A newly identified Windows botnet dubbed Tsundere is demonstrating how quickly cybercriminals are adopting Web3 technologies. The malware masquerades as installers for popular online games and uses Ethereum smart contracts to manage its command-and-control (C2) servers, significantly complicating detection and takedown efforts.
Tsundere botnet targets Windows gamers in Latin America
Current telemetry indicates that Tsundere attacks are concentrated in Latin America, with the highest activity observed in Mexico and Chile. The botnet’s operators appear to deliberately avoid systems located in several CIS countries, although isolated infections have still been recorded in Russia and Kazakhstan. Such geo-selective behavior is typical when threat actors seek to reduce attention from local law enforcement in their own region.
Tsundere focuses on mass infection of consumer Windows systems. The malware is distributed as fake installers for well-known online games such as Valorant, CS2 and R6x. Users who believe they are downloading a legitimate installer instead execute a dropper that silently deploys the Tsundere bot in the background.
Infection chain: MSI installers, PowerShell loaders and a JavaScript bot
Researchers have identified two primary distribution formats for Tsundere: MSI-based installers and PowerShell scripts. Both are automatically generated loaders whose only task is to establish persistence and download the main bot payload without arousing user suspicion or triggering basic security controls.
From fake installer to persistent bot
Once executed, the malicious MSI or PowerShell script retrieves and launches the Tsundere bot module. The bot is designed to continuously execute JavaScript code that it receives from a remote C2 server. This architecture effectively turns each infected host into a programmable agent capable of running arbitrary logic delivered on demand by the operators.
Real-time control over WebSocket
For C2 communication Tsundere uses the WebSocket protocol, which provides a persistent, bidirectional channel between the victim and the attacker’s infrastructure. This allows operators to rapidly change attack logic, push new modules, exfiltrate data or execute commands in real time, without needing to reinfect the system or update the binary.
Web3 and Ethereum smart contracts as resilient C2 infrastructure
The most distinctive element of Tsundere is its Web3-based C2 discovery mechanism. Instead of relying on traditional domain names or hardcoded IP addresses, the botnet stores its C2 configuration in an Ethereum smart contract. The configuration is encrypted and encoded as a piece of contract state that any infected host can read from the blockchain.
To rotate C2 endpoints, the operators submit a 0 ETH transaction to the contract and update a state variable that contains the latest WebSocket address. Compromised hosts periodically query public Ethereum RPC nodes, monitor these contract updates and extract the current C2 URL. If a C2 node is blocked or seized, the botnet can seamlessly pivot to backup infrastructure simply by writing a new value to the contract.
Why blockchain makes Tsundere harder to disrupt
Using blockchain for C2 coordination makes the Tsundere infrastructure highly resistant to takedown and censorship. Smart contract state is replicated across thousands of Ethereum nodes, its transaction history cannot be retroactively erased or altered, and only the operators, by sending new transactions, can change the stored configuration. Unlike a centralized domain registrar or hosting provider, no single authority can unilaterally remove the configuration from the network.
For defenders, this means that traditional measures such as domain sinkholing, DNS blocking or IP blacklisting are insufficient. Effective detection now requires correlating blockchain activity (contract interactions, RPC queries) with network events on the endpoint, and monitoring for unusual use of Web3 APIs in otherwise typical consumer or corporate environments.
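As an added illustration of the correlation the paragraph above calls for (example code written for this article, not tooling from the researchers, the botnet or any vendor), the script below walks constructed endpoint telemetry lines, flags Ethereum JSON-RPC state-read calls (eth_call, eth_getStorageAt, eth_getLogs) issued by processes that have no business talking to a blockchain node, and raises the severity when the same host and process opens an outbound WebSocket shortly afterwards. The log format, the browser allowlist, the five-minute window and every hostname, address and contract identifier are assumptions; no real indicator from the campaign is used.

```python
"""Flag Ethereum JSON-RPC state reads from unexpected processes and correlate
them with a follow-on WebSocket connection from the same host and process."""
import json
from datetime import datetime, timedelta, timezone

# Assumption: an endpoint/proxy telemetry export with one event per line:
#   timestamp|host|process|destination|action|body
# CONNECT events carry no body; POST events carry the HTTP request body.
# All hosts, addresses and the contract value are constructed placeholders.
SAMPLE_EVENTS = """\
2025-01-05T10:00:01Z|ws-17|node.exe|https://rpc.example.invalid/|POST|{"jsonrpc":"2.0","id":1,"method":"eth_call","params":[{"to":"0xCONTRACT_PLACEHOLDER","data":"0x0e91aac3"},"latest"]}
2025-01-05T10:00:03Z|ws-17|node.exe|wss://203.0.113.10:8443/|CONNECT|
2025-01-05T10:05:00Z|ws-22|chrome.exe|https://rpc.example.invalid/|POST|{"jsonrpc":"2.0","id":7,"method":"eth_blockNumber","params":[]}
2025-01-05T10:06:00Z|ws-22|chrome.exe|wss://chat.example.invalid/|CONNECT|
2025-01-05T11:00:00Z|ws-31|powershell.exe|https://rpc.example.invalid/|POST|{"jsonrpc":"2.0","id":2,"method":"eth_getStorageAt","params":["0xCONTRACT_PLACEHOLDER","0x0","latest"]}
2025-01-05T12:00:00Z|ws-40|node.exe|https://api.example.invalid/|POST|{"jsonrpc":"2.0","id":1,"method":"eth_call","params":[]}
"""

# RPC methods that read contract state (the "fetch the current C2 address"
# pattern) rather than merely checking chain health.
STATE_READ_METHODS = {"eth_call", "eth_getStorageAt", "eth_getLogs"}
# Assumption: processes where Web3 traffic is expected in a consumer fleet.
EXPECTED_WEB3_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe"}
CORRELATION_WINDOW = timedelta(minutes=5)


def parse_event(line):
    """Split one telemetry line and extract the JSON-RPC method, if any.
    The RPC check keys on the request body, not the hostname, because
    public RPC providers are numerous and change often."""
    ts, host, proc, dst, action, body = line.split("|", 5)
    event = {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "host": host, "process": proc, "dst": dst, "action": action,
        "rpc_method": None,
    }
    if action == "POST" and body:
        try:
            payload = json.loads(body)
        except json.JSONDecodeError:
            payload = {}
        if isinstance(payload, dict) and payload.get("jsonrpc") == "2.0":
            event["rpc_method"] = payload.get("method")
    return event


def is_websocket(event):
    """Outbound WebSocket handshake, the channel Tsundere uses for live C2."""
    return event["action"] == "CONNECT" and event["dst"].startswith(("ws://", "wss://"))


def detect(lines):
    """Return one alert per suspicious state read. Severity is 'high' when the
    same host and process opens a WebSocket within the correlation window."""
    events = sorted((parse_event(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    alerts = []
    for i, ev in enumerate(events):
        if ev["rpc_method"] not in STATE_READ_METHODS:
            continue
        if ev["process"].lower() in EXPECTED_WEB3_PROCESSES:
            continue  # browsers and wallets are expected to talk to RPC nodes
        followups = [
            f for f in events[i + 1:]
            if f["host"] == ev["host"] and f["process"] == ev["process"]
            and is_websocket(f) and f["ts"] - ev["ts"] <= CORRELATION_WINDOW
        ]
        alerts.append({
            "host": ev["host"], "process": ev["process"],
            "rpc_method": ev["rpc_method"], "rpc_endpoint": ev["dst"],
            "severity": "high" if followups else "medium",
            "websocket": followups[0]["dst"] if followups else None,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS.splitlines()):
        print(alert)
```

Keying on the request body rather than the destination is deliberate: blocking a list of RPC hostnames is the same losing game as IP blacklisting, whereas a PowerShell or Node process issuing eth_getStorageAt is anomalous on almost any consumer or office workstation regardless of which node it asks.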
Links to malicious npm packages and the 123 Stealer malware
Infrastructure analysis connects Tsundere to a campaign uncovered in October 2024 involving malicious Node.js packages in the official npm registry. In that campaign, attackers published 287 typosquatted packages whose names differed by only one or two characters from popular libraries such as Puppeteer and Bignum.js. Developers who mistyped a package name unknowingly pulled malicious code into their projects.
Further overlaps have been identified between Tsundere and 123 Stealer, an information-stealing malware advertised on underground forums. The two threats share technical components and infrastructure elements, and both are associated with a threat actor using the handle koneko, who markets themselves as a “senior developer of Node-based malware.” This explains Tsundere’s heavy reliance on JavaScript and Web3 tooling in its architecture.
Attribution, operator motivation and threat evolution
Code artefacts and language patterns suggest with high confidence that Tsundere’s developers are Russian-speaking. The deliberate effort to exclude certain CIS systems from infection further supports this assessment, despite the fact that some machines in the region are still compromised due to imperfect filtering.
The evolution from npm-based supply-chain attacks to a full-fledged Web3-powered botnet indicates a systematic, long-term development strategy. The operators appear focused on maximizing autonomy, resilience and anonymity of their criminal ecosystem, reducing the risk of losing control over the botnet or being exposed through conventional C2 infrastructure.
Risks for users and practical defense strategies
Tsundere poses a threat to both home users and organizations. The bot’s modular design allows it to be used for data theft, deployment of additional malware, DDoS attacks, or covert cryptocurrency mining. The fact that infections originate from what users perceive as harmless game installers significantly increases the likelihood of successful compromise. The following measures reduce that exposure:
1. Download games and software only from official vendor websites, reputable platforms and trusted launchers. Avoid pirated builds, “repacks” and unofficial cracks, which remain a common infection vector for modern botnets.
2. Verify the digital signatures of installers and pay attention to unusual permission requests, especially when installing games, mods or cheat tools.
3. In corporate environments, restrict and monitor PowerShell usage through least-privilege policies, script signing and comprehensive command logging to reduce abuse by loaders such as those used by Tsundere.
4. Deploy modern endpoint protection capable of detecting anomalous WebSocket traffic, PowerShell abuse, MSI-based loaders and suspicious access to Web3 or Ethereum RPC endpoints.
5. For developers, carefully check package names in npm and other repositories to avoid typosquatting attacks and consider locking dependencies to vetted versions using package-lock mechanisms or internal mirrors.
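To make the last recommendation concrete, and to show the kind of one-or-two-character lookalike described for the npm campaign above, here is an added example (written for this article, not a tool from the researchers or from npm) that reads a package.json, compares every declared dependency against a short team-maintained allowlist of well-known packages, and flags names within edit distance 2 of an allowlisted name. It also reports allowlisted packages that are not pinned to an exact version, which goes slightly beyond the text's advice on lockfiles. The allowlist and the sample manifest are constructed; the package names in it are illustrative.

```python
"""Check declared npm dependencies against a vetted list of well-known package
names and flag typosquat candidates (small edit distance) and unpinned specs."""
import json

# Assumption: a short allowlist of packages the team has vetted.
VETTED_PACKAGES = {"puppeteer", "bignum", "express", "lodash", "axios"}
MAX_DISTANCE = 2  # "one or two characters off", as in the campaign described

# Constructed manifest: two lookalikes, one unpinned vetted package, one
# legitimate package that is simply not on the allowlist.
SAMPLE_PACKAGE_JSON = """
{
  "name": "demo-app",
  "dependencies": {
    "puppeteer": "21.0.0",
    "pupeteer": "^1.0.0",
    "bignumjs": "^2.0.0",
    "express": "^4.18.2",
    "left-pad": "1.3.0"
  }
}
"""


def levenshtein(a, b):
    """Edit distance via the classic row-by-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def check_dependencies(package_json_text, vetted=VETTED_PACKAGES):
    """Return findings for typosquat candidates and unpinned vetted packages.
    Names are compared in full (scope included), so @types/lodash is not
    mistaken for lodash."""
    manifest = json.loads(package_json_text)
    declared = {}
    for section in ("dependencies", "devDependencies"):
        declared.update(manifest.get(section, {}))

    findings = []
    for name, spec in declared.items():
        lowered = name.lower()
        if lowered in vetted:
            # Exact, vetted name: only complain if the range is not pinned.
            if not spec[:1].isdigit():
                findings.append({"name": name, "kind": "unpinned", "near": None})
            continue
        for known in sorted(vetted):  # sorted for deterministic output
            distance = levenshtein(lowered, known)
            if 0 < distance <= MAX_DISTANCE:
                findings.append({"name": name, "kind": "typosquat-candidate", "near": known})
                break
    return findings


if __name__ == "__main__":
    for finding in check_dependencies(SAMPLE_PACKAGE_JSON):
        print(finding)
```

Run it as a pre-commit hook or in CI against the repository's package.json; a "typosquat-candidate" finding should block the merge until a human confirms the package is the intended one, and an internal mirror or a committed lockfile keeps the resolved version from drifting afterwards.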
The emergence of Tsundere illustrates how quickly cybercriminals are integrating blockchain and Web3 technologies into their toolsets to gain resilience and flexibility. By combining deceptive distribution via fake game installers with Ethereum-based C2 coordination, the botnet sets a precedent for future campaigns. Strengthening security therefore requires not only robust technical controls, but also continuous user education, attention to new attack trends and timely updates to organizational security policies.