Cybersecurity Threats Emerge as New Botnet Targets Windows Users
Full Transcript
Cybersecurity researchers have raised alarms about a newly emerging botnet known as Tsundere, which is specifically targeting Windows users. According to an analysis by Kaspersky researcher Lisandro Ubiedo, the Tsundere Botnet has been active since mid-2025 and utilizes game-related lures to attract victims.
This botnet is designed to execute arbitrary JavaScript code retrieved from a command-and-control (C2) server. While the malware's exact propagation method has not been fully established, the researchers suggest that the threat actors may be abusing legitimate Remote Monitoring and Management (RMM) tools to download the malicious files.
The malware artifacts associated with this botnet have names reminiscent of popular games like Valorant, Rainbow Six Siege, and Counter-Strike 2, indicating that users searching for pirated versions of these games may be at risk.
The fake MSI installer used in these attacks is engineered to install Node.js and launch a loader script that decrypts and executes the main botnet payload. The botnet can also deploy a PowerShell script that mirrors the actions of the MSI installer, ensuring that the bot remains persistent on the compromised system.
The Tsundere botnet employs an Ethereum-based command-and-control system: it reads the details of its WebSocket C2 server from the blockchain, which allows the operators to rotate infrastructure by updating a smart contract.
This mechanism, established on September 23, 2024, has already seen multiple transactions. Kaspersky's analysis highlights that this botnet's architecture enables flexibility, allowing for a range of actions from its administrators.
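The infection chain described above (an MSI installer or a PowerShell script launching Node.js to run a loader) gives defenders a process-lineage pattern to hunt for. The following is an added example, not code from Kaspersky's analysis or from the botnet; it walks constructed process-creation telemetry (the field names `pid`, `ppid`, `image` and `cmd` are assumptions, simplified from Sysmon-style events) and flags any `node.exe` whose recent ancestry includes an installer or PowerShell host.

```python
"""Hunt process-creation telemetry for a Tsundere-style chain:
msiexec.exe or powershell.exe launching node.exe to run a loader script."""

# Constructed sample events (simplified Sysmon-like shape; not real telemetry).
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe",   "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "msiexec.exe",    "cmd": "msiexec.exe /i Valorant_Setup.msi /qn"},
    {"pid": 300, "ppid": 200, "image": "node.exe",       "cmd": "node.exe loader.js"},
    {"pid": 400, "ppid": 100, "image": "powershell.exe", "cmd": "powershell.exe -w hidden -f persist.ps1"},
    {"pid": 500, "ppid": 400, "image": "node.exe",       "cmd": "node.exe loader.js"},
    {"pid": 600, "ppid": 100, "image": "code.exe",       "cmd": "code.exe"},   # benign: editor
    {"pid": 700, "ppid": 600, "image": "node.exe",       "cmd": "node.exe server.js"},
]

# Parents that should rarely spawn a Node.js runtime on an end-user workstation.
SUSPICIOUS_PARENTS = {"msiexec.exe", "powershell.exe", "pwsh.exe"}


def ancestry(events, pid):
    """Return image names from pid up to the root, nearest process first."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:   # 'seen' guards against pid reuse loops
        seen.add(pid)
        chain.append(by_pid[pid]["image"].lower())
        pid = by_pid[pid]["ppid"]
    return chain


def find_node_loader_chains(events, max_depth=3):
    """Flag node.exe whose ancestors within max_depth hops include a suspicious parent."""
    hits = []
    for e in events:
        if e["image"].lower() != "node.exe":
            continue
        chain = ancestry(events, e["pid"])
        parents = chain[1:1 + max_depth]          # skip node.exe itself
        trigger = next((p for p in parents if p in SUSPICIOUS_PARENTS), None)
        if trigger:
            hits.append({"pid": e["pid"], "via": trigger,
                         "chain": " <- ".join(chain), "cmd": e["cmd"]})
    return hits


if __name__ == "__main__":
    for h in find_node_loader_chains(EVENTS):
        print(f"[!] pid {h['pid']} node.exe via {h['via']}: {h['chain']} :: {h['cmd']}")
```

Developer workstations legitimately run Node.js under editors and terminals, so the lineage filter (rather than the mere presence of node.exe) is what keeps this hunt usable; tune `SUSPICIOUS_PARENTS` and `max_depth` to your environment.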
The control panel associated with Tsundere allows users to manage various functions, including creating new malware artifacts, turning bots into proxies for routing malicious traffic, and even purchasing botnets from a marketplace.
While the identity of the actors behind Tsundere remains unclear, the presence of Russian language elements in the source code suggests a Russian-speaking threat actor may be involved. This operation shows similarities to a malicious npm campaign documented by other cybersecurity firms, indicating a broader trend in cyber threats targeting Windows users.
As cyber threats evolve, the emergence of the Tsundere botnet underscores the importance of vigilance and proactive security measures among Windows users, especially those who may be tempted by game-related downloads.
The dynamic nature of these threats highlights the need for robust cybersecurity strategies to mitigate risks associated with advanced botnet operations.