Kaspersky Reveals 'Tsundere' Botnet Targeting Windows Users

JAKARTA - Kaspersky's Global Research and Analysis Team (GReAT) has discovered a new botnet created by threat actors who reappeared in July 2025.

Dubbed the Tsundere botnet, it is usually delivered through Microsoft Windows Installer (MSI) packages disguised as installers for popular games such as Valorant, CS2, or R6x, as well as other software.

The botnet is still developing and poses an active threat to Windows users. Kaspersky has detected it in Mexico, Chile, Russia, and Kazakhstan.

The Tsundere botnet uses Web3 smart contracts to store its command-and-control (C2) address, which makes the botnet's infrastructure more resistant to disruption. Its C2 panel supports two ways of spreading, namely an MSI installer and a PowerShell script with automatic implants.

The implant installs a bot that can run malicious JavaScript code delivered dynamically over an encrypted WebSocket. To manage the infection, Tsundere uses a predetermined Ethereum wallet and contract.

"Tsundere shows how quickly cybercriminals adapt: this is a new attempt by threat actors who are allegedly identified to overhaul their devices," said Lisandro Ubiedo, senior security expert at Kaspersky's Global Research and Analysis Team.

The analysis indicates with high confidence that the threat actors behind the Tsundere botnet are likely Russian-speaking, as shown by the use of Russian in the code, which is consistent with previous attacks linked to the same actors.

The study also shows a link between the Tsundere botnet and 123 Stealer, created by 'koneko', which is offered on an underground forum for 120 US dollars, or around Rp 2 million.

"We have seen active distribution through fake game installers and links to previously observed malicious activity, so further development by this botnet is very likely to occur," said Lisandro Ubiedo.