Find notable cyber news and cases, enriched with sources, timelines, and signals.

Tsundere botnet expanding on Windows

Malware Activity
First reported
Last updated
Happening score
H score 23
1 unique sources, 1 articles

Summary

Hide ▲

The Tsundere botnet is actively expanding against Windows users, and its operators can make infected systems run arbitrary JavaScript from a command-and-control server. That matters because the malware combines persistence, remote execution, and flexible infrastructure rotation to keep infected hosts useful over time. The operation also uses game-themed lures and installer/script-based delivery to reach victims.

Related Happenings

QuimaRAT cross-platform Java MaaS remote access trojan

Malware Activity
H score29 First: 06.07.2026 11:13 Last: 06.07.2026 11:13 Sources 1

About this happening: A new **QuimaRAT** **MaaS** offering expands cross-platform malware risk by packaging a modular **Java-based RAT** for **Windows, Linux, and macOS**. The activity matters because...

Silent Swap browser-extension crypto-theft campaign

Campaign
H score36 First: 30.06.2026 18:40 Last: 30.06.2026 18:40 Sources 1

About this happening: The **Silent Swap** campaign is replacing copied cryptocurrency wallet addresses with attacker-controlled ones, creating a risk of permanent financial loss for **crypto users**. I...

Malicious npm packages delivering Windows RAT

Malware Activity
H score3 First: 23.06.2026 11:54 Last: 23.06.2026 11:54 Sources 1

About this happening: A set of **malicious npm packages** is delivering a **Windows-based RAT** through a **multi-stage install chain**, creating risk of **credential theft**, **host profiling**, and *...

Microsoft AutoGen Studio AutoJack MCP WebSocket command execution security flaw

Vulnerability
H score33 First: 22.06.2026 20:28 Last: 22.06.2026 20:28 Sources 1

About this happening: Microsoft’s **AutoJack** chain exposed **AutoGen Studio** to **arbitrary command execution** for developers building from the main GitHub branch before the hardening commit.

Easy-day-js malware delivery through poisoned Mastra packages

Malware Activity
H score29 First: 22.06.2026 14:30 Last: 22.06.2026 14:30 Sources 1

About this happening: A poisoned **Mastra** package chain delivered **malware** through **easy-day-js**, creating compromise risk across **Windows, MacOS and Linux** systems. The payload disabled **TLS...

Timeline

  1. 20.11.2025 18:57 1 articles · 7mo ago

    Ethereum smart contract used for Tsundere C2 resolution

    Technical Analysis Update

    A smart contract created on September 23, 2024 is used by Tsundere to fetch WebSocket C2 details, including ws://193.24.123[.]68:3011 and ws://185.28.119[.]179:1234, so the operators can rotate infrastructure by changing the contract-backed pointer.

    Show sources
  2. 20.11.2025 18:57 2 articles · 7mo ago

    Kaspersky warns of expanding Tsundere botnet on Windows

    Initial Disclosure

    Kaspersky warned on November 20, 2025 that Tsundere is actively expanding against Windows users and can execute arbitrary JavaScript retrieved from C2 after infection paths that include fake MSI installers, PowerShell scripts, Node.js, ws, ethers, and pm2; the analysis also noted registry-based persistence, game-themed lures, Russian-language logging code, and a server linked to 123 Stealer.

    Show sources