Tsundere botnet panel login | Image: Kaspersky
Kaspersky’s Global Research & Analysis Team (GReAT) has identified a fast-growing new botnet—dubbed Tsundere—that blends Node.js implants, blockchain-based C2 retrieval, fake game installers, and a fully functional cybercrime marketplace into one rapidly evolving ecosystem. The botnet first appeared in mid-2025 and has already amassed a steady pool of active infections, with indications linking it to a known Russian-speaking threat actor.
The group behind it previously operated large-scale supply-chain attacks on npm, distributing 287 malicious Node.js packages mimicking Puppeteer, Bignum.js, and crypto libraries—an operation documented in October 2024.
Kaspersky reports that Tsundere is spread using a mix of Remote Monitoring and Management (RMM) abuse and fraudulent game installers. These lures target the massive piracy community surrounding first-person shooters.
The threat actor distributes implants in two formats, both automatically generated by the botnet’s backend:
1. MSI Installer (Fake Game Setup)
The MSI version bundles:
- Obfuscated JavaScript loaders
- Decryption keys (AES-256-CBC)
- Hidden Node.js executables
- Dynamically generated malicious scripts
The installer uses a Windows Installer custom action to spawn a hidden Node.js process.
Kaspersky writes, “This will execute Node.js code that spawns a new Node.js process… The resulting child process runs in the background, remaining hidden from the user.”
2. PowerShell Infector
More compact and fileless in spirit, this version:
- Downloads Node.js directly from nodejs.org
- Decrypts two large hex-encoded payloads
- Installs malicious packages using npm
- Achieves persistence via registry Run keys
According to the report, “The infector runs both scripts… starting with the persistence script that is followed by the bot script.”
Whether delivered via MSI or PowerShell, Tsundere reconstructs a full Node.js environment on the victim machine.
It installs:
- ws (WebSocket)
- ethers (Web3 library)
- pm2 (process manager for persistence)
The inclusion of pm2 ensures persistence: “pm2 helps achieve persistence on the system by writing to the registry and configuring itself to restart the process upon login.”
One of the most innovative aspects of Tsundere is how it retrieves its command-and-control address.
The bot queries a smart contract on Ethereum:
- Contract: 0xa1b40044EBc2794f207D45143Bd82a1B86156c6b
- Wallet: 0x73625B6cdFECC81A4899D221C732E1f73e504a32
The botnet operator updates a 24-byte string stored in the contract variable param1 by calling its setString() method. That string encodes the WebSocket C2 address; as the report puts it: “When this string is converted… it reveals the new WebSocket C2 server address: ws[:]//185.28.119[.]179:1234.”
This technique ensures C2 resilience: blockchain data cannot be removed once published. The bot cycles through multiple RPC providers to fetch updates, making takedowns extremely difficult.
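An added example, not code from Kaspersky's report or the botnet: an analyst who wants to track C2 rotations can read the contract's stored value directly and decode it, rather than trusting the bot's own logic. It assumes the value is returned the way a public Solidity string getter returns it (ABI-encoded as offset, length, padded bytes); the hex sample is constructed here and points at a documentation-range IP, not the real server.

```python
import re
from typing import Optional, Tuple

def abi_decode_string(hex_data: str) -> str:
    """Decode a single ABI-encoded `string` return value.

    Layout in 32-byte words: [offset][length][data padded to a 32-byte boundary].
    Raises ValueError on truncated or inconsistent input instead of guessing.
    """
    raw = bytes.fromhex(hex_data[2:] if hex_data.startswith("0x") else hex_data)
    if len(raw) < 64:
        raise ValueError("too short for an ABI-encoded string")
    offset = int.from_bytes(raw[:32], "big")
    if offset + 32 > len(raw):
        raise ValueError("offset points past end of data")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(raw):
        raise ValueError("declared length exceeds available data")
    return raw[start:start + length].decode("utf-8")

# Only accept a bare ws:// or wss:// endpoint with an IPv4 host and a port.
WS_URL = re.compile(r"^wss?://(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")

def extract_c2(hex_data: str) -> Optional[Tuple[str, int]]:
    """Return (host, port) if the decoded string is a WebSocket endpoint, else None."""
    try:
        value = abi_decode_string(hex_data)
    except (ValueError, UnicodeDecodeError):
        return None
    m = WS_URL.match(value)
    if not m:
        return None
    host, port = m.group(1), int(m.group(2))
    if not 1 <= port <= 65535 or any(int(o) > 255 for o in host.split(".")):
        return None
    return host, port

def abi_encode_string(s: str) -> str:
    """Build the constructed sample using the same layout the decoder expects."""
    data = s.encode("utf-8")
    padded = data + b"\x00" * (-len(data) % 32)
    head = (32).to_bytes(32, "big") + len(data).to_bytes(32, "big")
    return "0x" + (head + padded).hex()

# Constructed sample (hypothetical value): a 24-byte string like the one the report
# describes, but pointing at a documentation-range address rather than the real C2.
SAMPLE_RETURN = abi_encode_string("ws://198.51.100.23:44444")

if __name__ == "__main__":
    print(extract_c2(SAMPLE_RETURN))  # ('198.51.100.23', 44444)
```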
The bot’s communication flow is illustrated in the diagram below, showing the handshake and the AES-encrypted message loop.

Kaspersky describes the process: “An AES key is transmitted… the server then sends an IV… Encryption is required for all subsequent communication.”
The bot collects OS details—MAC address, GPU, RAM, locale—and generates a UUID, then sends it to the server.
Perhaps the most dangerous feature is remote code execution via JavaScript.
“When the C2 server sends a message with ID=1… the message is evaluated as a new function and then executed […] The result is sent back to the server… encrypted for secure communication.”
This means the botnet operator can:
- Exfiltrate data
- Install additional malware
- Execute arbitrary Node.js code
- Turn bots into proxies
- Launch credential theft modules
Tsundere features an openly accessible botnet control panel named Tsundere Netto v2.4.4—with open registration.
Anyone can sign up and gain access to:
- Bots dashboard
- Build system (MSI or PowerShell)
- Marketplace selling bots and add-ons
- Monero wallet integration
- SOCKS proxy leasing
Kaspersky writes, “The most interesting aspect… is that it allows users to promote their individual bots and offer services to other threat actors.”
At any given time, 90–115 bots are actively connected.
The investigation ties Tsundere to a previously known Russian-speaking threat actor. More importantly, the same server hosts the 123 Stealer panel—an infamous C++ stealer sold for $120/month. The actor “koneko” previously advertised malware on dark web forums under the title “node malware senior.”