Tsundere Botnet Targets Windows Users with JavaScript Code

Cyber Security News by CyberSum.net
Cybersecurity researchers have identified an expanding botnet called Tsundere that targets Windows users. Active since mid-2025, the botnet executes arbitrary JavaScript code delivered by a command-and-control (C2) server. The malware is spread through MSI installers and PowerShell scripts, often disguised as popular game installers. It fetches its C2 server details from the Ethereum blockchain, which keeps the C2 channel resilient. The botnet's control panel allows users to manage bots, create new artifacts, and even buy and sell botnets. The threat actor behind Tsundere is believed to be Russian-speaking, with connections to other malicious activities.