A sophisticated new botnet, dubbed “Tsundere,” is posing a significant threat by leveraging popular Node.js packages and cryptocurrency technologies to distribute malware across Windows, Linux, and macOS. First identified by Kaspersky GReAT researchers around mid-2025, Tsundere represents an alarming evolution in supply chain attacks.
The cyber threat emerged from activity observed in October 2024 when attackers released over 280 malicious npm packages. These packages mimicked legitimate libraries like Puppeteer and Bignum.js through typosquatting, aiming to trick developers into unwitting installations. The botnet’s distribution methods have since expanded, utilizing Remote Monitoring and Management (RMM) tools and disguised installers for pirated games, specifically targeting gaming communities with names like “valorant” and “cs2.” This approach effectively bypasses traditional security awareness training as users expect to install such applications.
How Tsundere Maintains Persistence Through Node.js Abuse
The Tsundere botnet’s persistence mechanisms are intricately linked to its abuse of legitimate Node.js functionalities. The infection process often begins with a malicious MSI installer or PowerShell script executed on the victim’s system. This initial payload drops legitimate Node.js runtime files into the user’s AppData folder, alongside malicious JavaScript code.
A hidden PowerShell command then launches a Node.js process that executes obfuscated loader code. This loader decrypts the main bot payload, which is stored encrypted with AES-256-CBC. Following decryption, the bot establishes its operational environment and automatically installs three npm packages it depends on: `ws` for WebSocket communication, `ethers` for interacting with the Ethereum blockchain, and `pm2` for process management and persistence.
The `pm2` package is instrumental in ensuring the bot remains active on compromised machines. It creates registry entries that automatically restart the bot whenever a user logs into their system, thereby achieving persistent presence.
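The persistence chain described above (PowerShell launching a Node.js runtime dropped under AppData, the bot installing `ws`, `ethers` and `pm2`, and a logon-time registry entry pointing back at that runtime) can be turned into endpoint detection logic. The following is an added example written for this article, not code from the Kaspersky report; the event records, user name and file paths are constructed, and the field names (`parent`, `image`, `cmdline`, `key`, `value`) are an assumed sensor schema.

```python
import re

# Constructed sample telemetry (not taken from the report), shaped like
# process-creation and registry-set events from an endpoint sensor.
SAMPLE_EVENTS = [
    {"type": "process",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Users\alice\AppData\Roaming\nodejs\node.exe",
     "cmdline": r"node.exe C:\Users\alice\AppData\Roaming\nodejs\loader.js"},
    {"type": "process",
     "parent": r"C:\Users\alice\AppData\Roaming\nodejs\node.exe",
     "image": r"C:\Users\alice\AppData\Roaming\nodejs\npm.cmd",
     "cmdline": "npm install ws ethers pm2"},
    {"type": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\pm2",
     "value": r"C:\Users\alice\AppData\Roaming\nodejs\node.exe pm2 resurrect"},
    {"type": "process",  # benign developer activity, must not fire
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\nodejs\node.exe",
     "cmdline": "npm install express"},
]

APPDATA = re.compile(r"\\AppData\\", re.IGNORECASE)
NODE_IMAGE = re.compile(r"\\node(\.exe)?$", re.IGNORECASE)
POWERSHELL = re.compile(r"\\(powershell|pwsh)\.exe$", re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
NPM_INSTALL = re.compile(r"\bnpm(\.cmd)?\s+(i|install|add)\b(.*)", re.IGNORECASE)
BOT_DEPS = {"ws", "ethers", "pm2"}  # the three packages the bot pulls in

def node_in_appdata_from_powershell(ev):
    """Node.js runtime executing out of a user profile, spawned by PowerShell."""
    return bool(ev["type"] == "process" and NODE_IMAGE.search(ev["image"])
                and APPDATA.search(ev["image"]) and POWERSHELL.search(ev["parent"]))

def installs_bot_dependencies(ev):
    """One npm install that pulls in ws, ethers and pm2 together."""
    if ev["type"] != "process":
        return False
    m = NPM_INSTALL.search(ev["cmdline"])
    if not m:
        return False
    pkgs = {p.split("@")[0].lower() for p in m.group(3).split() if not p.startswith("-")}
    return BOT_DEPS <= pkgs

def run_key_points_to_appdata_node(ev):
    """Logon-time Run entry whose command is a Node.js binary under AppData."""
    return bool(ev["type"] == "registry" and RUN_KEY.search(ev["key"])
                and APPDATA.search(ev["value"])
                and re.search(r"\\node(\.exe)?\b", ev["value"], re.IGNORECASE))

RULES = {f.__name__: f for f in (node_in_appdata_from_powershell,
                                 installs_bot_dependencies,
                                 run_key_points_to_appdata_node)}

def scan(events):
    """Return (event index, rule name) pairs for every rule that fires."""
    return [(i, name) for i, ev in enumerate(events)
            for name, rule in RULES.items() if rule(ev)]
```

Each rule alone is noisy on developer workstations; correlating all three on one host within a short window is what separates this chain from ordinary Node.js use.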
Additionally, Tsundere’s command-and-control (C2) infrastructure is remarkably resilient. Instead of relying on traditional centralized servers, the botnet embeds C2 addresses within smart contracts on the Ethereum blockchain. The bot queries Ethereum blockchain nodes through public RPC providers to retrieve the current C2 server address from a smart contract variable.
This blockchain-based approach makes traditional IP address blocking ineffective, as the attackers can easily rotate their C2 infrastructure by updating variables in the smart contract through blockchain transactions. Once a connection is established, the bot engages in encrypted communication and is ready to receive commands from its operators. These commands are typically delivered as dynamic JavaScript code, allowing for flexible and rapid execution of malicious actions.
Beyond npm packages, the botnet’s distribution has expanded to include RMM tools and disguised installers, often found within communities sharing pirated video games. Samples have been observed with names aligning to popular first-person shooter titles, such as “valorant,” “cs2,” and “r6x.” This strategy effectively capitalizes on user expectations and reduces suspicion.
While the initial campaign highlighted risks across Windows, Linux, and macOS through npm package deployment, current analysis indicates a particular threat to Windows users. However, the cross-platform nature of Node.js means other operating systems remain vulnerable through various infection vectors.
The threat actor behind Tsundere, identified as “koneko,” is described by Securelist security analysts as a Russian-speaking operative. Koneko appears to operate a professional marketplace where other cybercriminals can purchase botnet services or deploy their own custom functionalities. This suggests a well-established, organized criminal enterprise.
The botnet panel supports both MSI installer and PowerShell script delivery mechanisms, providing attackers with considerable flexibility in their deployment strategies across diverse network environments and defensive measures. This adaptability is a key factor in Tsundere’s evolving threat profile.
The researchers noted that the threat actor has resurfaced with enhanced capabilities, positioning Tsundere as an evolution of previous malware efforts. The investigation revealed connections between the current campaign and earlier supply chain attacks, indicating a consistent and developing TTP set for this group.
Looking ahead, cybersecurity professionals will be closely monitoring further developments in the Tsundere botnet’s evolution. The continued reliance on sophisticated supply chain attacks, combined with the novel use of blockchain for C2 infrastructure, suggests that defenders will need to develop more advanced detection and mitigation strategies to counter this emerging threat.