attack.mitre.org/software/S9034) has used Node.js to execute JavaScript code for the loader component.(Citation: SecureListUbiedo_Tsundere_Nov2025) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1140", "comment": "[Tsundere Botnet](https://attack.mitre.org/software/S9034)\u2019s loader has decrypted obfuscated JavaScript files using the AES-256 CBC algorithm, a build-specific key, and initialization vector.(Citation: SecureListUbiedo_Tsundere_Nov2025)(Citation: CAL_MuddyWater_Mar2026)   ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1480", "comment": "[Tsundere Botnet](https://attack.mitre.org/software/S9034) has checked the victim machine\u2019s location to avoid infecting in the Commonwealth of Independent States (CIS) region.(Citation: SecureListUbiedo_Tsundere_Nov2025) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1567", "showSubtechniques": true}, {"techniqueID": "T1567.002", "comment": "[Tsundere Botnet](https://attack.mitre.org/software/S9034)\u2019s variant DinDoor has used [Rclone](https://attack.mitre.org/software/S1040) to access a Wasabi server.(Citation: Checkpoint_MOISCyberCrime_Mar2026) \n\n ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1564", "showSubtechniques": true}, {"techniqueID": "T1564.003", "comment": "[Tsundere Botnet](https://attack.mitre.org/software/S9034)\u2019s MSI installer has used `-WindowStyle Hidden` to hide [Tsundere Botnet](https://attack.mitre.org/software/S9034)\u2019s execution from the user.(Citation: SecureListUbiedo_Tsundere_Nov2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[Tsundere Botnet](https://attack.mitre.org/software/S9034)\u2019s loader component has downloaded the zip file node-v18.17.0-win-x64.zip from the official Node.js website, as well as pm2, a Node.js process management tool.(Citation: SecureListUbiedo_Tsundere_Nov2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1036", "showSubtechniques": true}, {"techniqueID": "T1036.005", "comment": "[Tsundere Botnet](https://attack.mitre.org/software/S9034) has disguised its MSI installer as a fake installer for popular games and software.(Citation: SecureListUbiedo_Tsundere_Nov2025) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.010", "comment": "[Tsundere Botnet](https://attack.mitre.org/software/S9034)\u2019s MSI installer has Base64-encoded command execution.(Citation: SecureListUbiedo_Tsundere_Nov2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027.013", "comment": "[Tsundere Botnet](https://attack.mitre.org/software/S9034)\u2019s loader contained AES-CBC/PKCS7 encrypted blobs, which were descrypted and written to disk.(Citation: CAL_MuddyWater_Mar2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1195", "showSubtechniques": true}, {"techniqueID": "T1195.001", "comment": "[Tsundere Botnet](https://attack.mitre.org/software/S9034) has used the Node Package Manager (npm) to download malicious packages and to deliver the payload.(Citation: SecureListUbiedo_Tsundere_Nov2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1218", "showSubtechniques": true}, {"techniqueID": "T1218.007", "comment": "[Tsundere Botnet](https://attack.mitre.org/software/S9034) has been distributed via an MSI installer.(Citation: SecureListUbiedo_Tsundere_Nov2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1082", "comment": "[Tsundere Botnet](https://attack.mitre.org/software/S9034) has collected the machine\u2019s MAC address, total memory, GPU information and other system information.(Citation: SecureListUbiedo_Tsundere_Nov2025) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1614", "comment": "[Tsundere Botnet](https://attack.mitre.org/software/S9034) has checked the victim machine\u2019s location by obtaining the culture name of the machine.(Citation: SecureListUbiedo_Tsundere_Nov2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1102", "showSubtechniques": true}, {"techniqueID": "T1102.001", "comment": "[Tsundere Botnet](https://attack.mitre.org/software/S9034) has obtained the C2 address from Ethereum blockchain nodes.(Citation: SecureListUbiedo_Tsundere_Nov2025)(Citation: CAL_MuddyWater_Mar2026)  ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Tsundere Botnet", "color": "#66b1ff"}]}