Tsundere botnet expanding on Windows
Malware Activity
Summary
Hide ▲
Show ▼
The Tsundere botnet is actively expanding against Windows users, and its operators can make infected systems run arbitrary JavaScript from a command-and-control server. That matters because the malware combines persistence, remote execution, and flexible infrastructure rotation to keep infected hosts useful over time. The operation also uses game-themed lures and installer/script-based delivery to reach victims.
Related Happenings
QuimaRAT cross-platform Java MaaS remote access trojan
Malware Activity
H score29
First: 06.07.2026 11:13
Last: 06.07.2026 11:13
Sources 1
About this happening:
A new **QuimaRAT** **MaaS** offering expands cross-platform malware risk by packaging a modular **Java-based RAT** for **Windows, Linux, and macOS**. The activity matters because...
QuimaRAT cross-platform Java MaaS remote access trojan
Malware ActivityAbout this happening: A new **QuimaRAT** **MaaS** offering expands cross-platform malware risk by packaging a modular **Java-based RAT** for **Windows, Linux, and macOS**. The activity matters because...
Silent Swap browser-extension crypto-theft campaign
Campaign
H score36
First: 30.06.2026 18:40
Last: 30.06.2026 18:40
Sources 1
About this happening:
The **Silent Swap** campaign is replacing copied cryptocurrency wallet addresses with attacker-controlled ones, creating a risk of permanent financial loss for **crypto users**. I...
Silent Swap browser-extension crypto-theft campaign
CampaignAbout this happening: The **Silent Swap** campaign is replacing copied cryptocurrency wallet addresses with attacker-controlled ones, creating a risk of permanent financial loss for **crypto users**. I...
Malicious npm packages delivering Windows RAT
Malware Activity
H score3
First: 23.06.2026 11:54
Last: 23.06.2026 11:54
Sources 1
About this happening:
A set of **malicious npm packages** is delivering a **Windows-based RAT** through a **multi-stage install chain**, creating risk of **credential theft**, **host profiling**, and *...
Malicious npm packages delivering Windows RAT
Malware ActivityAbout this happening: A set of **malicious npm packages** is delivering a **Windows-based RAT** through a **multi-stage install chain**, creating risk of **credential theft**, **host profiling**, and *...
Microsoft AutoGen Studio AutoJack MCP WebSocket command execution security flaw
Vulnerability
H score33
First: 22.06.2026 20:28
Last: 22.06.2026 20:28
Sources 1
About this happening:
Microsoft’s **AutoJack** chain exposed **AutoGen Studio** to **arbitrary command execution** for developers building from the main GitHub branch before the hardening commit.
Microsoft AutoGen Studio AutoJack MCP WebSocket command execution security flaw
VulnerabilityAbout this happening: Microsoft’s **AutoJack** chain exposed **AutoGen Studio** to **arbitrary command execution** for developers building from the main GitHub branch before the hardening commit.
Easy-day-js malware delivery through poisoned Mastra packages
Malware Activity
H score29
First: 22.06.2026 14:30
Last: 22.06.2026 14:30
Sources 1
About this happening:
A poisoned **Mastra** package chain delivered **malware** through **easy-day-js**, creating compromise risk across **Windows, MacOS and Linux** systems. The payload disabled **TLS...
Easy-day-js malware delivery through poisoned Mastra packages
Malware ActivityAbout this happening: A poisoned **Mastra** package chain delivered **malware** through **easy-day-js**, creating compromise risk across **Windows, MacOS and Linux** systems. The payload disabled **TLS...
Timeline
-
20.11.2025 18:57 1 articles · 7mo ago
Ethereum smart contract used for Tsundere C2 resolution
Technical Analysis UpdateA smart contract created on September 23, 2024 is used by Tsundere to fetch WebSocket C2 details, including ws://193.24.123[.]68:3011 and ws://185.28.119[.]179:1234, so the operators can rotate infrastructure by changing the contract-backed pointer.
Show sources
- Tsundere Botnet Expands Using Game Lures and Ethereum-Based C2 on Windows — thehackernews.com — 20.11.2025 18:57
-
20.11.2025 18:57 2 articles · 7mo ago
Kaspersky warns of expanding Tsundere botnet on Windows
Initial DisclosureKaspersky warned on November 20, 2025 that Tsundere is actively expanding against Windows users and can execute arbitrary JavaScript retrieved from C2 after infection paths that include fake MSI installers, PowerShell scripts, Node.js, ws, ethers, and pm2; the analysis also noted registry-based persistence, game-themed lures, Russian-language logging code, and a server linked to 123 Stealer.
Show sources
- Tsundere Botnet Expands Using Game Lures and Ethereum-Based C2 on Windows — thehackernews.com — 20.11.2025 18:57
- Tsundere Botnet Expands Using Game Lures and Ethereum-Based C2 on Windows — thehackernews.com — 20.11.2025 18:57