Tsundere is a cross-platform botnet that abuses the Node.js packaging ecosystem and Ethereum smart contracts to distribute and control its malware. Kaspersky GReAT researchers documented it in 2025, but its activity dates back to October 2024, when the operators published 287 typosquatted npm packages that mimicked popular libraries, so that developers who mistyped a dependency name installed the malicious package instead. Tsundere also uses other infection vectors, including Remote Monitoring and Management (RMM) tooling and trojanised game installers aimed at gamers, particularly fans of first-person shooter titles.
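The 287 typosquatted packages work because a one-character slip in a dependency name resolves to an attacker-controlled package. The following added example (not code from the article, from Kaspersky, or from the Tsundere operators) is a small check a defender can run over a manifest's dependency names: it flags names that are within a short edit distance of a popular package but are not that package. The list of "popular" names and the sample manifest are constructed for illustration; in practice the list would come from your own allow-list or the top npm downloads.

```javascript
// Added example: look-alike (typosquat) detection over npm dependency names.
// POPULAR is a constructed allow-list; a real deployment would load a larger one.
const POPULAR = ["express", "lodash", "axios", "chalk", "commander", "react", "debug", "moment"];

// Optimal-string-alignment (restricted Damerau-Levenshtein) distance: counts
// insertions, deletions, substitutions and adjacent transpositions, so that
// "lodahs" is one edit away from "lodash".
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1); // adjacent transposition
      }
    }
  }
  return d[a.length][b.length];
}

// Strip an npm scope ("@scope/name" -> "name") so scoped look-alikes are caught too.
function bareName(name) {
  return name.startsWith("@") ? (name.split("/")[1] || name) : name;
}

// Returns [{ dependency, lookalikeOf, distance }] for every dependency that is
// not itself on the popular list but is within maxDistance edits of a name on it.
// Short names get a tighter threshold to limit false positives ("ws" vs "wsx").
function findTyposquats(dependencies, popular = POPULAR, maxDistance = 2) {
  const popularSet = new Set(popular);
  const hits = [];
  for (const dep of Object.keys(dependencies)) {
    const name = bareName(dep).toLowerCase();
    if (popularSet.has(name)) continue;
    const limit = name.length <= 4 ? 1 : maxDistance;
    for (const p of popular) {
      const distance = editDistance(name, p);
      if (distance <= limit) {
        hits.push({ dependency: dep, lookalikeOf: p, distance });
        break;
      }
    }
  }
  return hits;
}

// Constructed sample manifest: three legitimate packages and three look-alikes.
const SAMPLE_DEPENDENCIES = {
  express: "^4.19.2",
  lodash: "^4.17.21",
  axios: "^1.7.2",
  lodahs: "1.0.0",        // transposed letters
  expres: "2.0.1",        // dropped letter
  "@acme/axois": "0.0.3", // scoped package with transposed letters
};

for (const hit of findTyposquats(SAMPLE_DEPENDENCIES)) {
  console.log(`${hit.dependency} looks like ${hit.lookalikeOf} (distance ${hit.distance})`);
}
```

Run it against the `dependencies` and `devDependencies` objects of a `package.json` (or the package names in a lockfile) before `npm install`, and treat every hit as something to verify by hand on the registry. Edit distance alone will not catch look-alikes that use a different spelling convention or an added word, so it complements, rather than replaces, an allow-list of approved packages.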
The command-and-control (C2) design is what sets Tsundere apart. Instead of a hard-coded C2 server or domain, the bot retrieves its current C2 address from an Ethereum smart contract. Because the operators can update the contract's contents at any time, the C2 address can be rotated without touching the infected hosts, and seizing or blocking a single server or domain does not disable the botnet, which makes conventional takedowns far less effective. On the endpoint, Tsundere is delivered as both MSI installers and PowerShell scripts that plant malicious Node.js files alongside legitimate ones, and it sets up persistence so that the bot components are reinstated after a reboot. Commands are exchanged over encrypted channels, which limits what network-based detection can see. For defenders, the unusual element is the dependency on public Ethereum JSON-RPC endpoints: a Node.js process on a developer or gaming workstation querying such endpoints is a useful hunting signal even when the C2 traffic itself is encrypted.
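The article does not describe how Tsundere's contract is laid out, so the following is an added example rather than the botnet's own code or Kaspersky's analysis. It assumes the simplest form such a blockchain dead drop can take: a read-only `eth_call` to a contract getter that returns a single ABI-encoded `string` holding the C2 address. The decoder shows what an analyst needs to turn a captured JSON-RPC response back into the address; the encoder exists only to build the constructed sample response (the placeholder address `https://c2.example/gate` is made up).

```javascript
// Added example: decode an ABI-encoded `string` return value of the kind an
// eth_call to a contract getter produces. Layout (Solidity ABI, dynamic type):
//   word 0: byte offset of the string's length word (0x20 for a single return)
//   word 1: string length in bytes
//   word 2+: UTF-8 bytes, right-padded with zeros to a 32-byte boundary
function abiEncodeString(s) {
  const data = Buffer.from(s, "utf8");
  const offset = Buffer.alloc(32); offset.writeUInt32BE(32, 28);
  const length = Buffer.alloc(32); length.writeUInt32BE(data.length, 28);
  const padded = Buffer.alloc(Math.ceil(data.length / 32) * 32); data.copy(padded);
  return "0x" + Buffer.concat([offset, length, padded]).toString("hex");
}

function abiDecodeString(hex) {
  const buf = Buffer.from(hex.replace(/^0x/, ""), "hex");
  if (buf.length < 64) throw new Error("payload too short for an ABI-encoded string");
  const offset = Number(BigInt("0x" + buf.subarray(0, 32).toString("hex")));
  if (offset + 32 > buf.length) throw new Error("offset points outside payload");
  const length = Number(BigInt("0x" + buf.subarray(offset, offset + 32).toString("hex")));
  const start = offset + 32;
  if (start + length > buf.length) throw new Error("declared length exceeds payload");
  return buf.subarray(start, start + length).toString("utf8");
}

// Pull the C2 address out of a full JSON-RPC eth_call response body.
function extractC2FromRpcResponse(json) {
  const msg = JSON.parse(json);
  if (msg.error) throw new Error(`RPC error: ${msg.error.message}`);
  if (typeof msg.result !== "string") throw new Error("missing result field");
  return abiDecodeString(msg.result);
}

// Constructed sample: what a node would return for a getter that yields the
// placeholder address "https://c2.example/gate". Not captured from real traffic.
const SAMPLE_RESPONSE = JSON.stringify({
  jsonrpc: "2.0",
  id: 1,
  result: abiEncodeString("https://c2.example/gate"),
});

console.log(extractC2FromRpcResponse(SAMPLE_RESPONSE));
```

When triaging a capture, the request side is the better indicator: an `eth_call` whose `to` field is a contract you have never seen from a process that has no business talking to a blockchain node. The decoder then tells you where the bot was being pointed, which is the artefact worth blocking, since the contract itself will simply be updated to a new address.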
👉 Read the original: Cyber Security News