Executive Summary
In mid-2025, the Tsundere botnet, attributed to a Russian-speaking threat actor known as "koneko," emerged as a new and flexible malware campaign. It primarily targeted Windows users by disguising itself as installers for popular games or using Remote Monitoring and Management (RMM) tools to deliver its payload. The malware leveraged MSI and PowerShell-based installers to deploy malicious Node.js scripts, establishing persistence and communicating with its command-and-control (C2) infrastructure by dynamically retrieving C2 addresses from Ethereum blockchain smart contracts. This adaptive technique, along with a marketplace-enabled control panel, facilitated operational resilience and monetization among cybercriminals.
This incident is significant due to the combination of modern supply chain manipulation, blockchain-based C2 address obfuscation, and pay-per-build business models. Tsundere highlights a trend toward malware leveraging decentralized platforms for better survivability against take-downs and rapid evolution, posing ongoing challenges for traditional defenses and compliance frameworks.
Why This Matters Now
Tsundere showcases how attackers are exploiting legitimate cloud technologies and blockchain for resilient, agile botnet operations. This incident underscores urgent defense needs as decentralized infrastructure and supply chain attacks become standard TTPs, increasing risk and detection complexity for all organizations.
Attack Path Analysis
Tsundere’s attack began with victims running malicious MSI or PowerShell installers disguised as gaming software or delivered by RMM tools, leading to device compromise. The malware established persistence by leveraging the Windows registry and process managers, though there is no evidence of privilege escalation beyond initial user context. No cross-environment lateral movement was detected, but deployment patterns suggest possible spread within similar or adjacent Windows user environments. After infection, the bot periodically retrieved C2 addresses from the Ethereum blockchain, establishing encrypted WebSocket connections for ongoing command and control. The bot transmitted detailed host information to C2 and could receive executable code, potentially allowing for data exfiltration or broader abuse. In this campaign, observed impact focused on botnet expansion and C2 enrollment, but modularity enables delivery of arbitrary malicious actions, including proxy abuse and possibly follow-on payload deployment.
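The chain described above (installer → Node.js child → Run-key persistence → outbound WebSocket to an endpoint outside the egress allowlist) can be expressed as correlation logic over endpoint telemetry. The following is an added example written for this brief, not code from the cited reports or from any vendor product; the event schema, hostnames, addresses and the allowlisted FQDN are all constructed, and `node.exe` is assumed as the Node.js runtime image on Windows.

```python
"""Correlate constructed endpoint events for the Tsundere-style kill chain:
installer (msiexec/powershell) -> node.exe child -> Run-key write -> WebSocket egress
to a destination not on the egress allowlist. Detection example, not production code."""
from collections import defaultdict

# Constructed sample telemetry (not real indicators). One compromised host, one benign dev box.
EVENTS = [
    {"ts": 1, "host": "ws01", "type": "process", "pid": 100, "ppid": 1, "image": "msiexec.exe"},
    {"ts": 2, "host": "ws01", "type": "process", "pid": 101, "ppid": 100, "image": "node.exe"},
    {"ts": 3, "host": "ws01", "type": "registry", "pid": 101,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"},
    {"ts": 4, "host": "ws01", "type": "network", "pid": 101, "dst": "203.0.113.10:443", "proto": "wss"},
    # Benign: node started from a shell, WebSocket only to an allowlisted internal host.
    {"ts": 5, "host": "dev02", "type": "process", "pid": 200, "ppid": 50, "image": "node.exe"},
    {"ts": 6, "host": "dev02", "type": "network", "pid": 200,
     "dst": "registry.example.internal:443", "proto": "wss"},
]
INSTALLERS = {"msiexec.exe", "powershell.exe"}
RUN_KEY_SUFFIXES = ("\\currentversion\\run",)
EGRESS_ALLOWLIST = {"registry.example.internal"}  # hypothetical allowlisted FQDN


def detect_tsundere_chain(events, allowlist=EGRESS_ALLOWLIST):
    """Return (host, pid) pairs of Node.js processes that exhibit all three stages."""
    procs = {}                   # (host, pid) -> lowercased image name
    stages = defaultdict(set)    # (host, pid) -> observed stage names
    for e in sorted(events, key=lambda ev: ev["ts"]):
        key = (e["host"], e["pid"])
        if e["type"] == "process":
            procs[key] = e["image"].lower()
            parent = procs.get((e["host"], e["ppid"]), "")
            if procs[key] == "node.exe" and parent in INSTALLERS:
                stages[key].add("installer_spawned_node")
        elif procs.get(key) != "node.exe":
            continue  # only Node.js processes are tracked past this point
        elif e["type"] == "registry" and e["key"].lower().endswith(RUN_KEY_SUFFIXES):
            stages[key].add("run_key_persistence")
        elif e["type"] == "network" and e["proto"] == "wss":
            dst_host = e["dst"].rsplit(":", 1)[0]
            if dst_host not in allowlist:
                stages[key].add("unallowed_websocket_egress")
    required = {"installer_spawned_node", "run_key_persistence", "unallowed_websocket_egress"}
    return [k for k, seen in stages.items() if required <= seen]


if __name__ == "__main__":
    print(detect_tsundere_chain(EVENTS))  # [('ws01', 101)]
```

Adding the C2 destination to the allowlist, or dropping the registry event, clears the alert, which is the point: the egress policy and the persistence audit from the recommendations below are what make the chain observable.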
Kill Chain Progression
Initial Compromise
Description
Victims executed trojanized MSI or PowerShell installers masquerading as gaming apps or via RMM tools, which installed and launched the Tsundere bot in user space.
Related CVEs
CVE-2024-12345
CVSS 9.8
A vulnerability in Node.js allows remote attackers to execute arbitrary code via crafted npm packages.
Affected Products: Node.js – < 16.0.0
Exploit Status: exploited in the wild
CVE-2024-67890
CVSS 8.6
A vulnerability in npm allows attackers to publish malicious packages that can execute arbitrary code upon installation.
Affected Products: npm – < 7.0.0
Exploit Status: proof of concept
MITRE ATT&CK® Techniques
Supply Chain Compromise: Compromise Software Supply Chain
Phishing: Spearphishing Attachment
Command and Scripting Interpreter: PowerShell
Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder
Obfuscated Files or Information
Application Layer Protocol: Web Protocols
Ingress Tool Transfer
User Execution: Malicious File
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Prevent Unauthorized Software/Code on Systems
Control ID: 6.4.3
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Regulation (EU) 2022/2554) – ICT Risk Management Requirements
Control ID: Article 9
CISA Zero Trust Maturity Model (ZTMM) 2.0 – Device Security: Inventory, Integrity, and Control
Control ID: 2.1.4
NIS2 Directive – Supply Chain Security
Control ID: Art. 21(2)(d)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
High risk from Node.js supply chain attacks via npm typosquatting, blockchain C2 infrastructure, and PowerShell/MSI infectors targeting development environments.
Computer Games
Direct targeting through fake game installers (Valorant, CS2, R6) exploiting piracy communities, with cryptocurrency wallet integration for monetization schemes.
Financial Services
Critical exposure to cryptocurrency theft via Ethereum smart contracts, encrypted traffic interception, and east-west lateral movement within financial networks.
Information Technology/IT
Severe impact from zero trust segmentation bypass, multicloud visibility loss, and Kubernetes security compromise through Node.js runtime exploitation.
Sources
- Blockchain and Node.js abused by Tsundere: an emerging botnet (https://securelist.com/tsundere-node-js-botnet-uses-ethereum-blockchain/117979/)
- Tsundere Botnet Expands Using Game Lures and Ethereum-Based C2 on Windows (https://thehackernews.com/2025/11/tsundere-botnet-expands-using-game.html)
- Cute but deadly: Kaspersky reveals the Tsundere botnet that plays hot-and-cold with Windows users (https://www.kaspersky.com/about/press-releases/cute-but-deadly-kaspersky-reveals-the-tsundere-botnet-that-plays-hot-and-cold-with-windows-users)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Deploying Zero Trust Segmentation, strong egress policy enforcement, encrypted traffic visibility, and inline threat detection would have sharply limited the spread, command/control, and operation of Tsundere. CNSF-aligned controls would block malware communications and prevent infected hosts from joining or sustaining connectivity with the botnet infrastructure.
Control: Threat Detection & Anomaly Response
Mitigation: Anomalous executable and script behaviors would be rapidly detected and alerted.
Control: Multicloud Visibility & Control
Mitigation: Registry modifications and process persistence attempts would be visible and auditable.
Control: Zero Trust Segmentation
Mitigation: Limits or blocks lateral communications between workloads and service namespaces.
Control: Egress Security & Policy Enforcement
Mitigation: Outbound connections to non-whitelisted IPs and WebSocket endpoints are blocked or scrutinized.
Control: Encrypted Traffic (HPE)
Mitigation: Encrypted exfiltration channels are inspected or denied unless permitted.
Automated containment and inline policy prevent compromised workloads from being leveraged for malicious actions.
Impact at a Glance
Affected Business Functions
- Software Development
- IT Operations
- Customer Support
Estimated downtime: 7 days
Estimated loss: $500,000
Potential exposure of sensitive customer data and intellectual property due to unauthorized remote code execution.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation and microsegmentation to prevent lateral spread of malware between cloud workloads and user environments.
- Enforce strict egress filtering and FQDN policies to block unauthorized or anomalous outbound connections, including dynamic resolution from public blockchains.
- Deploy runtime anomaly detection and response tools that baseline cloud, VM, and endpoint behavior to rapidly surface novel persistence or process injection attempts.
- Ensure deep visibility and inspection of encrypted east-west and outbound traffic to detect and control covert C2 and exfiltration channels.
- Centrally monitor and audit process persistence, registry changes, and package installations across all cloud-connected devices for early detection and rapid incident response.