Tsundere
Tsundere is a Node.js-based botnet/RAT malware family targeting Windows systems. It is delivered via fake MSI installers that install Node.js and legitimate libraries, then execute JavaScript payloads. Reported functionality includes establishing persistence, arbitrary JavaScript code execution on infected hosts, receiving attacker-supplied JavaScript over a WebSocket-based command-and-control channel, filesystem and OS command execution, and data exfiltration. Multiple reports describe its use of blockchain-based C2 resolution: Tsundere or closely related variants use Ethereum/EtherHiding logic to retrieve or refresh C2 server details, validate the address, and only then establish the WebSocket connection, which lets operators rotate infrastructure without redeploying the malware.
The malware has been referred to as Tsundere and also as DinDoor/Dindoor in some reporting. Check Point assessed DinDoor as a new variant of the MuddyWater-linked Tsundere botnet. JUMPSEC reported that a PowerShell loader delivered Tsundere alongside other TAG-150/CastleRAT platform components, and eSentire/Atos-linked reporting noted Tsundere samples with EtherHiding logic and code commonalities with EtherRAT. Tsundere has been associated in reporting with Iranian state-linked activity, particularly MuddyWater/APT34, although other reporting noted attribution is not conclusive and suggested possible Russian-speaking development based on similarities to a prior Russian npm campaign. One report also stated Tsundere shared infrastructure with the 123 Stealer C2 panel.
Observed infection chains include malicious MSI installers and PowerShell-based loaders. One Hunt.io-referenced case described a malicious file used to establish persistence and deploy Tsundere, and another noted communications with 185.236.25.119:3001; that IP was flagged due to logins to Tsundere botnet panels on ports 80 and 3000. High-confidence behavioral details directly mentioned in the source include Windows targeting, Node.js runtime use, WebSocket C2, blockchain/Ethereum-based C2 discovery, persistence establishment, and execution of arbitrary JavaScript code.
Groups observed using it
3 distinct threat actors attributed by public researchers.
In these intrusions, the group used a previously unseen backdoor called DinDoor, which is a new variant of the MuddyWater-linked Tsundere botnet, according to Check Point.
During the engagement, TRU found on that server a malicious file with functionality to establish persistence and deploy the Tsundere botnet malware, which also integrates the “EtherHiding” C2 resolution logic.
The same PowerShell loader has also been found to deliver a botnet malware referred to as Tsundere (aka Dindoor). According to JUMPSEC, both ChainShell and Tsundere are separate TAG-150 platform components that are deployed along with CastleRAT.
Techniques & procedures
11 distinct techniques documented for this family, organized by ATT&CK tactic: Resource Development (1), Execution (4), Persistence (1), Privilege Escalation (1), Stealth (2), Command and Control (3).
Central to the operations is a PowerShell deployer ("reset.ps1") that deploys a previously undocumented JavaScript-based malware called ChainShell, which then contacts a smart contract on the Ethereum blockchain to retrieve a C2 address and use it to fetch next-stage JavaScript code for execution on compromised hosts.
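As an added example (not code from any of the cited reports), a correlation rule over constructed host telemetry for the chain described above and in the summary: Node.js launched by msiexec.exe, an Ethereum JSON-RPC contract read to resolve the C2 address, then a WebSocket connection. The event schema, hostnames, pids and timestamps are hypothetical; treating an eth_call request as the contract-read step is an assumption about EtherHiding-style lookups, and port 3001 is taken from the reporting above.

```python
import json
from datetime import datetime, timedelta

# Constructed telemetry in a simplified EDR-like schema (hypothetical, not a vendor format).
# Hosts, pids, timestamps and the RPC endpoint are made up; port 3001 matches the reporting above.
EVENTS = [
    {"ts": "2024-01-01T10:00:05", "type": "process", "pid": 412,
     "image": r"C:\Program Files\nodejs\node.exe", "parent": r"C:\Windows\System32\msiexec.exe"},
    {"ts": "2024-01-01T10:00:09", "type": "http", "pid": 412, "dst": "rpc.eth-provider.invalid", "port": 443,
     "method": "POST", "body": '{"jsonrpc":"2.0","method":"eth_call","params":[{"to":"0x00","data":"0x"},"latest"],"id":1}'},
    {"ts": "2024-01-01T10:00:12", "type": "http", "pid": 412, "dst": "203.0.113.10", "port": 3001,
     "method": "GET", "headers": {"Connection": "Upgrade", "Upgrade": "websocket"}},
    # Benign control: a developer's node.exe started by an editor, talking to the npm registry only.
    {"ts": "2024-01-01T10:30:00", "type": "process", "pid": 900,
     "image": r"C:\Program Files\nodejs\node.exe", "parent": r"C:\Users\dev\AppData\Local\Programs\Code.exe"},
    {"ts": "2024-01-01T10:30:02", "type": "http", "pid": 900, "dst": "registry.npmjs.org", "port": 443, "method": "GET"},
]

def _is_eth_call(event):
    """True when the request body is an Ethereum JSON-RPC eth_call (a smart-contract state read)."""
    try:
        body = json.loads(event.get("body", ""))
    except ValueError:
        return False
    return isinstance(body, dict) and event.get("method") == "POST" and body.get("method") == "eth_call"

def _is_ws_upgrade(event):
    """True when the request carries the HTTP Upgrade header that starts a WebSocket session."""
    return event.get("headers", {}).get("Upgrade", "").lower() == "websocket"

def detect_tsundere_chain(events, window=timedelta(minutes=5)):
    """Report node.exe processes that read an Ethereum contract and then open a WebSocket within
    `window` of process start; an msiexec.exe parent (MSI-delivered Node.js) is recorded as enrichment."""
    findings = []
    for proc in (e for e in events if e["type"] == "process"):
        if not proc["image"].lower().endswith("node.exe"):
            continue
        start = datetime.fromisoformat(proc["ts"])
        rpc_seen, ws_target = None, None
        for ev in sorted((e for e in events if e["type"] == "http" and e["pid"] == proc["pid"]), key=lambda e: e["ts"]):
            t = datetime.fromisoformat(ev["ts"])
            if t < start or t - start > window:
                continue
            if _is_eth_call(ev):
                rpc_seen = t
            elif rpc_seen is not None and _is_ws_upgrade(ev):
                ws_target = (ev["dst"], ev["port"])  # C2 reached only after the on-chain lookup
        if rpc_seen is not None and ws_target is not None:
            findings.append({"pid": proc["pid"], "c2": ws_target,
                             "msi_parent": proc["parent"].lower().endswith("msiexec.exe")})
    return findings
```

The ordering (contract read before the WebSocket upgrade, from the same process) is the signal; the parent-process check is enrichment so that the rule still fires for the PowerShell-loader delivery path, where the parent is not msiexec.exe.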
IOCs tracked for this family
1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups; other indicator types have been observed in public reporting.
Recent activity
10 sources tracked across advisories, community write-ups, and news.
Botnet malware noted here for integrating the EtherHiding C2 resolution logic and sharing extensive code commonalities with EtherRAT.
Botnet malware delivered by the same PowerShell loader and deployed alongside CastleRAT as part of TAG-150 platform components.
Botnet family linked to MuddyWater; referenced as the lineage for the DinDoor backdoor variant.
Botnet linked to MuddyWater; DinDoor is described as a new variant of it.