Concise Cyber


Tsundere Botnet Emerges, Abusing Ethereum Blockchain for C2 Communication

Security researchers have identified an emerging botnet named Tsundere. This malicious software is written in Node.js and utilizes a novel approach for its command and control (C2) infrastructure by leveraging the Ethereum blockchain.

The botnet, discovered by experts at Kaspersky, is in an early stage of development and exhibits unique operational mechanics. Its main file is named nya~, a detail noted during its analysis.

Innovative C2 Mechanism via Ethereum Blockchain

Tsundere’s operators use the public Ethereum blockchain to distribute C2 server addresses to infected machines. The C2 addresses are embedded within the input data fields of transactions sent to a specific, hardcoded Ethereum wallet address.

Infected bots do not communicate directly with the wallet. Instead, they query the public Etherscan API to read the transaction history of the hardcoded address. By parsing this immutable data, the bots retrieve the current C2 server information. This method provides a high degree of resilience, as the C2 instructions remain publicly accessible on the blockchain.
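As an added illustration (not code from the article or from Kaspersky's analysis), the snippet below shows how an analyst can turn this retrieval scheme into a blocklist: given the transaction list for the hardcoded wallet in the shape Etherscan's account `txlist` endpoint returns, decode each transaction's input data and keep only payloads that look like `host:port`. The wallet, transaction hashes and hosts are constructed placeholders, and the response field names (`result`, `hash`, `timeStamp`, `input`) are assumed.

```python
import json
import re
from typing import Optional

# Constructed sample in the shape of an Etherscan txlist response, trimmed to the
# fields used here. Hashes and hosts are placeholders, not indicators from the article.
SAMPLE_TXLIST = json.dumps({
    "status": "1",
    "result": [
        {"hash": "0xPLACEHOLDER_TX_1", "timeStamp": "1700000000",
         "input": "0x" + "c2.example.invalid:8443".encode().hex()},
        {"hash": "0xPLACEHOLDER_TX_2", "timeStamp": "1700000500",
         "input": "0x"},  # plain ETH transfer carrying no payload
        {"hash": "0xPLACEHOLDER_TX_3", "timeStamp": "1700001000",
         "input": "0x" + "203.0.113.7:1337".encode().hex()},
    ],
})

# Payload shape we treat as a C2 candidate: hostname or IPv4 literal, then a port.
HOST_PORT = re.compile(r"^[A-Za-z0-9.\-]+:\d{1,5}$")


def decode_input(hex_input: str) -> Optional[str]:
    """Decode an EVM transaction 'input' field to text; None if empty or not UTF-8."""
    raw = hex_input[2:] if hex_input.startswith("0x") else hex_input
    if not raw:
        return None
    try:
        return bytes.fromhex(raw).decode("utf-8").strip("\x00").strip()
    except (ValueError, UnicodeDecodeError):
        return None


def extract_c2_candidates(txlist_json: str) -> list:
    """Return [{'hash', 'timestamp', 'c2'}] for transactions whose payload looks like host:port.

    Newest first, so the head of the list is the address a bot would currently use.
    """
    data = json.loads(txlist_json)
    found = []
    for tx in data.get("result", []):
        text = decode_input(tx.get("input", ""))
        if text and HOST_PORT.match(text):
            found.append({"hash": tx["hash"], "timestamp": int(tx["timeStamp"]), "c2": text})
    return sorted(found, key=lambda t: t["timestamp"], reverse=True)


if __name__ == "__main__":
    for hit in extract_c2_candidates(SAMPLE_TXLIST):
        print(hit)
```

Because the blockchain record cannot be taken down, the practical defensive lever is on the endpoint side: egress to the extracted addresses and, where unexpected for the host, to the Etherscan API itself.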

Tsundere Botnet: DDoS and Proxy Functionality

The primary functions of the Tsundere botnet observed so far are Distributed Denial of Service (DDoS) attacks and proxying traffic. The bot is equipped with commands to execute several types of DDoS attacks, including udp, http-req, http-rand, and slowloris.

In addition to its DDoS capabilities, a proxy command allows the operators to turn an infected device into a SOCKS5 proxy server. Upon infection, the bot also gathers and transmits basic system information, such as CPU and operating system details, back to the C2 server. The threat actor behind the Tsundere botnet remains unknown.

All articles here are written with the help of AI on the basis of openly available information which cannot be independently verified. We do strive to quote the relevant sources. The intent is only to summarise what is already reported in public forums in our own words, with no intention to plagiarise or copy another person's work. The publisher has no intent to defame or cause offence to anyone, any person or any organisation at any moment. The publisher assumes no responsibility for any damage or loss caused by making decisions on the basis of whatever is published on cyberconcise.com. You're advised to do your own checks and balances before making any decision, and owners and publishers at cyberconcise.com cannot be held accountable for its resulting ramifications. If you have any objections or concerns, or want to point out anything factually incorrect, please reach out using the form on https://concisecyber.com/about/
