S9034: Tsundere Botnet
Tsundere Botnet is a botnet first reported in mid-2025 that is delivered via MSI installer or a PowerShell script. It leverages Node.js and JavaScript for payload delivery and execution, and uses smart contracts on the blockchain to host command and control (C2) addresses. Tsundere Botnet is attributed to a likely Russian-speaking threat actor.
A variant named DinDoor has been linked to MuddyWater operations and uses the Deno runtime for execution rather than Node.js.[1][2][3][4]
Analyst context for executives and security teams
Tsundere Botnet matters because it combines common enterprise execution paths, such as MSI installers, PowerShell, JavaScript, Node.js, and the Deno runtime in the DinDoor variant, with harder-to-govern command-and-control patterns including blockchain-hosted C2 address resolution and web/cloud services. For leaders, the key issue is not just one malware family; it is whether endpoint, network, cloud-egress, and software-supply-chain controls can see scripted execution and external service abuse across Windows, Linux, and macOS.
Executive priority
Prioritize this as a coverage-validation use case for cross-platform endpoint visibility, egress governance, and incident response readiness. The ATT&CK relationships connect the malware to initial access via compromised software dependencies/development tools, execution through PowerShell/JavaScript/MSI, persistence via Windows Run Keys/Startup Folder, C2 through web protocols and dead-drop resolvers, and possible exfiltration to cloud storage. Executives should ask whether teams can prove collection and response across those stages, especially where legitimate runtimes, installers, web traffic, and cloud services may create audit and detection blind spots.
Technical view
SOC and IR teams should validate detections around MSI execution through msiexec, PowerShell script execution, JavaScript/Node.js or Deno runtime activity, encoded or obfuscated files/commands, deobfuscation behavior, system and location discovery, startup persistence, web-based C2, dead-drop resolver behavior, ingress tool transfer, and cloud-storage exfiltration patterns. Because official MITRE detection text is not provided, detection engineering should be relationship-driven and environment-specific rather than signature-only. The MuddyWater relationship and DinDoor variant are useful context for threat intelligence enrichment, but local alerts should be grounded in observed behaviors rather than attribution assumptions.
Likely telemetry
- Endpoint process creation telemetry including command line, parent/child process relationships, and script interpreter activity
- PowerShell logging where applicable, including script block/module visibility if enabled
- Windows Installer and msiexec execution records, including local or remote MSI paths
- File creation/modification telemetry for encoded, encrypted, renamed, or suspiciously located payloads
- Registry Run Key and Startup Folder change events on Windows
Detection direction
- Baseline legitimate use of PowerShell, msiexec, JavaScript runtimes, Node.js, Deno, and package/dependency tooling before alerting on presence alone.
- Correlate script execution with downloaded installers, encoded content, hidden-window behavior, file decoding, persistence changes, and outbound web connections.
- Tune for renamed or misplaced binaries and resources that mimic legitimate names or locations, especially where endpoint naming conventions are well understood.
- Review egress controls for destinations resolved through legitimate external services, including dead-drop resolver patterns, because static blocklists may miss changing C2 addresses.
- Monitor cloud-storage uploads in context of user role, host, volume, timing, and preceding execution/discovery activity to reduce false positives.
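The correlation in the detection list above, as an added example that is not code from the page or from any vendor: a Python scorer over constructed process-creation events that ties a PowerShell launch to its msiexec parent, the hidden-window and encoded-command flags, a Run key write inside the decoded command, and a Node.js/Deno child, then alerts only when several stages line up. The event records, file paths and the encoded command are constructed assumptions; the technique IDs are the ones in this page's relationships table.

```python
import base64
import re

# Constructed process-creation records (not real telemetry), shaped like Sysmon Event ID 1 data.
ENCODED = base64.b64encode(  # assembled here so the encoded content stays visible to the reader
    r"Set-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run "
    r"-Name Updater -Value C:\Users\u\AppData\Roaming\node\node.exe".encode("utf-16le")
).decode()
EVENTS = [
    {"pid": 410, "ppid": 1, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Users\u\Downloads\GameSetup.msi /qn"},
    {"pid": 522, "ppid": 410, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -WindowStyle Hidden -EncodedCommand " + ENCODED},
    {"pid": 600, "ppid": 522, "image": r"C:\Users\u\AppData\Roaming\node\node.exe",
     "cmdline": r"node.exe C:\Users\u\AppData\Roaming\node\loader.js"},
]
PS_IMAGES = ("powershell.exe", "pwsh.exe")
JS_RUNTIMES = ("node.exe", "deno.exe")
RUN_KEY = r"\currentversion\run"

def decode_encoded_command(cmdline):
    """Return the -EncodedCommand payload (Base64 over UTF-16LE) as text, or None."""
    toks = cmdline.split()
    for i, tok in enumerate(toks[:-1]):
        flag = tok[1:].lower()
        # PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
        if tok.startswith("-") and flag and "encodedcommand".startswith(flag):
            try:
                return base64.b64decode(toks[i + 1], validate=True).decode("utf-16le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None

def find_loader_chains(events):
    """Score each PowerShell launch against the msiexec -> hidden/encoded PowerShell -> Run key -> JS runtime chain."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if not e["image"].lower().endswith(PS_IMAGES):
            continue
        decoded = decode_encoded_command(e["cmdline"])
        checks = [  # (ATT&CK ID, condition) pairs drawn from the relationships table
            ("T1218.007", by_pid.get(e["ppid"], {}).get("image", "").lower().endswith("msiexec.exe")),
            ("T1564.003", re.search(r"-w\w*\s+hidden", e["cmdline"], re.I) is not None),
            ("T1027.010", decoded is not None),
            ("T1547.001", decoded is not None and RUN_KEY in decoded.lower()),
            ("T1059.007", any(c["ppid"] == e["pid"] and c["image"].lower().endswith(JS_RUNTIMES) for c in events)),
        ]
        ids = {"T1059.001"} | {tid for tid, hit in checks if hit}
        if len(ids) >= 3:  # PowerShell alone is baseline noise; require a correlated chain
            hits.append({"pid": e["pid"], "techniques": sorted(ids), "decoded": decoded})
    return hits
```

The decoded command is returned alongside the hit so an analyst can read what the Base64 hid instead of alerting on encoding alone.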
Mitigation priorities
- Confirm enterprise-wide collection first: endpoint process, script, file, registry, network, proxy, DNS, and cloud-service logs must be available before measuring coverage.
- Restrict and monitor high-risk execution paths such as PowerShell, msiexec, JavaScript runtimes, Node.js/Deno usage, and unsigned or unexpected installers according to business need.
- Harden software-supply-chain intake by validating dependencies, development tools, and package sources used by the organization.
- Apply least-privilege and application-control principles where feasible to limit unauthorized runtimes, installers, persistence locations, and tool transfer.
- Govern outbound web and cloud-storage access with allowlisting, proxy inspection, anomaly monitoring, and documented business exceptions.
Analyst notes and limits
ATT&CK lists Tsundere Botnet as first reported in mid-2025, delivered by MSI installer or PowerShell script, using Node.js and JavaScript for payload delivery/execution, and using blockchain smart contracts to host C2 addresses. ATT&CK also notes a DinDoor variant linked to MuddyWater operations that uses Deno rather than Node.js. The relationship set provides the most useful defensive framing: execution, stealth, persistence, discovery, C2, ingress transfer, software dependency compromise, and cloud-storage exfiltration.
Official MITRE detection guidance is not provided for this malware object, and tactics are not specified on the object itself. This take relies on the supplied description, external references, and ATT&CK relationships. It does not establish local exposure, active exploitation, confirmed targeting, or guaranteed detection coverage; those require environment-specific telemetry, threat intelligence, and incident evidence.
Tsundere Botnet
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1567.002 | Exfiltration to Cloud Storage Sub-technique | Tsundere Botnet’s variant DinDoor has used Rclone to access a Wasabi server.[1] |
| Enterprise | T1480 | Execution Guardrails | Tsundere Botnet has checked the victim machine’s location to avoid infecting machines in the Commonwealth of Independent States (CIS) region.[4] |
| Enterprise | T1071.001 | Web Protocols Sub-technique | Tsundere Botnet has obtained the WebSocket C2 address by making remote procedure call (RPC) API requests to Ethereum blockchain nodes.[3][4] |
| Enterprise | T1614 | System Location Discovery | Tsundere Botnet has checked the victim machine’s location by obtaining the culture name of the machine.[4] |
| Enterprise | T1195.001 | Compromise Software Dependencies and Development Tools Sub-technique | Tsundere Botnet has used the Node Package Manager (npm) to download malicious packages and to deliver the payload.[4] |
| Enterprise | T1105 | Ingress Tool Transfer | Tsundere Botnet’s loader component has downloaded the zip file node-v18.17.0-win-x64.zip from the official Node.js website, as well as pm2, a Node.js process management tool.[4] |
| Enterprise | T1102.001 | Dead Drop Resolver Sub-technique | Tsundere Botnet has obtained the C2 address from Ethereum blockchain nodes.[3][4] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | Tsundere Botnet has created a value in the `HKCU:\Software\Microsoft\Windows\CurrentVersion\Run` Registry key, ensuring that it is run at login.[3][4] |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | Tsundere Botnet’s loader contained AES-CBC/PKCS7 encrypted blobs, which were decrypted and written to disk.[3] |
| Enterprise | T1059.007 | JavaScript Sub-technique | Tsundere Botnet has the ability to run JavaScript code from the C2 server. Additionally, Tsundere Botnet has used Node.js to execute JavaScript code for the loader component.[4] |
| Enterprise | T1059.001 | PowerShell Sub-technique | Tsundere Botnet has been distributed via a PowerShell script.[3][4] |
| Enterprise | T1027.010 | Command Obfuscation Sub-technique | Tsundere Botnet’s MSI installer has Base64-encoded command execution.[4] |
| Enterprise | T1082 | System Information Discovery | Tsundere Botnet has collected the machine’s MAC address, total memory, GPU information, and other system information.[4] |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location Sub-technique | Tsundere Botnet has disguised its MSI installer as a fake installer for popular games and software.[4] |
| Enterprise | T1218.007 | Msiexec Sub-technique | Tsundere Botnet has been distributed via an MSI installer.[4] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Tsundere Botnet’s loader has decrypted obfuscated JavaScript files using the AES-256 CBC algorithm with a build-specific key and initialization vector.[3][4] |
| Enterprise | T1564.003 | Hidden Window Sub-technique | Tsundere Botnet’s MSI installer has used `-WindowStyle Hidden` to hide Tsundere Botnet’s execution from the user.[4] |
Groups, software, and campaigns
G0069: MuddyWater
MuddyWater is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS).[1] Since at least 2017, MuddyWater has targeted a range of government and private organizations across sectors, including telecommunications, local government, finance, defense, and oil and natural gas organizations, in the Middle East (specifically the UAE and Saudi Arabia), Asia, Africa, Europe, and North America. MuddyWater has reused domains dating back to October 2025, and has a preference for NameCheap and Hosterdaddy Private Limited (AS136557). In late 2025 and early 2026, MuddyWater used commercial satellite internet (i.e., Starlink) for command and control (C2) communication.[2][3][4][5][6][7][8][9][10][11][12][13]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | f6ead6b804a9… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Checkpoint_MOISCyberCrime_Mar2026: CheckPoint Research. (2026, March 10). Iranian MOIS Actors & the Cyber Crime Connection. Retrieved March 12, 2026.
- [2] SOCRadar_MuddyWaterDindoor_Mar2026: SOCRadar. (2026, March 9). MuddyWater Uses Dindoor Malware Targeting U.S. Networks. Retrieved March 12, 2026.
- [3] CAL_MuddyWater_Mar2026: Ctrl-Alt-Intel. (2026, March 4). MuddyWater Exposed: Inside an Iranian APT operation. Retrieved April 6, 2026.
- [4] SecureListUbiedo_Tsundere_Nov2025: Ubiedo, L. (2025, November 20). Blockchain and Node.js abused by Tsundere: an emerging botnet. Retrieved April 6, 2026.
- [5] DinDoor (alias). (Citation: Checkpoint_MOISCyberCrime_Mar2026)
- [6] mitre-attack S9034 (MITRE ATT&CK source object).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.