Tsundere Botnet

MITRE
Malware Type: Other
First seen: Unknown
Last seen: Unknown
Details:

[Tsundere Botnet](https://attack.mitre.org/software/S9034) is a botnet first reported in mid-2025 that is delivered via MSI installer or PowerShell script. It leverages Node.js and JavaScript for payload delivery and execution, and uses smart contracts on the blockchain to host command and control (C2) addresses. [Tsundere Botnet](https://attack.mitre.org/software/S9034) is attributed to a likely Russian-speaking threat actor.

A variant named DinDoor has been linked to [MuddyWater](https://attack.mitre.org/groups/G0069) operations and uses the Deno runtime for execution rather than Node.js. (Citation: Checkpoint_MOISCyberCrime_Mar2026)(Citation: SOCRadar_MuddyWaterDindoor_Mar2026)(Citation: CAL_MuddyWater_Mar2026)(Citation: SecureListUbiedo_Tsundere_Nov2025)

Associated Techniques (17)
| ID | ATT&CK | Tactics |
| --- | --- | --- |
| T1027.010 | Command Obfuscation | - |
| T1027.013 | Encrypted/Encoded File | - |
| T1036.005 | Match Legitimate Resource Name or Location | - |
| T1059.001 | PowerShell | - |
| T1059.007 | JavaScript | - |
| T1071.001 | Web Protocols | - |
| T1082 | System Information Discovery | - |
| T1102.001 | Dead Drop Resolver | - |
| T1105 | Ingress Tool Transfer | - |
| T1140 | Deobfuscate/Decode Files or Information | - |
| T1195.001 | Compromise Software Dependencies and Development Tools | - |
| T1218.007 | Msiexec | - |
| T1480 | Execution Guardrails | - |
| T1547.001 | Registry Run Keys / Startup Folder | - |
| T1564.003 | Hidden Window | - |
Aliases (25)
DinDoor
Used by Actors (1)
Metadata
ID: 164139
Created: 28/04/2026 16:00
Updated: 10/05/2026 16:00