The Tsundere botnet uses the Ethereum blockchain to locate its C2 servers

Nov. 21, 2025, 9:36 a.m.

Description

The Tsundere botnet, discovered in mid-2025, is an active threat targeting Windows users. Its implant runs on Node.js and, instead of hard-coding command-and-control (C2) addresses, reads them from a smart contract on the Ethereum blockchain. The botnet spreads through MSI installers and PowerShell scripts, often disguised as popular games. Traffic to the C2 server is encrypted with AES-256 in CBC mode, and the bot executes arbitrary JavaScript code pushed to it dynamically by the C2 server. The operation includes a marketplace and control panel through which customers can build and sell customized bots. It is attributed to a Russian-speaking actor known as 'koneko', is linked to the 123 Stealer, and represents an evolution of earlier attacks. Keeping the C2 address in a smart contract makes the botnet more resilient to takedown: the operator can repoint every bot by updating the contract's state, the bots can read that state through any public Ethereum RPC endpoint, and a contract cannot be sinkholed or seized the way a domain or server can.
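
The description says the bots fetch their C2 address from the blockchain but not how an analyst recovers it from traffic. The usual mechanism behind this technique is an `eth_call` JSON-RPC request to a public Ethereum node that returns the contract's current value as an ABI-encoded `string`. The helper below is an added example for analysts, not code from this page, from the researchers who documented Tsundere, or from the botnet itself: it pairs captured JSON-RPC requests with their responses by `id`, decodes the string every `eth_call` returned, and checks the host part against the IPv4 indicators listed on this page. It assumes the contract returns a single ABI `string` (the common pattern for this technique; the page does not state the contract's return type). The contract address, function selector and the capture lines are constructed placeholders.

```python
import json
from urllib.parse import urlparse

# IPv4 indicators listed on this page.
TSUNDERE_IPS = {
    "193.24.123.68", "62.60.226.179", "185.28.119.179",
    "103.246.145.201", "196.251.72.192",
}


def decode_abi_string(result_hex):
    """Decode an eth_call result whose return type is a single ABI `string`.
    Layout: a 32-byte offset, a 32-byte length, then UTF-8 data zero-padded
    to a 32-byte boundary. Returns None for anything that does not fit."""
    if not isinstance(result_hex, str) or not result_hex.startswith("0x"):
        return None
    try:
        data = bytes.fromhex(result_hex[2:])
    except ValueError:
        return None
    if len(data) < 64 or len(data) % 32:
        return None
    offset = int.from_bytes(data[:32], "big")
    if offset + 32 > len(data):
        return None
    length = int.from_bytes(data[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(data):
        return None
    try:
        return data[start:start + length].decode("utf-8")
    except UnicodeDecodeError:
        return None


def encode_abi_string(text):
    """Inverse of decode_abi_string; used here only to build sample data."""
    raw = text.encode("utf-8")
    padded = raw + b"\x00" * (-len(raw) % 32)
    return ("0x" + (32).to_bytes(32, "big").hex()
            + len(raw).to_bytes(32, "big").hex() + padded.hex())


def extract_contract_strings(lines):
    """Pair JSON-RPC requests with responses by id and decode the string
    returned by every eth_call. Returns a list of (contract, decoded)."""
    pending = {}
    hits = []
    for line in lines:
        try:
            msg = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not isinstance(msg, dict):
            continue  # batch arrays are not handled in this example
        if "method" in msg:
            pending[msg.get("id")] = msg
        elif "result" in msg and msg.get("id") in pending:
            req = pending.pop(msg["id"])
            if req.get("method") != "eth_call" or not req.get("params"):
                continue
            to = req["params"][0].get("to", "?")
            decoded = decode_abi_string(msg["result"])
            if decoded is not None:
                hits.append((to, decoded))
    return hits


def match_iocs(hits, ioc_ips=TSUNDERE_IPS):
    """Return the hits whose host part is one of the listed IP indicators.
    Accepts bare hosts, host:port and full URLs."""
    matched = []
    for to, value in hits:
        try:
            host = urlparse(value if "://" in value else "//" + value).hostname
        except ValueError:
            continue
        if host in ioc_ips:
            matched.append((to, value))
    return matched


# Constructed sample capture: Ethereum JSON-RPC messages as a proxy might log
# them, one JSON object per line. Contract address and selector are
# placeholders, not values observed in the campaign.
CONTRACT = "0x1111111111111111111111111111111111111111"
# eth_call return value for the string "203.0.113.7", hand-encoded.
SAMPLE_RESULT = ("0x" + "00" * 31 + "20"                 # offset of string data: 32
                 + "00" * 31 + "0b"                      # length: 11 bytes
                 + "3230332e302e3131332e37" + "00" * 21)  # "203.0.113.7" + padding
CAPTURE = [
    json.dumps({"jsonrpc": "2.0", "id": 7, "method": "eth_call",
                "params": [{"to": CONTRACT, "data": "0xdeadbeef"}, "latest"]}),
    json.dumps({"jsonrpc": "2.0", "id": 7, "result": SAMPLE_RESULT}),
    json.dumps({"jsonrpc": "2.0", "id": 8, "method": "eth_blockNumber", "params": []}),
    json.dumps({"jsonrpc": "2.0", "id": 8, "result": "0x12d687"}),
    # Second call, constructed to exercise the IOC match: the page lists this
    # IP as an indicator but does not state that the contract returns it.
    json.dumps({"jsonrpc": "2.0", "id": 9, "method": "eth_call",
                "params": [{"to": CONTRACT, "data": "0xdeadbeef"}, "latest"]}),
    json.dumps({"jsonrpc": "2.0", "id": 9,
                "result": encode_abi_string("http://193.24.123.68:8080")}),
]

if __name__ == "__main__":
    hits = extract_contract_strings(CAPTURE)
    for to, value in hits:
        print(f"{to} -> {value!r}")
    print("IOC matches:", match_iocs(hits))
```

Run it against a real capture by feeding the proxy's JSON-RPC lines to `extract_contract_strings`; the request/response pairing matters because the response alone carries no method name, and the decoder returns None rather than raising so that non-string returns (block numbers, balances) pass through silently.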

Date

  • Created: Nov. 20, 2025, 10:12 p.m.
  • Published: Nov. 20, 2025, 10:12 p.m.
  • Modified: Nov. 21, 2025, 9:36 a.m.

Indicators

SHA-256 file hashes:
  • e970bda7434968969d6e1bf90d4ffb77becefb181a1763276106d8f9bae8ddc3
  • e7c6904f65ff69c54d59ca058b196049b97b24f7a9fac4542f7fac427155ed2a
  • c6e6c0306035241154bb0199497e59d8c98afbf1bc7bc4e0b5eb52909826ff59
  • afe75f474363a7a50282babdc3e00035848c94c2d8019011568adc476bfb005f
  • 9e5eb972fbde91f7b01d2bdd3794cce12257a27087ee0baa645b703f18fb9583
  • 80cb42a7a6cea0a74824b0d6917ff49ed80eeeea5cc363cdde025ad3013d9e3f
  • 67e894471bd87e48e8a3d5b272134b21975bbf47448b8fa0d4d26ab7944c1f8b
  • 4d21e0d5754e5c9e34598f0afb0efb118f8d2cf48b0299477d5d5384053925a9
  • 3ec6e84dc710bc6c3ff31bb0345c6c3cf2be45cb7b14a69162a71f491136e796
  • 2de16fea5af78d5f1fdb8039efd7fb319d8e233cea8b4c20ea1f13ad380aea1d
  • 2d994b6d56622095a0a5e24481aff9f5aa0fefceb731aa2e3456fcaed34915bc
  • 1f715a97657a547e9eb55878bb0b946c3a2d43b6d467ca60e816853d4d727828
  • 15cb2ef46cbccdf5344d46d58d9260b0c60f898afe9b6cc1881f1b1f2faf27f6
  • 0c552941479737a055ecf8e5e7a33b83eace569f7c9be282c1d7b0a932632f82
  • 0b6f7eb2f6a60e7912068c4e066f41d5088855e9a350d871ebc5b2b487972e08
  • 024982c7b27f1472856d1c1d9dffb33c7604b1aaecf168061ac62797dce8f297

IPv4 addresses:
  • 193.24.123.68
  • 62.60.226.179
  • 185.28.119.179
  • 103.246.145.201
  • 196.251.72.192

Attack Patterns