Kaspersky flags expanding ‘Tsundere’ botnet that uses Ethereum to host C2 details

Cybersecurity researchers have reported a growing botnet named Tsundere that targets Windows systems and has been active since mid-2025. Kaspersky researcher Lisandro Ubiedo said in an analysis published today that the threat is designed to execute arbitrary JavaScript code retrieved from a command-and-control server.

Investigators have not identified a single definitive propagation vector. In at least one instance the operators used a legitimate remote monitoring and management tool to download a fake MSI installer from a compromised site. The MSI is built to install Node.js, run a loader script that decrypts and executes the main payload, and pull dependencies via an npm install command: ws (a WebSocket client/server library), ethers (an Ethereum client library) and pm2 (a Node.js process manager). Kaspersky reported that pm2 is used to launch the bot and help maintain persistence.

Kaspersky’s analysis also found a PowerShell variant that deploys Node.js and fetches ws and ethers as dependencies; that variant does not use pm2 but similarly creates registry entries to ensure execution at login. The malware fetches WebSocket C2 server details from the Ethereum blockchain through a smart contract, the report said. Storing the rendezvous data on a public chain lets the operators rotate infrastructure by updating the contract rather than redeploying bots, and the on-chain record cannot be seized or sinkholed the way a conventional C2 domain can.

When a C2 address is retrieved the code validates it as a WebSocket URL and attempts to establish a connection, after which it can receive JavaScript commands from the server. Kaspersky said it did not observe any follow-up commands during its observation period, but noted that the ability to evaluate code gives operators flexibility to adapt the bot to a range of tasks.
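The resolution flow described in the two paragraphs above, as an added example (not code from Kaspersky's report or from the botnet itself): a contract call returns ABI-encoded data, the bot decodes it, and only a value that parses as a ws:// or wss:// URL is accepted as a C2 address. Everything here is an assumption for illustration: that the contract returns a single ABI-encoded `string`, the constructed return blob, the `c2.example` host, and the function names. Real bot code would obtain the hex return data from an RPC call (for instance ethers' `provider.call`); this example decodes it by hand so it runs offline.

```javascript
// Added example, not the original page's or the malware's code.
// Assumed contract shape: a view function returning one ABI-encoded `string`.

// Decode an ABI-encoded single `string` return value as produced by eth_call.
// Layout: 32-byte offset to the data, 32-byte byte length, UTF-8 bytes padded to 32.
function decodeAbiString(hexReturnData) {
  const hex = hexReturnData.startsWith('0x') ? hexReturnData.slice(2) : hexReturnData;
  if (hex.length % 64 !== 0) throw new Error('return data is not 32-byte aligned');
  const buf = Buffer.from(hex, 'hex');
  if (buf.length < 32) throw new Error('return data too short for an offset word');
  const offset = Number(BigInt('0x' + buf.subarray(0, 32).toString('hex')));
  if (offset + 32 > buf.length) throw new Error('offset points outside return data');
  const length = Number(BigInt('0x' + buf.subarray(offset, offset + 32).toString('hex')));
  const start = offset + 32;
  if (start + length > buf.length) throw new Error('string length exceeds return data');
  return buf.subarray(start, start + length).toString('utf8');
}

// The URL check: accept only ws:// or wss:// with a host; anything else is rejected.
function parseWebSocketUrl(candidate) {
  let url;
  try { url = new URL(candidate); } catch { return null; }
  if (url.protocol !== 'ws:' && url.protocol !== 'wss:') return null;
  if (!url.hostname) return null;
  return url.href;
}

// Encode a string the way a Solidity `string` return value is encoded,
// used here only to construct offline sample data.
function encodeAbiString(s) {
  const data = Buffer.from(s, 'utf8');
  const padLen = Math.ceil(data.length / 32) * 32;
  const out = Buffer.alloc(64 + padLen);          // zero-filled
  out.writeUInt32BE(32, 28);                      // word 0: offset = 0x20
  out.writeUInt32BE(data.length, 60);             // word 1: byte length
  data.copy(out, 64);                             // data, zero-padded
  return '0x' + out.toString('hex');
}

// Constructed sample (hypothetical host): what a contract holding a C2 URL would return.
const SAMPLE_RETURN = encodeAbiString('wss://c2.example/ws');

// Full flow: decode the on-chain value, then apply the WebSocket URL check.
// Returns the URL to connect to, or null if the stored value is not usable.
function resolveC2(returnData) {
  return parseWebSocketUrl(decodeAbiString(returnData));
}

console.log(resolveC2(SAMPLE_RETURN));
```

For a defender the useful observation is the inverse of this code: the bot's network footprint is an outbound JSON-RPC call to an Ethereum node followed by a WebSocket connection to whatever host the chain currently names, so detection has to key on that sequence from a Node.js process rather than on any fixed C2 address.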

The operation is supported by a control panel that can build MSI or PowerShell artifacts, manage administrative functions, display bot counts, convert infected hosts into proxies and operate a marketplace where botnets can be bought. The same server has been linked to the C2 panel used by a subscription information stealer advertised under the name 123 Stealer, a connection highlighted by Outpost24’s KrakenLabs Team.

Attribution remains uncertain. The presence of Russian-language logging in the source code and a published rule forbidding attacks on Russia and CIS countries point to a Russian-speaking operator, Kaspersky said. Researchers warned that because infections arrive as MSI and PowerShell files, the implant can be disguised as a legitimate installer, distributed via phishing, or chained with other attack mechanisms.