Tsundere Botnet Expands Using Game Lures and Ethereum-Based C2 on Windows
Briefly

"Active since mid-2025, the threat is designed to execute arbitrary JavaScript code retrieved from a command-and-control (C2) server, Kaspersky researcher Lisandro Ubiedo said in an analysis published today. There are currently no details on how the botnet malware is propagated; however, in at least one case, the threat actors behind the operation are said to have leveraged a legitimate Remote Monitoring and Management (RMM) tool as a conduit to download an MSI installer file from a compromised site."
"Regardless of the method used, the fake MSI installer is designed to install Node.js and launch a loader script that's responsible for decrypting and executing the main botnet-related payload. It also prepares the environment by downloading three legitimate libraries, namely, ws, ethers, and pm2, using an "npm install" command. "The pm2 package is installed to ensure the Tsundere bot remains active and used to launch the bot,""
"Kaspersky's analysis of the C2 panel has revealed that the malware is also propagated in the form of a PowerShell script, which performs a similar sequence of actions by deploying Node.js on the compromised host and downloading ws and ethers as dependencies. While the PowerShell infector doesn't make use of pm2, it carries out the same actions observed in the MSI installer by creating a registry key value that ensures the bot is executed on each login by spawning a new"
Tsundere is an actively expanding Windows-targeting botnet that executes arbitrary JavaScript fetched from a command-and-control server. Distribution methods are unclear, though a compromised RMM tool and fake MSI installers carrying game-related lure names (Valorant, r6x, cs2) have been observed. The MSI installs Node.js, runs a loader that decrypts and executes the main payload, and uses npm to install ws, ethers, and pm2. The pm2 package keeps the bot running, and persistence is established through registry entries that relaunch the bot on each login. A PowerShell variant also deploys Node.js and the ws and ethers dependencies and creates the same registry persistence without using pm2.
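The summary above describes a persistence pattern worth hunting for: a registry Run value that launches Node.js (directly or through pm2) against a dropped loader script whose npm dependencies are ws and ethers. The Python below is an added triage example, not code from Kaspersky's analysis or The Hacker News; the Run-key values, file paths, and package.json are constructed samples, and the heuristics (node/pm2 as launcher, script under a user-writable directory, the ws+ethers+pm2 dependency set) are assumptions derived from the summary rather than published indicators.

```python
"""Triage Windows Run-key autorun values for Node.js/pm2-based persistence.

Added example; sample registry values and package.json below are constructed
and are not real indicators of compromise.
"""
import re

# Interpreters and process managers named in the described infection chain.
NODE_LAUNCHERS = {"node.exe", "node", "pm2", "pm2.cmd", "pm2.exe"}
# Shell wrappers that may be used to indirectly start node/pm2 from a Run value.
SHELL_WRAPPERS = {"cmd.exe", "cmd", "powershell.exe", "powershell", "pwsh.exe", "pwsh"}
# User-writable locations where a dropped loader script typically lives (assumption).
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\[^\\]+\\Downloads)\\", re.I)
# npm packages the summary says the bot installs; ws together with ethers is the signal.
BOT_PACKAGES = {"ws", "ethers", "pm2"}

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def split_cmdline(cmd: str) -> list[str]:
    """Minimal Windows command-line tokenizer that honours double quotes only."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmd)]


def basename(path: str) -> str:
    """Lower-cased final path component, accepting either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_run_entry(name: str, command: str) -> list[str]:
    """Return reasons an autorun value looks like Node-based bot persistence (empty list = clean)."""
    reasons: list[str] = []
    tokens = split_cmdline(command)
    if not tokens:
        return reasons
    exe, args = basename(tokens[0]), tokens[1:]

    # Case 1: the value launches node or pm2 directly.
    launcher = exe if exe in NODE_LAUNCHERS else None
    # Case 2: a cmd/powershell wrapper whose arguments eventually call node or pm2.
    if launcher is None and exe in SHELL_WRAPPERS:
        launcher = next((basename(t) for t in args if basename(t) in NODE_LAUNCHERS), None)
    if launcher is None:
        return reasons

    reasons.append(f"autorun '{name}' invokes {launcher}")
    script = next((t for t in args if t.lower().endswith((".js", ".cjs", ".mjs"))), None)
    if script and USER_WRITABLE.search(script):
        reasons.append(f"script in user-writable path: {script}")
    if launcher.startswith("pm2"):
        reasons.append("pm2 process manager used as a persistence wrapper")
    return reasons


def scan_run_entries(entries: dict[str, str]) -> dict[str, list[str]]:
    """Map each flagged Run value name to the reasons it was flagged."""
    return {n: r for n, c in entries.items() if (r := classify_run_entry(n, c))}


def dependency_overlap(package_json: dict) -> set[str]:
    """Which of the bot-associated npm packages a dropped package.json declares."""
    deps = set(package_json.get("dependencies", {})) | set(package_json.get("devDependencies", {}))
    return deps & BOT_PACKAGES


# Constructed sample data: four HKCU\...\Run values and one dropped package.json.
SAMPLE_RUN_KEY = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "SecurityHealth": r"%windir%\system32\SecurityHealthSystray.exe",
    "GameUpdater": r'"C:\Program Files\nodejs\node.exe" "C:\Users\alice\AppData\Roaming\game-updater\loader.js"',
    "npm-runtime": r'cmd.exe /c "C:\Users\alice\AppData\Roaming\npm\pm2.cmd" resurrect',
}
SAMPLE_PACKAGE_JSON = {
    "name": "loader",
    "dependencies": {"ws": "^8.0.0", "ethers": "^6.0.0", "pm2": "^5.0.0"},
}

if __name__ == "__main__":
    for value_name, reasons in scan_run_entries(SAMPLE_RUN_KEY).items():
        print(value_name, "->", "; ".join(reasons))
    print("bot-associated packages:", sorted(dependency_overlap(SAMPLE_PACKAGE_JSON)))
```

On a live host the same functions can be fed the output of `winreg` enumeration of the HKCU and HKLM Run keys and the package.json files found next to any flagged script; the two legitimate sample values pass through untouched, while the node.exe and pm2 launches from AppData are reported with the reason for each flag.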
Read at The Hacker News