Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to threat actors
🇷🇺 RU1 malware family

koneko

Also known askoneko

koneko is a Russian-speaking threat actor attributed by Kaspersky GReAT in connection with the Tsundere botnet. In the provided reporting, a file named reset.ps1 found on infrastructure assessed as belonging to the Iranian APT MuddyWater was identified not as MuddyWater malware but as a Tsundere botnet dropper attributed to koneko, indicating overlap between MuddyWater-operated infrastructure and tooling associated with this actor. The Tsundere botnet used an Ethereum smart contract at 0xa1b40044EBc2794f207D45143Bd82a1B86156c6b to store and rotate C2 addresses. A Tsundere C2 server at 185.236.25[.]119 was also identified, exposing ports 80, 135, 445, 3000, 3001, and 3389. No additional aliases, sub-groups, targeting profile, or broader TTP details for koneko are directly provided in the content beyond this attribution and the botnet infrastructure details.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Where they're from

Attributed origin per open-source reporting.

  • RU
MITRE ATT&CK

Tradecraft

7 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

7 of 15 tactics16 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0002
Execution
1 technique
T1204
User Execution
T1204.002
Malicious File
TA0003
Persistence
2 techniques
T1112
Modify Registry
T1547
Boot or Logon Autostart Execution
T1547.001
Registry Run Keys / Startup Folder
TA0004
Privilege Escalation
1 technique
T1547
Boot or Logon Autostart Execution
T1547.001
Registry Run Keys / Startup Folder
TA0005
Stealth
2 techniques
T1027
Obfuscated Files or Information
T1497
Virtualization/Sandbox Evasion
T1497.001
System Checks
TA0112
Defense Impairment
1 technique
T1112
Modify Registry
TA0007
Discovery
1 technique
T1497
Virtualization/Sandbox Evasion
T1497.001
System Checks
TA0011
Command and Control
2 techniques
T1071
Application Layer Protocol
T1071.001
Web Protocols
T1102
Web Service
ARSENAL

Associated malware families

1 malware family attributed to this actor across reporting.

FamilyContextEvidenceLast seen
Tsundere BotnetThe file reset.ps1 on MuddyWater's server is not MuddyWater malware. It is a Tsundere Botnet dropper -- a 2.2 MB heavily obfuscated PowerShell script attributed by Kaspersky GReAT to Russian-speaking threat actor "koneko."1Apr 25, 2026
IOCS

Observables

28 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

28 IOCsView more in app

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

1 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

1 SOURCESView more in app
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping7

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal1

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables28

Domains, IPs, and hashes tied to this actor, refreshed continuously.