
The Tsundere botnet uses the Ethereum blockchain to infect its targets

· Published 20/11/2025 22:12 · Modified 21/11/2025 09:36


Essential information

Published: 20/11/2025 22:12
Modified: 21/11/2025 09:36
Tags: 123 stealer 2025-11-20 aes-256 botnet ethereum javascript koneko msi node.js powershell tsundere tsundere bot websocket
Related entities: 21 observables, 1 intrusion set (APT), 20 techniques (MITRE), 2 malware

Description

The Tsundere botnet, discovered in mid-2025, is an active threat targeting Windows users. It uses the Ethereum blockchain to retrieve C2 addresses and employs for its operations. The botnet spreads through installers and scripts, often disguised as popular games. It uses CBC encryption for its communication and can execute dynamic code received from the C2 server. The botnet features a marketplace and a control panel that let its users create and sell customized bots. Attributed to a Russian-speaking actor known as '', it is linked to the and represents an evolution of previous attacks. Its use of smart contracts for C2 infrastructure makes that infrastructure harder to take down, which makes it a significant emerging threat.

External references