C2 stored in Ethereum smart contract input data | Image: TRE
Cybersecurity investigators at eSentire’s Threat Response Unit (TRU) have uncovered an overlap between two major threat ecosystems. According to a new report, the Iranian state-sponsored group Muddy Water has been caught deploying the Tsundere botnet, a piece of malware suspected to be a Russian-made “Malware-as-a-Service” (MaaS) offering.
The Tsundere botnet is far from a standard criminal tool. One of its most distinctive features is the use of “EtherHiding,” a technique that leverages the Ethereum blockchain to conceal its command-and-control (C2) infrastructure. The bot retrieves its server addresses from data stored in smart contracts; because data written to the blockchain cannot be removed, defenders cannot permanently take down the channel through which the botnet learns where its C2 servers are.
As the researchers at TRU explained:
“Tsundere is a botnet that enables arbitrary command execution on victim machines and uses a technique called ‘EtherHiding’ to retrieve C2 servers stored in smart contracts on the Ethereum blockchain.”
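To make the technique concrete for analysts, here is an added example (not code from TRU’s report or from the malware) that decodes an ABI-encoded `string` argument out of the input data of an Ethereum transaction, which is where an EtherHiding-style C2 address would be recovered from during analysis. The function selector `0xdeadbeef` and the URL are constructed placeholders.

```python
"""Recover string arguments from Ethereum transaction calldata (added example).

Solidity ABI-encodes a dynamic `string` argument as:
  4-byte selector | 32-byte offset into the tail | 32-byte length | data padded to 32 bytes
An analyst reviewing the transaction that wrote a C2 address into a contract
can decode it with nothing more than the raw input data.
"""
from typing import List

# Constructed placeholders, not values from the report.
PLACEHOLDER_SELECTOR = bytes.fromhex("deadbeef")
PLACEHOLDER_URL = "http://c2.example.invalid/gate"


def abi_encode_string(selector: bytes, value: str) -> bytes:
    """Encode one dynamic string argument the way the Solidity ABI does."""
    data = value.encode("utf-8")
    padded = data + b"\x00" * ((32 - len(data) % 32) % 32)
    return selector + (32).to_bytes(32, "big") + len(data).to_bytes(32, "big") + padded


def abi_decode_strings(calldata: bytes) -> List[str]:
    """Return every well-formed, printable dynamic string argument in calldata.

    Head words are scanned up to the offset of the first dynamic argument;
    each head word that is a valid tail offset is followed to its (length, bytes)
    pair. Malformed offsets or lengths are skipped instead of raising, since
    analysts often feed in partial or unrelated transactions.
    """
    body = calldata[4:]
    if len(body) < 32 or len(body) % 32:
        return []
    words = [body[i:i + 32] for i in range(0, len(body), 32)]
    first = int.from_bytes(words[0], "big")
    n_head = first // 32 if 0 < first <= len(body) and first % 32 == 0 else 1
    found: List[str] = []
    for word in words[:n_head]:
        off = int.from_bytes(word, "big")
        if off % 32 or off + 32 > len(body):
            continue
        length = int.from_bytes(body[off:off + 32], "big")
        start = off + 32
        if start + length > len(body):
            continue
        try:
            text = body[start:start + length].decode("utf-8")
        except UnicodeDecodeError:
            continue
        if text and text.isprintable():
            found.append(text)
    return found


def decode_input_hex(input_hex: str) -> List[str]:
    """Convenience wrapper for the `0x...` input field as shown by block explorers."""
    return abi_decode_strings(bytes.fromhex(input_hex.removeprefix("0x")))
```

Running `decode_input_hex("0x" + abi_encode_string(PLACEHOLDER_SELECTOR, PLACEHOLDER_URL).hex())` returns the placeholder URL; feeding it calldata with only static arguments returns an empty list.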
The analysis strongly supports the theory that Tsundere originated within the Russian cybercriminal ecosystem. TRU identified specific logic within the malware that checks the location of the infected host. If the device is found to be within a Commonwealth of Independent States (CIS) country—including Ukraine—the malware immediately terminates its execution.
This code is a classic hallmark of Russian-origin malware, designed to avoid local law enforcement scrutiny.
The investigation also revealed surprising similarities between the tools used by different global powers. TRU noted that the JavaScript obfuscation used in the Tsundere persistence module is nearly identical to techniques used by North Korean APT actors, specifically those linked to the DEV#POPPER and OmniStealer campaigns.
“Muddy Water’s deployment of Tsundere demonstrates they are leveraging MaaS offerings, even those developed by Russian threat actors, to achieve their operational objectives.”
The use of botnets for state-level espionage means that “standard” malware infections can now carry the weight of a national security threat.