<h1>Cute but deadly: Kaspersky reveals the Tsundere botnet that plays hot-and-cold with Windows users</h1>
<p>Published 2025-11-24 on <a href="https://www.technologyforyou.org/cute-but-deadly-kaspersky-reveals-the-tsundere-botnet-that-plays-hot-and-cold-with-windows-users/">technologyforyou.org</a> (Technology Industry News).</p>
<p class="ArticleBody_date__rpGhG"><strong>Kaspersky Global Research and Analysis Team (GReAT) has discovered a new botnet, created in July 2025 by a resurfaced threat actor. To lure victims, the attacker uses an MSI installer disguised as a fake setup for popular games, particularly shooters such as ‘Valorant’, ‘CS2’ or ‘R6x’, as well as other software. The botnet is still expanding and poses an active threat to Windows users; Kaspersky has already detected it in Mexico, Chile, Russia and Kazakhstan.</strong></p>
<div class="ArticleBody_articleContainer__Sz0LX">
<div class="ArticleBody_articleBody__gN8bN">
<div class="ArticleBody_content__tiVdv ArticleBody_withContentAbove__RyYxL">
<p>The Tsundere botnet follows an increasingly popular approach: it stores its command-and-control (C2) addresses in a Web3 smart contract, which makes its infrastructure considerably harder to take down. Its C2 panel supports two distribution formats, an MSI installer and a PowerShell script, with the implants generated automatically. These implants install a bot that persistently executes JavaScript code received dynamically from the C2 over an encrypted WebSocket channel, which gives the threat actor arbitrary code execution on the infected host.</p>
<p>To manage infections and update C2 locations, the Tsundere botnet relies on fixed references on the Ethereum blockchain: a designated wallet and a contract. Changing the C2 server requires only a single transaction that overwrites the contract’s state variable with a new address, so bots that read the variable obtain the new server without the implant itself being changed. The botnet’s ecosystem also includes an integrated marketplace and a control panel, both reachable through the same interface.</p>
<p>The analysis assesses with high confidence that the threat actor behind the Tsundere botnet is Russian-speaking, based on the Russian-language strings found in the code, which is consistent with earlier attacks linked to the same actor. The research also points to a connection between the Tsundere botnet and the 123 Stealer created by ‘koneko’, which is offered on an underground forum for $120 per month.</p>
<p><img decoding="async" src="https://content.kaspersky-labs.com/fm/press-releases/92/92bca56182836831daa2455cc93e6ce5/processed/picture1-q93.png" alt="Russian language being used throughout the Tsundere botnet code" /></p>
<p><em>Russian language being used throughout the Tsundere botnet code</em></p>
<p>“Tsundere demonstrates how quickly cybercriminals adapt: it represents a renewed effort by a presumably identified threat actor to revamp their toolset. By shifting to Web3 mechanisms, its infrastructure becomes far more flexible and resilient. We’re already seeing active distribution through fake game installers and links to previously observed malicious activity, so further development of this botnet is highly likely,” says Lisandro Ubiedo, senior security expert at Kaspersky’s Global Research and Analysis Team. For more details and indicators of compromise, see the article on <a href="https://securelist.com/tsundere-node-js-botnet-uses-ethereum-blockchain/117979/" target="_blank" rel="noopener">Securelist.com</a>.</p>
</div>
</div>
</div>