
Tsundere botnet expanding on Windows

Malware Activity
Happening score: 28
1 unique source, 1 article

Summary


The Tsundere botnet is actively expanding against Windows users, and its operators can make infected systems run arbitrary JavaScript from a command-and-control server. That matters because the malware combines persistence, remote execution, and flexible infrastructure rotation to keep infected hosts useful over time. The operation also uses game-themed lures and installer/script-based delivery to reach victims.

Related Happenings

TrapDoor trap-core.js credential-stealing package malware

Malware Activity
First: 25.05.2026 08:59 Last: 25.05.2026 08:59 Sources 1

About this happening: The **TrapDoor** package malware is spreading across **npm, PyPI, and Crates.io**, putting **developer secrets, cloud credentials, SSH keys, and crypto wallets** at risk. The malw...

EtherRAT malicious MSI loader with Ethereum-based C2

Malware Activity
First: 30.04.2026 14:30 Last: 30.04.2026 14:30 Sources 1

About this happening: The **EtherRAT** malware is being delivered through **malicious MSI installers** and gives attackers **persistent Windows access**, increasing the risk of covert control inside en...

EtherRAT Node.js backdoor with Ethereum smart-contract C2

Malware Activity
First: 26.03.2026 17:00 Last: 26.03.2026 17:00 Sources 1

About this happening: The **EtherRAT** malware activity centers on a **Node.js-based backdoor** that uses **Ethereum smart contracts** to hide and rotate C2 infrastructure. In a **React2Shell** attack,...

ClickFix DNS-based nslookup staging campaign

Campaign
First: 15.02.2026 16:10 Last: 15.02.2026 16:10 Sources 1

About this happening: The **ClickFix** campaign has added **DNS-based staging** that uses **nslookup** in the **Windows Run dialog** to fetch and run a second-stage payload, making malicious execution...

APT36 / SideCopy phishing-led campaign targeting Indian defense organizations

Campaign
First: 11.02.2026 16:52 Last: 11.02.2026 16:52 Sources 1

About this happening: A **phishing-led** **APT36 / SideCopy** campaign is targeting **Indian defense and government-aligned organizations**, using cross-platform **RATs** to steal sensitive data and ke...

Timeline

  1. 20.11.2025 18:57 1 article · 6mo ago

    Ethereum smart contract used for Tsundere C2 resolution

    Technical Analysis Update

    A smart contract created on September 23, 2024, is used by Tsundere to fetch WebSocket C2 details, including ws://193.24.123[.]68:3011 and ws://185.28.119[.]179:1234, so the operators can rotate infrastructure simply by changing the contract-backed pointer rather than the malware itself.

  2. 20.11.2025 18:57 2 articles · 6mo ago

    Kaspersky warns of expanding Tsundere botnet on Windows

    Initial Disclosure

    Kaspersky warned on November 20, 2025, that Tsundere is actively expanding against Windows users and can execute arbitrary JavaScript retrieved from C2 once a host is infected. The reported infection paths include fake MSI installers and PowerShell scripts, with Node.js and the ws, ethers, and pm2 packages deployed on the victim; the analysis also noted registry-based persistence, game-themed lures, Russian-language logging code, and a server linked to 123 Stealer.
