Tsundere Botnet Masquerades as Valorant/CS2, Uses Ethereum Smart Contract for C2
Unwanted programs disguised as gaming software have once again drawn the attention of cybersecurity researchers. The Tsundere botnet, which surfaced this past summer, has been steadily expanding its reach, targeting Windows users through an assortment of loaders and an unconventional command-and-control architecture.
According to experts at Kaspersky Lab, the bot receives instructions in the form of JavaScript code fetched from its command server. The precise distribution method remains unknown; however, in one observed incident, attackers leveraged a legitimate remote-administration tool to deliver an MSI file containing a malicious script. Another recurrent indicator cited by analysts is the use of filenames such as “Valorant,” “r6x,” and “cs2” — a clear attempt to lure gamers hunting for unauthorized builds of popular shooters.
Once launched, the counterfeit MSI installer deploys Node.js and activates a loader that decrypts the botnet’s main module. The program then retrieves three legitimate libraries — ws, ethers, and pm2 — via an npm install command. The pm2 component handles process management and ensures persistence through the system registry.
Analysis of the control panel shows that the malware also propagates through PowerShell scripts that mimic the MSI variant’s behavior: installing Node.js and pulling dependencies, but omitting pm2 and instead creating a registry entry for persistence.
Particular interest was drawn to Tsundere’s communications method. Rather than embedding a fixed server address, the botnet fetches its WebSocket server addresses from a smart contract on the Ethereum network — enabling operators to rotate command-and-control endpoints swiftly without re-deploying the malware. The contract was deployed in autumn 2024 and now contains several dozen transactions.
After obtaining the current address, the bot validates the WebSocket link and establishes a connection, awaiting JavaScript instructions. During observation, no commands were issued — but the mere ability to execute arbitrary code underscores the system’s flexibility.
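The installation chain and persistence behaviour described above (an MSI or PowerShell stage spawning Node.js, an npm install of ws/ethers/pm2, and a registry Run entry) translate into a few endpoint-telemetry detections. The following is an added example written for this article, not code from Kaspersky or from the botnet; the event shapes, field names and sample events are constructed assumptions meant to approximate process-creation and registry-set logs, and the rule names are hypothetical.

```python
import re

# Constructed sample endpoint telemetry (not taken from the report): one dict
# per event, loosely modelled on process-creation and registry-set log records.
SAMPLE_EVENTS = [
    {"type": "process", "parent": "explorer.exe", "image": "msiexec.exe",
     "cmdline": "msiexec.exe /i cs2.msi /qn"},
    {"type": "process", "parent": "msiexec.exe", "image": "node.exe",
     "cmdline": "node.exe loader.js"},
    {"type": "process", "parent": "node.exe", "image": "node.exe",
     "cmdline": "npm install ws ethers pm2"},
    {"type": "registry", "image": "node.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\pm2",
     "value": r"C:\Users\u\AppData\Roaming\npm\pm2.cmd resurrect"},
    {"type": "process", "parent": "cmd.exe", "image": "node.exe",
     "cmdline": "npm install express"},  # benign developer activity, must not fire
]

SUSPICIOUS_PARENTS = {"msiexec.exe", "powershell.exe", "pwsh.exe"}
TSUNDERE_DEPS = {"ws", "ethers", "pm2"}  # the three libraries the loader pulls
NPM_INSTALL = re.compile(r"\bnpm(?:\.cmd)?\s+(?:install|i)\b\s*(.*)", re.IGNORECASE)

def rule_installer_or_powershell_spawned_node(ev):
    """Node.js started directly by an MSI installer or a PowerShell host."""
    return (ev["type"] == "process" and ev["image"].lower() in {"node.exe", "npm.cmd"}
            and ev["parent"].lower() in SUSPICIOUS_PARENTS)

def rule_tsundere_dependency_set(ev):
    """npm install pulling at least two of the ws/ethers/pm2 trio in one go."""
    if ev["type"] != "process":
        return False
    m = NPM_INSTALL.search(ev["cmdline"])
    if not m:
        return False
    pkgs = {p.lower() for p in m.group(1).split()}
    return len(pkgs & TSUNDERE_DEPS) >= 2

def rule_node_run_key_persistence(ev):
    """Run-key value that launches Node.js or pm2 (both installer variants persist via the registry)."""
    return (ev["type"] == "registry"
            and "\\currentversion\\run\\" in ev["key"].lower()
            and re.search(r"node(?:\.exe)?|pm2", ev["value"], re.IGNORECASE) is not None)

RULES = {"installer_or_powershell_spawned_node": rule_installer_or_powershell_spawned_node,
         "tsundere_dependency_set": rule_tsundere_dependency_set,
         "node_run_key_persistence": rule_node_run_key_persistence}

def detect(events):
    """Return (event_index, rule_name) for every event that matches a rule."""
    return [(i, name) for i, ev in enumerate(events) for name, rule in RULES.items() if rule(ev)]

if __name__ == "__main__":
    for idx, name in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {name}")
```

Each rule alone is noisy in a developer environment; the value is in correlating two or more of them on the same host within a short window.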
The Tsundere panel provides operators with tools to generate new malicious builds in MSI or PowerShell format, view the number of active infected machines, configure administrative functions, and convert compromised devices into traffic-forwarding nodes.
The same interface also facilitates viewing and purchasing botnets, indicating a growing commercialization of the operation. The code contains Russian-language logging strings, and its functionality overlaps with malicious npm ecosystem activity previously described by Checkmarx, Phylum, and Socket.
The same server additionally hosts the control panel for the 123 Stealer malware — a subscription-based tool first mentioned on an underground forum by a user under the alias “Кoнэко.” Researchers emphasize that Tsundere can be delivered through either MSI packages or PowerShell files, and the variety of distribution vectors makes it well-suited for phishing and other intrusion techniques.