Tsundere represents a significant shift in botnet tactics, leveraging the power of legitimate Node.js packages and blockchain technology to distribute malware across multiple operating systems.
First identified around mid-2025 by Kaspersky GReAT researchers, this botnet demonstrates the evolving sophistication of supply chain attacks.
The threat traces back to activity first observed in October 2024, when attackers published 287 malicious npm packages using typosquatting, mimicking the names of popular libraries such as Puppeteer and Bignum.js to trick developers into installing them.
The infection vector has evolved considerably since then. Tsundere spreads through multiple pathways, including Remote Monitoring and Management tools and disguised game installers that capitalize on piracy communities.
Samples discovered in the wild bear names like “valorant,” “cs2,” and “r6x,” specifically targeting first-person shooter enthusiasts.
This approach is effective at evading traditional security awareness because users in these communities are already expecting to install such applications.
The botnet particularly threatens Windows users, though the initial campaign exposed systems across Windows, Linux, and macOS platforms when it operated through npm package deployment.
The infrastructure behind Tsundere reveals a sophisticated understanding of modern attack methods. Rather than relying on traditional centralized command-and-control infrastructure, the botnet utilizes Ethereum blockchain smart contracts to store and retrieve C2 addresses.
This approach adds resilience by making servers difficult to take down through conventional means. The threat actor, identified as koneko—a Russian-speaking operative—operates a professional marketplace where other cybercriminals can purchase botnet services or deploy their own functionality.
Securelist security analysts identified the malware after discovering connections between the current campaign and earlier supply chain attacks.
Their investigation revealed that the threat actor has since resurfaced with enhanced capabilities, launching Tsundere as an evolution of previous malware efforts.
The operator panel supports both MSI installer and PowerShell script delivery mechanisms, giving attackers flexibility in how they deploy across different network environments and defenses.
How Tsundere Maintains Persistence Through Node.js Abuse
The infection mechanism begins when an MSI installer or PowerShell script executes on the victim’s system, dropping legitimate Node.js runtime files into AppData alongside malicious JavaScript.
The setup uses a hidden PowerShell command that spawns a Node.js process executing obfuscated loader code.
This loader script decrypts the main bot, which is stored encrypted with AES-256-CBC, before setting up the botnet environment. The bot automatically installs three npm packages it depends on: ws for WebSocket communication, ethers for Ethereum blockchain interaction, and pm2 for process persistence.
The pm2 package plays a crucial role in maintaining presence on compromised machines. It creates registry entries that ensure the bot restarts automatically whenever a user logs in, achieving effective persistence.
The bot then queries Ethereum blockchain nodes through public RPC providers, retrieving the current C2 server address from a smart contract variable.
This clever approach means defenders cannot simply block a known IP address—the attackers rotate C2 infrastructure at will through blockchain transactions, rendering traditional IP-based blocking ineffective.
Once connected, the bot establishes encrypted communication and awaits commands from operators, which arrive as dynamic JavaScript code for execution.
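As an added example that is not from the article or from Kaspersky, the Python triage script below tags endpoint telemetry for the behaviours described above: a hidden PowerShell launching node.exe from AppData, an autorun registry value pointing back into AppData or at pm2, and a node process issuing JSON-RPC eth_ calls. The telemetry records, paths, provider hostname and contract address are constructed, and the registry value name and the exact pm2 command are assumptions, not details from the article.

```python
import json
import re

# Constructed telemetry records (not from the article): process, registry and HTTP events.
SAMPLE_EVENTS = [
    {"type": "process",
     "parent_cmdline": "powershell.exe -WindowStyle Hidden -Command ...",
     "image": r"C:\Users\alice\AppData\Roaming\node\node.exe",
     "cmdline": r"node.exe C:\Users\alice\AppData\Roaming\node\loader.js"},
    {"type": "registry",  # assumed autorun location and value name, not from the article
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value_name": "pm2",
     "data": r"C:\Users\alice\AppData\Roaming\node\node.exe C:\Users\alice\AppData\Roaming\npm\node_modules\pm2\bin\pm2 resurrect"},
    {"type": "http", "image": r"C:\Users\alice\AppData\Roaming\node\node.exe",
     "host": "rpc.example.invalid",  # placeholder for a public Ethereum RPC provider
     "body": '{"jsonrpc":"2.0","method":"eth_call","params":[{"to":"0x' + "0" * 40 + '","data":"0x"},"latest"],"id":1}'},
    {"type": "process", "parent_cmdline": "Code.exe",  # benign: developer tooling, node outside AppData
     "image": r"C:\Program Files\nodejs\node.exe", "cmdline": "node.exe build.js"},
]

# node.exe (or a node directory) living under a user's AppData tree
APPDATA_NODE = re.compile(r"\\AppData\\.*\\node(\.exe)?\b", re.IGNORECASE)
HIDDEN_PS = re.compile(r"powershell.*?(-w(?:indowstyle)?\s+hidden|-nop\b|-enc)", re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run$", re.IGNORECASE)

def classify(event):
    """Return detection tags for one event; an empty list means nothing suspicious was seen."""
    tags = []
    kind = event.get("type")
    if kind == "process":
        if APPDATA_NODE.search(event.get("image", "")) and HIDDEN_PS.search(event.get("parent_cmdline", "")):
            tags.append("hidden-powershell-spawns-appdata-node")
    elif kind == "registry":
        data = event.get("data", "")
        if RUN_KEY.search(event.get("key", "")) and (APPDATA_NODE.search(data) or "pm2" in data.lower()):
            tags.append("autorun-node-appdata")
    elif kind == "http":
        try:
            body = json.loads(event.get("body", ""))
        except ValueError:
            body = {}
        # Key off the JSON-RPC method, not the provider host: the article's point is that C2 IPs rotate.
        if body.get("jsonrpc") == "2.0" and str(body.get("method", "")).startswith("eth_") \
                and "node" in event.get("image", "").lower():
            tags.append("eth-json-rpc-from-node-process")
    return tags

def scan(events):
    """Map event index -> tags for every event that triggered at least one detection."""
    return {i: t for i, e in enumerate(events) if (t := classify(e))}
```

Because the bot can fetch a new C2 address through the blockchain at any time, the third rule deliberately matches on the eth_ JSON-RPC method from a non-browser process rather than on any provider hostname or IP.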
