
Spot Crypto Assets Get Nod For Trading On CFTC-Registered Futures Exchanges

The US Commodity Futures Trading Commission (CFTC) announced on Thursday that spot crypto asset contracts will soon be available for trading on futures exchanges that are registered with the agency, aligning with the positive regulatory changes championed by President Donald Trump’s administration. 

Crypto Sprint Progress

The CFTC disclosed that this recent decision follows recommendations from the President’s Working Group on Digital Asset Markets and insights gathered from the CFTC’s Crypto Sprint initiative, as well as collaborative efforts with the Securities and Exchange Commission (SEC). 

Acting CFTC Chairman Caroline Pham highlighted the importance of providing Americans with access to safe and regulated markets, stating, “Recent events on offshore exchanges have shown us how essential it is for Americans to have more choice and access to safe, regulated US markets.”

In addition to the introduction of spot trading, the Crypto Sprint initiative includes measures to enable tokenized collateral—such as stablecoins—within derivatives markets. 

The CFTC also plans to implement regulatory updates to facilitate the use of blockchain technology in various operational areas, including collateral, margin, clearing, settlement, reporting, and recordkeeping.

Historic Shift In CFTC’s Digital Asset Trading Move

Market expert MartyParty on social media stated that this latest move is an historic decision that will empower retail and institutional traders to buy, sell, and leverage crypto assets directly on CFTC-registered exchanges. MartyParty further noted:

It’s the culmination of years of regulatory groundwork, including a joint SEC-CFTC statement clarifying that existing laws already permit such trading on registered venues.

Pham remarked on the collaborative efforts of the administration, stating that President Trump’s leadership has fostered a comprehensive plan for the US to reclaim its status as a global leader in digital asset markets. As she noted, “The CFTC has a central role to play” in this initiative.


Featured image from DALL-E, chart from TradingView.com 

Coinbase CEO Reveals Collaborations With Leading Banks On Stablecoin And Crypto Trading Initiatives

Leading banking institutions in traditional finance (TradFi) are reportedly partnering with US-based cryptocurrency exchange Coinbase (COIN) to explore pilots related to stablecoins, custody solutions, and trading options. 

Coinbase CEO Brian Armstrong announced this during his appearance at the New York Times Dealbook Summit on Wednesday, as reported by Bloomberg.

Coinbase CEO Cautions Banks On Crypto Resistance

Armstrong emphasized that leading financial institutions recognize this as an opportunity for growth. “The best banks are leaning into this as an opportunity,” he stated, although he refrained from naming any specific banks involved in these initiatives. 

During his speech, the executive also voiced his concerns about institutions that resist participating in the digital asset ecosystem. He asserted that those who oppose it will be left behind.

This sentiment aligns with remarks Armstrong made six months ago, where he predicted that eventually, every major bank would integrate cryptocurrency into their operations. 

He views this technology as a means to modernize the financial system, stating, “We can power a variety of things for them.” He noted that some banks are looking for custodial solutions, while others are interested in developing their own stablecoins.

COIN Shares Surge 5%

Adding weight to this discussion, Larry Fink, CEO of the world’s largest asset manager and crypto exchange-traded fund (ETF) issuer BlackRock, participated in the event alongside Armstrong. 

Fink, who previously voiced skepticism about cryptocurrencies, described Bitcoin (BTC) as a safe haven asset despite the cryptocurrency’s crash toward $83,000 on Monday. 

“You own Bitcoin because you’re frightened of your physical security. You own it because you’re frightened of your financial security,” he remarked. 

On the financial side, Coinbase’s stock performance reflects the positive sentiment in the cryptocurrency market amid recovering prices. Trading under the ticker COIN on the Nasdaq, Coinbase’s shares closed Wednesday at nearly $277, marking a 5% increase. 

This uplift coincides with broader gains in the cryptocurrency sector, notably led by the recent price performance of Ethereum (ETH), followed by Bitcoin, XRP, Binance Coin (BNB), and other notable tokens such as Solana (SOL), all of which have shown significant recoveries this week after a challenging month.


Featured image from Shutterstock, chart from TradingView.com

Crypto Group Challenges Aussie Broadcast Corp, Citing Factual Errors In Bitcoin Coverage

A major Australian crypto industry group has lodged a formal complaint with the Australian Broadcasting Corporation, arguing that recent coverage of Bitcoin contained multiple errors and a biased tone.

According to the industry group, the broadcaster presented a one-sided view that overemphasized criminal usage and volatility while leaving out legitimate uses and data.

ABIB Calls For Corrections And Response Within 60 Days

Based on reports, the Australian Bitcoin Industry Body (ABIB) says it asked ABC to correct specific statements it considers false or misleading, and to publish clarifications. The complaint was made public on December 3, 2025, and ABIB posted about the filing on social media.

The complainants singled out passages that they say described Bitcoin largely as a tool for criminals and painted it as having little or no legitimate use. They pointed to sections that, in their view, ignored examples of Bitcoin being used for grid balancing and for humanitarian transfers.

The Australian Bitcoin Industry Body (ABIB) has lodged a formal complaint with the Australian Broadcasting Corporation (@abcnews) regarding its recent article on Bitcoin.

The piece contained multiple factual errors, misleading claims, and one-sided framing that breach the ABC’s…

— Australian Bitcoin Industry Body (@AusBTCIndBody) December 2, 2025

ABC Coverage Focused On Money-Laundering Concerns

Reports have disclosed that ABC ran pieces discussing the changing role of Bitcoin in illicit flows, including a recent story that examined whether Bitcoin is losing ground to stablecoins such as Tether when used in money-laundering. That report drew particular ire from ABIB.

Industry Group Says Numbers And Context Were Missing

ABIB has argued that some context and figures were omitted from ABC’s coverage. One outlet summarized ABIB’s broader claim that media depiction was skewed at a time when adoption figures — sometimes cited at about 31% nationally in related coverage — should also be part of the public debate.

What Happens Next And Possible Escalation

If ABC does not satisfy ABIB’s complaint within 60 days, the matter could be escalated to Australia’s communications regulator for review. That regulator can investigate whether editorial standards were breached and recommend corrective action or other remedies.

Pushback From Media And Regulators Will Matter

Some newsrooms say robust coverage of risks is their duty. Others in the crypto sector argue that balanced reporting should include both harms and legitimate uses. The dispute highlights tensions as regulators, media and industry all jockey to shape public understanding while new rules for crypto take form.

Headlines And Policy Talk

Reports show ABC has recently run several finance and crypto pieces, including coverage of price moves and policy debates. One ABC item referenced US President Donald Trump in its discussion of political moves that have touched crypto policy. That inclusion was noted in pushback from industry groups.

ABIB Wants Clear Corrections, Not Just Apologies

According to ABIB, the aim is not to silence scrutiny but to ensure facts are correct for readers and for policymakers. The group says accurate public reporting matters because it can shape future regulation and public trust. Multiple news outlets have covered ABIB’s action and quoted its request that ABC publish corrections where errors are found.

Featured image from Unsplash, chart from TradingView

War On Crypto, Now Targeting Trump’s AI And Crypto Czar, Expert Claims

Throughout the year, the crypto industry has undergone significant regulatory changes influenced by President Trump’s new policies, alongside a coalition of senators advocating for the adoption and growth of digital assets. 

However, tensions escalated when a group of Democratic senators began to challenge Trump’s policies, claiming that they reflect a significant conflict of interest, but this time, particularly concerning David Sacks, the White House’s AI and Crypto Czar.

White House Crypto Czar Denies Conflicts Of Interest

In a recent statement on social media site X (formerly Twitter), Sacks shared that five months ago, several reporters from The New York Times were assigned to investigate supposed conflicts of interest linked to his role. 

He described how the investigation persisted through numerous “fact checks,” during which they scrutinized various accusations against him. Despite presenting thorough rebuttals, Sacks noted that the published article only included fragments of their responses, while the foundation of the accusations remained largely speculative.

According to the White House’s Crypto Czar, the allegations ranged from a “fabricated dinner” with a notable tech CEO to unfounded claims of promising access to the President and exerting influence over defense contracts. He argued that each time an accusation was disproven, the Times simply shifted to another claim. 

Sacks expressed frustration that, in their pursuit of a “sensational story,” The New York Times overlooked the fact that he has no genuine conflicts of interest to uncover. He described the final article as a “nothing burger,” asserting that it merely pieced together anecdotes that do not substantiate its headline. 

To counter what he deemed a misrepresentation of the facts, Sacks ultimately hired a law firm specializing in defamation law, to assist in addressing these allegations. 

New Bills Could Dismantle Century-Old Banking Practices

Market expert Jack Sage later weighed in on these developments via social media, asserting that US bankers, including JPMorgan, are waging “TOTAL WAR” on Bitcoin. 

Sage pointed out several targets of this new onslaught, including Strategy (previously MicroStrategy), along with key figures such as Strike CEO Jack Mallers, and stablecoin issuer Tether (USDT). 

He indicated that David Sacks is now in the line of fire, characterizing this as a coordinated attack aimed at diminishing a crypto-friendly influence within Trump’s administration.

Sage suggested that the Trump administration seeks to leverage Bitcoin and stablecoins to challenge the banks’ “longstanding monopoly” over the money supply. 

He pointed to potential legislative initiatives such as the GENIUS Act, the upcoming CLARITY Act, and possibly the BITCOIN Act as transformative measures that could shift money creation away from traditional banks and the Federal Reserve (Fed).

These proposed bills, according to Sage, could dismantle the fractional reserve banking system that has existed for over a century. The response from traditional bankers and globalists, Sage noted, has been one of desperation as they confront a reality where they may lose control over monetary systems for the first time.


Featured image from DALL-E, chart from TradingView.com 

Crypto Crackdown: House GOP Discovers 30 Firms Debanked In Operation Chokepoint 2.0

In a recent report, Republicans on the House Financial Services Committee unveiled alarming findings related to Operation Chokepoint 2.0, revealing that at least 30 crypto firms have been debanked over the past years. 

The investigation, which began in the 118th Congress, sought to uncover coordinated efforts by the Biden Administration to hinder digital asset businesses and individuals from accessing essential financial services.

Biden Administration’s Actions Against Crypto

The report details how regulators under the Biden Administration employed “vague rules” and excessive discretion to discourage banks from serving clients in the digital asset space. 

The Republicans further asserted that these regulators pressured financial institutions to distance themselves from digital asset clients through informal guidance, enforcement actions, and a lack of clear regulations, removing them from the financial system.

Chairman Hill commented on the implications of this approach, stating, “Targeting Americans over their political views erodes trust in the financial system and undermines the core freedoms our nation was founded on.” 

However, Hill voiced confidence in repairing the damage done by the Biden administration, citing the current era of advancement for digital assets under President Trump, who has already signed one crypto bill—the GENIUS Act—and may soon sign the CLARITY Act.

The report also highlighted that “informal communications,” such as interagency statements and interpretive letters, have specifically been used to discourage banks and other financial entities from working with digital asset firms.

Regulatory Bodies Criticized For Inaction

Key points raised in the report by Republicans include a failure by the Biden Administration to create a clear crypto regulatory regime, which has enabled federal financial regulators to effectively stifle innovation and limit activity within the sector. 

Rather than fostering a supportive environment for digital asset projects, Republicans claim that the administration’s approach leaned toward enforcement-based regulation, which further complicated matters for crypto firms. 

The report underscored the characterization of the digital asset ecosystem by the Biden Administration as prone to volatility and risk, particularly citing concerns over compliance with anti-money laundering (AML). However, Republicans argued that these concerns do not justify the aggressive tactics employed against the industry.

The report also highlighted the roles of key regulators such as the Federal Reserve, the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC). 

These entities, according to the report, failed to establish a coherent regulatory framework for digital assets and have resorted to enforcement actions against companies engaged in this market.

Subcommittee Chair Meuser remarked, “This report documents how Obama-era practices were revived and expanded under President Biden—through pause letters, informal pressure campaigns, and regulation by enforcement that forced U.S. companies offshore.” 

He called attention to the leadership of individuals like President Trump, Secretary Bessent, Vice Chair Bowman, Comptroller Gould, and Acting Chair Hill, who are credited with restoring fairness and clarity in bank supervision.

While the industry has seen major shifts under President Trump’s administration, Meuser stressed the need for Congress to codify protections against similar actions in the future, to prevent any resurgence of Operation Chokepoint.


Featured image from DALL-E, chart from TradingView.com 

China’s Central Bank Reaffirms Ban On Digital Assets – Details

The People’s Bank of China (PBOC) has reaffirmed its commitment against cryptocurrency trading after confirming a resurgence in market speculation. The Chinese apex bank is nudging several government institutions to strengthen their crackdown on business and financial activities involving virtual currencies and curb related illegal operations.

Stablecoins Yet To Meet AML Requirements, China Says

In 2021, China issued a ban on all cryptocurrency trading and mining activities, citing a potential threat to the nation’s financial stability and energy control system. Prior to this policy, the Asian giant had been one of the fastest-growing crypto hubs with the highest mining activity in the world. Four years later, the PBOC has reiterated this hostile stance against virtual assets despite a significant increase in cryptocurrency adoption and regulation globally. This development came on November 28, 2025, in a meeting centered on “The Coordination Mechanism for Combating Cryptocurrency Trading Speculation.”

Notably, this policy discussion involved representatives from 13 government departments and agencies, including the Ministry of Justice, the State Financial Regulatory Commission, and the China Securities Regulatory Commission, among others. While the PBOC acknowledged the steadfast implementation of the government’s “Notice on Further Preventing and Handling Risks of Virtual Currency Trading and Speculation” issued in 2021, they also highlighted an increase in trading speculations and related illicit activities, requiring new methods for risk prevention and control. 

In particular, the meeting reaffirmed that no form of cryptocurrencies qualifies as a legal tender, including stablecoins, which they claim still fail to satisfy certain regulatory requirements.

The statement read:

Virtual currency-related business activities constitute illegal financial activities. Stablecoins are a form of virtual currency, and currently cannot effectively meet requirements for customer identification and anti-money laundering, posing a risk of being used for illegal activities such as money laundering, fundraising fraud, and illegal cross-border fund transfers.

Moving forward, the People’s Bank of China admonished all concerned government institutions to bolster regulatory actions in enforcing the existing prohibitive policy on cryptocurrencies and all related criminal actions, in line with President Xi Jinping’s Thought on Socialism with Chinese Characteristics for a New Era. 

The directive read:

All units should deepen coordination and cooperation, improve regulatory policies and legal basis, focus on key links such as information flow and capital flow, strengthen information sharing, further enhance monitoring capabilities, severely crack down on illegal and criminal activities, protect the property safety of the people, and maintain the stability of the economic and financial order.

Crypto Market Overview 

At the time of writing, the total crypto market cap stands at $3.06, reflecting a 0.12% gain in the last day. Meanwhile, total trading volume is down 32.95% to $81.28 billion.


Blockchain and Node.js abused by Tsundere: an emerging botnet

Introduction

Tsundere is a new botnet, discovered by our Kaspersky GReAT around mid-2025. We have correlated this threat with previous reports from October 2024 that reveal code similarities, as well as the use of the same C2 retrieval method and wallet. In that instance, the threat actor created malicious Node.js packages and used the Node Package Manager (npm) to deliver the payload. The packages were named similarly to popular packages, employing a technique known as typosquatting. The threat actor targeted libraries such as Puppeteer, Bignum.js, and various cryptocurrency packages, resulting in 287 identified malware packages. This supply chain attack affected Windows, Linux, and macOS users, but it was short-lived, as the packages were removed and the threat actor abandoned this infection method after being detected.

The threat actor resurfaced around July 2025 with a new threat. We have dubbed it the Tsundere bot after its C2 panel. This botnet is currently expanding and poses an active threat to Windows users.

Initial infection

Currently, there is no conclusive evidence on how the Tsundere bot implants are being spread. However, in one documented case, the implant was installed via a Remote Monitoring and Management (RMM) tool, which downloaded a file named pdf.msi from a compromised website. In other instances, the sample names suggest that the implants are being disseminated using the lure of popular Windows games, particularly first-person shooters. The samples found in the wild have names such as “valorant”, “cs2”, or “r6x”, which appear to be attempts to capitalize on the popularity of these games among piracy communities.

Malware implants

According to the C2 panel, there are two distinct formats for spreading the implant: via an MSI installer and via a PowerShell script. Implants are automatically generated by the C2 panel (as described in the Infrastructure section).

MSI installer

The MSI installer was often disguised as a fake installer for popular games and other software to lure new victims. Notably, at the time of our research, it had a very low detection rate.

The installer contains a list of data and JavaScript files that are updated with each new build, as well as the necessary Node.js executables to run these scripts. The following is a list of files included in the sample:

nodejs/B4jHWzJnlABB2B7
nodejs/UYE20NBBzyFhqAQ.js
nodejs/79juqlY2mETeQOc
nodejs/thoJahgqObmWWA2
nodejs/node.exe
nodejs/npm.cmd
nodejs/npx.cmd

The last three files in the list are legitimate Node.js files. They are installed alongside the malicious artifacts in the user’s AppData\Local\nodejs directory.

An examination of the CustomAction table reveals the process by which Windows Installer executes the malware and installs the Tsundere bot:

RunModulesSetup 1058    NodeDir powershell -WindowStyle Hidden -NoLogo -enc JABuAG[...]ACkAOwAiAA==

After Base64 decoding, the command appears as follows:

$nodePath = "$env:LOCALAPPDATA\nodejs\node.exe";
& $nodePath -e "const { spawn } = require('child_process'); spawn(process.env.LOCALAPPDATA + '\\nodejs\\node.exe', ['B4jHWzJnlABB2B7'], { detached: true, stdio: 'ignore', windowsHide: true, cwd: __dirname }).unref();"

This will execute Node.js code that spawns a new Node.js process, which runs the loader JavaScript code (in this case, B4jHWzJnlABB2B7). The resulting child process runs in the background, remaining hidden from the user.
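As an added example (not code from the article, the installer, or the bot), the following Python shows how an analyst can recover and triage the -enc payload of a CustomAction like the one above: it reproduces the UTF-16LE Base64 encoding that powershell.exe expects (which is why the blob in the table begins with JABuAG), decodes it back, and flags the behaviours the loader relies on. The decoded command is the one quoted above; the triage indicators are my own choice.

```python
"""Decode and triage a PowerShell -EncodedCommand payload from an MSI CustomAction (added example)."""
import base64
import re
from typing import Dict, List, Optional

# The decoded command the article shows for the RunModulesSetup CustomAction.
DECODED_COMMAND = (
    '$nodePath = "$env:LOCALAPPDATA\\nodejs\\node.exe";\n'
    "& $nodePath -e \"const { spawn } = require('child_process'); "
    "spawn(process.env.LOCALAPPDATA + '\\\\nodejs\\\\node.exe', ['B4jHWzJnlABB2B7'], "
    "{ detached: true, stdio: 'ignore', windowsHide: true, cwd: __dirname }).unref();\""
)


def encode_powershell_command(cmd: str) -> str:
    """powershell.exe -EncodedCommand takes Base64 of the UTF-16LE bytes, not UTF-8."""
    return base64.b64encode(cmd.encode("utf-16-le")).decode("ascii")


def decode_powershell_command(b64: str) -> str:
    """Inverse of encode_powershell_command."""
    return base64.b64decode(b64).decode("utf-16-le")


# powershell.exe accepts any unambiguous prefix of -EncodedCommand; these are the common ones.
_ENC_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def extract_encoded_command(cmdline: str) -> Optional[str]:
    """Return the Base64 blob after -e/-ec/-en/-enc/-EncodedCommand, if present."""
    m = _ENC_RE.search(cmdline)
    return m.group(1) if m else None


def triage_custom_action(cmdline: str) -> Dict[str, object]:
    """Decode the payload (if any) and list the loader behaviours worth alerting on."""
    findings: List[str] = []
    if re.search(r"-w(?:indowstyle)?\s+hidden", cmdline, re.IGNORECASE):
        findings.append("hidden window")
    encoded = extract_encoded_command(cmdline)
    decoded = decode_powershell_command(encoded) if encoded else cmdline
    if encoded:
        findings.append("encoded command")
    if re.search(r"LOCALAPPDATA.*node\.exe", decoded, re.IGNORECASE):
        findings.append("node.exe run from %LOCALAPPDATA%")
    if "child_process" in decoded and "detached: true" in decoded:
        findings.append("detached child process")
    if "windowsHide: true" in decoded:
        findings.append("child window hidden")
    return {"decoded": decoded, "findings": findings}


def build_custom_action_line(cmd: str) -> str:
    """Reconstruct the installer's command-line layout around an encoded payload (constructed)."""
    return "powershell -WindowStyle Hidden -NoLogo -enc " + encode_powershell_command(cmd)


if __name__ == "__main__":
    line = build_custom_action_line(DECODED_COMMAND)
    print(line[:60] + "...")
    for finding in triage_custom_action(line)["findings"]:
        print(" -", finding)
```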

Loader script

The loader script is responsible for ensuring the correct decryption and execution of the main bot script, which handles npm unpackaging and configuration. Although the loader code, similar to the code for the other JavaScript files, is obfuscated, it can be deobfuscated using open-source tools. Once executed, the loader attempts to locate the unpackaging script and configuration for the Tsundere bot, decrypts them using the AES-256 CBC cryptographic algorithm with a build-specific key and IV, and saves the decrypted files under different filenames.

encScriptPath = 'thoJahgqObmWWA2',
  encConfigPath = '79juqlY2mETeQOc',
  decScript = 'uB39hFJ6YS8L2Fd',
  decConfig = '9s9IxB5AbDj4Pmw',
  keyBase64 = '2l+jfiPEJufKA1bmMTesfxcBmQwFmmamIGM0b4YfkPQ=',
  ivBase64 = 'NxrqwWI+zQB+XL4+I/042A==',
[...]
    const h = path.dirname(encScriptPath),
      i = path.join(h, decScript),
      j = path.join(h, decConfig)
    decryptFile(encScriptPath, i, key, iv)
    decryptFile(encConfigPath, j, key, iv)

The configuration file is a JSON that defines a directory and file structure, as well as file contents, which the malware will recreate. The malware author refers to this file as “config”, but its primary purpose is to package and deploy the Node.js package manager (npm) without requiring manual installation or downloading. The unpackaging script is responsible for recreating this structure, including the node_modules directory with all its libraries, which contains packages necessary for the malware to run.

With the environment now set up, the malware proceeds to install three packages to the node_modules directory using npm:

  • ws: a WebSocket networking library
  • ethers: a library for communicating with Ethereum
  • pm2: a Node.js process management tool

Loader script installing the necessary toolset for Tsundere persistence and execution

The pm2 package is installed to keep the Tsundere bot running and is used to launch the bot. Additionally, pm2 helps achieve persistence on the system by writing to the registry and configuring itself to restart the process upon login.

PowerShell infector

The PowerShell version of the infector operates in a more compact and simplified manner. Instead of utilizing a configuration file and an unpacker — as done with the MSI installer — it downloads the ZIP file node-v18.17.0-win-x64.zip from the official Node.js website nodejs[.]org and extracts it to the AppData\Local\NodeJS directory, ultimately deploying Node.js on the targeted device. The infector then uses the AES-256-CBC algorithm to decrypt two large hexadecimal-encoded variables, which correspond to the bot script and a persistence script. These decrypted files, along with a package.json file are written to the disk. The package.json file contains information about the malicious Node.js package, as well as the necessary libraries to be installed, including the ws and ethers packages. Finally, the infector runs both scripts, starting with the persistence script that is followed by the bot script.

The PowerShell infector creates a package file with the implant dependencies

Persistence is achieved through the same mechanism observed in the MSI installer: the script creates a value in the HKCU:\Software\Microsoft\Windows\CurrentVersion\Run registry key that points to itself. It then overwrites itself with a new script that is Base64 decoded. This new script is responsible for ensuring the bot is executed on each login by spawning a new instance of the bot.

Tsundere bot

We will now delve into the Tsundere bot, examining its communication with the command-and-control (C2) server and its primary functionality.

C2 address retrieval

Web3 contracts, also known as smart contracts, are deployed on a blockchain via transactions from a wallet. These contracts can store data in variables, which can be modified by functions defined within the contract. In this case, the Tsundere botnet uses the Ethereum blockchain, where a method named setString(string _str) is defined to modify the state variable param1, allowing it to store a string. The botnet administrators use param1 to publish new WebSocket C2 servers: each value is immutable once written to the Ethereum blockchain, and the address is rotated at will by writing a new one.

The Tsundere botnet relies on two constant points of reference on the Ethereum blockchain:

  • Wallet: 0x73625B6cdFECC81A4899D221C732E1f73e504a32
  • Contract: 0xa1b40044EBc2794f207D45143Bd82a1B86156c6b

In order to change the C2 server, the Tsundere botnet makes a transaction to update the state variable with a new address. Below is a transaction made on August 19, 2025, with a value of 0 ETH, which updates the address.

Smart contract containing the Tsundere botnet WebSocket C2

The state variable has a fixed length of 32 bytes, and a string of 24 bytes (see item [2] in the previous image) is stored within it. When this string is converted from hexadecimal to ASCII, it reveals the new WebSocket C2 server address: ws[:]//185.28.119[.]179:1234.

To obtain the C2 address, the bot contacts various public endpoints that provide remote procedure call (RPC) APIs, allowing them to interact with Ethereum blockchain nodes. At the start of the script, the bot calls a function named fetchAndUpdateIP, which iterates through a list of RPC providers. For each provider, it checks the transactions associated with the contract address and wallet owner, and then retrieves the string from the state variable containing the WebSocket address, as previously observed.
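To make the storage-word decoding described above concrete, here is an added Python example (not Kaspersky's code and not the bot's fetchAndUpdateIP) that decodes a Solidity short-string storage slot into the string it holds, applies the same ws:// or wss:// check the bot performs, and extracts a defanged host and port for blocklisting. The 32-byte slot value is constructed in the code from the address quoted above, not read from the chain; the Solidity layout it assumes (data left-aligned, lowest byte = length times two) is the compiler's documented encoding for strings shorter than 32 bytes.

```python
"""Decode a Tsundere-style C2 URL from a Solidity string storage slot (added example)."""
from typing import Tuple
from urllib.parse import urlsplit

# Constructed sample: a 32-byte Solidity storage word holding the 24-byte string
# "ws://185.28.119.179:1234" (the address quoted in the article).  Solidity
# keeps strings of <= 31 bytes in-place: data left-aligned, low byte = length*2.
SAMPLE_SLOT = (
    "0x"
    "77733a2f2f3138352e32382e3131392e3137393a31323334"  # the 24 ASCII bytes
    "00000000000000"                                    # 7 bytes of zero padding
    "30"                                                # 24 * 2 = 0x30
)


def encode_short_string_slot(text: str) -> str:
    """Build the in-place storage word for a string of <= 31 bytes (used to make fixtures)."""
    data = text.encode("ascii")
    if len(data) > 31:
        raise ValueError("only short strings (<= 31 bytes) are stored in-place")
    return "0x" + data.hex() + "00" * (31 - len(data)) + format(len(data) * 2, "02x")


def decode_short_string_slot(slot_hex: str) -> str:
    """Decode a 32-byte storage word holding an in-place Solidity string.

    An odd low byte means the string is >= 32 bytes and lives in separate slots
    (from keccak256(slot) onward); that layout is not needed for a 24-byte URL.
    """
    raw = bytes.fromhex(slot_hex[2:] if slot_hex.startswith("0x") else slot_hex)
    if len(raw) != 32:
        raise ValueError("a storage word is exactly 32 bytes")
    low = raw[-1]
    if low & 1:
        raise ValueError("long string stored out-of-line; not handled here")
    length = low // 2
    if length > 31:
        raise ValueError("invalid short-string length byte")
    return raw[:length].decode("ascii")


def is_websocket_url(url: str) -> bool:
    """The same sanity check the bot applies before using a retrieved address."""
    return url.startswith("ws://") or url.startswith("wss://")


def extract_c2(url: str) -> Tuple[str, int]:
    """Return (host, port) from a ws:// or wss:// URL; default ports follow HTTP/HTTPS."""
    if not is_websocket_url(url):
        raise ValueError("not a WebSocket URL")
    parts = urlsplit(url)
    if parts.hostname is None:
        raise ValueError("URL has no host")
    port = parts.port or (443 if parts.scheme == "wss" else 80)
    return parts.hostname, port


def defang(host: str) -> str:
    """Write an IP or domain in the non-clickable form used in reports (1.2.3[.]4)."""
    head, sep, tail = host.rpartition(".")
    return f"{head}[.]{tail}" if sep else host


if __name__ == "__main__":
    url = decode_short_string_slot(SAMPLE_SLOT)
    host, port = extract_c2(url)
    print(f"C2: {defang(host)}:{port}")
```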

Malware code for retrieval of C2 from the smart contract

The Tsundere bot verifies that the C2 address starts with either ws:// or wss:// to ensure it is a valid WebSocket URL, and then sets the obtained string as the server URL. But before using this new URL, the bot first checks the system locale by retrieving the culture name of the machine to avoid infecting systems in the CIS region. If the system is not in the CIS region, the bot establishes a connection to the server via a WebSocket, setting up the necessary handlers for receiving, sending, and managing connection states, such as errors and closed sockets.

Bot handlers for communication

Communication

The communication flow between the client (Tsundere bot) and the server (WebSocket C2) is as follows:

  1. The Tsundere bot establishes a WebSocket connection with the retrieved C2 address.
  2. An AES key is transmitted immediately after the connection is established.
  3. The bot sends an empty string to confirm receipt of the key.
  4. The server then sends an IV, enabling the use of encrypted communication from that point on.
    Encryption is required for all subsequent communication.
  5. The bot transmits the OS information of the infected machine, including the MAC address, total memory, GPU information, and other details. This information is also used to generate a unique identifier (UUID).
  6. The C2 server responds with a JSON object, acknowledging the connection and confirming the bot’s presence.
  7. With the connection established, the client and server can exchange information freely.
    1. To maintain the connection, keep-alive messages are sent every minute using ping/pong messages.
    2. The bot sends encrypted responses as part of the ping/pong messages, ensuring continuous communication.

Tsundere communication process with the C2 via WebSockets

The connections are not authenticated through any additional means, making it possible for a fake client to establish a connection.

As previously mentioned, the client sends an encrypted ping message to the C2 server every minute, which returns a pong message. This ping-pong exchange serves as a mechanism for the C2 panel to maintain a list of currently active bots.

Functionality

The Tsundere bot is designed to allow the C2 server to send dynamic JavaScript code. When the C2 server sends a message with ID=1 to the bot, the message is evaluated as a new function and then executed. The result of this operation is sent back to the server via a custom function named serverSend, which is responsible for transmitting the result as a JSON object, encrypted for secure communication.

Tsundere bot evaluation code once functions are received from the C2

The ability to evaluate code makes the Tsundere bot relatively simple, but it also provides flexibility and dynamism, allowing the botnet administrators to adapt it to a wide range of actions.

However, during our observation period, we did not receive any commands or functions from the C2 server, possibly because the newly connected bot needed to be requested by other threat actors through the botnet panel before it could be utilized.

Infrastructure

The Tsundere bot utilizes WebSocket as its primary protocol for establishing connections with the C2 server. As mentioned earlier, at the time of writing, the malware was communicating with the WebSocket server located at 185.28.119[.]179, and our tests indicated that it was responding positively to bot connections.

The following table lists the IP addresses and ports extracted from the C2 URLs, together with the date of the contract update in which each first appeared and the hosting ASN:

IP                   Port  First seen (contract update)  ASN
185.28.119[.]179     1234  2025-08-19                    AS62005
196.251.72[.]192     1234  2025-08-03                    AS401120
103.246.145[.]201    1234  2025-07-14                    AS211381
193.24.123[.]68      3011  2025-06-21                    AS200593
62.60.226[.]179      3001  2025-05-04                    AS214351
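Two network traits from this report lend themselves to detection: egress WebSocket traffic to the endpoints in the table above, and the one-minute encrypted ping the bot sends over its open connection. The script below is an added example written for this page, not Kaspersky tooling; it refangs the article's defanged IoC list and runs an IoC match plus a cadence heuristic over constructed log records (one line per WebSocket frame, as a WebSocket-aware proxy or IDS might emit). The log format, the `parse_record` regex and the sample hosts are assumptions of the example; the third host shows that the cadence rule also catches a beacon to an address that is not on any list.

```python
# Added example, not from the Kaspersky report: offline detection of
# (1) frames to the Tsundere C2 endpoints and (2) a ~60 s outbound cadence.
# Log format and sample records are constructed for this example.
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Defanged endpoints copied from the article's IoC list; refanged on load.
TSUNDERE_C2_DEFANGED = [
    "ws://185.28.119[.]179:1234",
    "ws://196.251.72[.]192:1234",
    "ws://103.246.145[.]201:1234",
    "ws://193.24.123[.]68:3011",
    "ws://62.60.226[.]179:3001",
]


def refang(ioc):
    return ioc.replace("[.]", ".")


def load_c2_endpoints(defanged):
    """Return a set of (ip, port) tuples from defanged ws:// URLs."""
    endpoints = set()
    for ioc in defanged:
        m = re.fullmatch(r"ws://(\d+(?:\.\d+){3}):(\d+)", refang(ioc))
        if m:
            endpoints.add((m.group(1), int(m.group(2))))
    return endpoints


# Assumed record layout: "<iso-ts> src=<ip> dst=<ip> dport=<n> ws_frame=out|in"
RECORD_RE = re.compile(r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
                       r"dport=(?P<dport>\d+) ws_frame=(?P<dir>out|in)$")


def parse_record(line):
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
            "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]), "dir": m["dir"]}


def detect(lines, c2_endpoints, period=60.0, jitter=3.0, min_frames=4):
    """Rule ioc_match: any frame to a listed endpoint (one finding per flow).
    Rule beacon: >= min_frames outbound frames on one flow whose every
    inter-arrival gap is within `jitter` seconds of `period`."""
    findings, matched, outbound = [], set(), defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        key = (rec["src"], rec["dst"], rec["dport"])
        if (rec["dst"], rec["dport"]) in c2_endpoints and key not in matched:
            matched.add(key)
            findings.append({"rule": "ioc_match", "src": key[0],
                             "dst": key[1], "dport": key[2]})
        if rec["dir"] == "out":
            outbound[key].append(rec["ts"])
    for (src, dst, dport), stamps in outbound.items():
        if len(stamps) < min_frames:
            continue
        stamps.sort()
        deltas = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if all(abs(d - period) <= jitter for d in deltas):
            findings.append({"rule": "beacon", "src": src, "dst": dst,
                             "dport": dport,
                             "median_interval_s": statistics.median(deltas)})
    return findings


# Constructed sample: one infected host, one benign chatty host, one
# unknown beacon. 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
2025-08-20T10:00:00Z src=10.0.0.5 dst=185.28.119.179 dport=1234 ws_frame=out
2025-08-20T10:00:00Z src=10.0.0.5 dst=185.28.119.179 dport=1234 ws_frame=in
2025-08-20T10:01:01Z src=10.0.0.5 dst=185.28.119.179 dport=1234 ws_frame=out
2025-08-20T10:02:00Z src=10.0.0.5 dst=185.28.119.179 dport=1234 ws_frame=out
2025-08-20T10:03:02Z src=10.0.0.5 dst=185.28.119.179 dport=1234 ws_frame=out
2025-08-20T10:00:00Z src=10.0.0.9 dst=203.0.113.7 dport=443 ws_frame=out
2025-08-20T10:00:05Z src=10.0.0.9 dst=203.0.113.7 dport=443 ws_frame=out
2025-08-20T10:03:10Z src=10.0.0.9 dst=203.0.113.7 dport=443 ws_frame=out
2025-08-20T10:03:11Z src=10.0.0.9 dst=203.0.113.7 dport=443 ws_frame=out
2025-08-20T10:00:00Z src=10.0.0.12 dst=198.51.100.20 dport=8080 ws_frame=out
2025-08-20T10:01:00Z src=10.0.0.12 dst=198.51.100.20 dport=8080 ws_frame=out
2025-08-20T10:02:00Z src=10.0.0.12 dst=198.51.100.20 dport=8080 ws_frame=out
2025-08-20T10:03:00Z src=10.0.0.12 dst=198.51.100.20 dport=8080 ws_frame=out
"""


def run_sample():
    return detect(SAMPLE_LOG.splitlines(),
                  load_c2_endpoints(TSUNDERE_C2_DEFANGED))


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

The jitter window is deliberately tight because the report describes a fixed one-minute timer; widen it (or require more frames) when the source is a per-connection flow log rather than per-frame records, since a persistent WebSocket shows up there as a single long flow, not a series of connections.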

Marketplace and control panel

No business is complete without a marketplace, and similarly, no botnet is complete without a control panel. The Tsundere botnet has both a marketplace and a control panel, which are integrated into the same frontend.

Tsundere botnet panel login

The notable aspect of Tsundere’s control panel, dubbed “Tsundere Netto” (version 2.4.4), is that it has an open registration system. Any user who accesses the login form can register and gain access to the panel, which features various tabs:

  • Bots: a dashboard displaying the number of bots under the user’s control
  • Settings: user settings and administrative functions
  • Build: if the user has an active license, they can create new bots using the two previously mentioned methodologies (MSI or PowerShell)
  • Market: this is the most interesting aspect of the panel, as it allows users to promote their individual bots and offer various services and functionalities to other threat actors. Each build can create a bot that performs a specific set of actions, which can then be offered to others
  • Monero wallet: a wallet service that enables users to make deposits or withdrawals
  • Socks proxy: a feature that allows users to utilize their bots as proxies for their traffic

Tsundere botnet control panel, building system and market

Each build generates a unique build ID, which is embedded in the implant and sent to the C2 server upon infection. This build ID can be linked to the user who created it. According to our research and analysis of other URLs found in the wild, builds are created through the panel and can be downloaded via the URL:

hxxps://idk.1f2e[REDACTED]07a4[.]net/api/builds/{BUILD-ID}.msi.

At the time of writing, the panel typically shows between 90 and 115 bots connected to the C2 server at any given time.

Attribution

Based on the text found in the implants, we assess with high confidence that the threat actor behind the Tsundere botnet is Russian-speaking. The use of the Russian language in the implants is consistent with previous attacks attributed to the same threat actor.

Russian being used throughout the code

Furthermore, our analysis suggests a connection between the Tsundere botnet and the 123 Stealer, a C++-based stealer available on the shadow market for $120 per month. This connection is based on the fact that both panels share the same server. Notably, the main domain serves as the frontend for the 123 Stealer panel, while the subdomain “idk.” is used for the Tsundere botnet panel.

123 Stealer C2 panel sharing Tsundere's infrastructure and showcasing its author

By examining the available evidence, we can link both threats to a Russian-speaking threat actor known as “koneko”. Koneko was previously active on a dark web forum, where they promoted the 123 Stealer, as well as other malware, including a backdoor. Although our analysis of the backdoor revealed that it was not directly related to Tsundere, it shared similarities with the Tsundere botnet in that it was written in Node.js and used PowerShell or MSI as infectors. Before the dark web forum was seized and shut down, koneko’s profile featured the title “node malware senior”, further suggesting their expertise in Node.js-based malware.

Conclusion

The Tsundere botnet represents a renewed effort by a threat actor we have tentatively identified to revamp their toolset. The Node.js-based bot is an evolution of an attack discovered in October of last year, and it now features a new strategy and even a new business model. Infections can occur through MSI and PowerShell files, which gives the operators flexibility in disguising installers, using phishing as a point of entry, or integrating with other attack mechanisms, making the threat even more formidable.

Additionally, the botnet leverages a technique that is gaining popularity: utilizing web3 contracts, also known as “smart contracts”, to host command-and-control (C2) addresses, which enhances the resilience of the botnet infrastructure. The botnet’s possible author, koneko, is also involved in peddling other threats, such as the 123 Stealer, which suggests that the threat is likely to escalate rather than diminish in the coming months. As a result, it is essential to closely monitor this threat and be vigilant for related threats that may emerge in the near future.

Indicators of compromise

More IoCs related to this threat are available to customers of the Kaspersky Intelligence Reporting Service. Contact: intelreports@kaspersky.com.

File hashes
235A93C7A4B79135E4D3C220F9313421
760B026EDFE2546798CDC136D0A33834
7E70530BE2BFFCFADEC74DE6DC282357
5CC5381A1B4AC275D221ECC57B85F7C3
AD885646DAEE05159902F32499713008
A7ED440BB7114FAD21ABFA2D4E3790A0
7CF2FD60B6368FBAC5517787AB798EA2
E64527A9FF2CAF0C2D90E2238262B59A
31231FD3F3A88A27B37EC9A23E92EBBC
FFBDE4340FC156089F968A3BD5AA7A57
E7AF0705BA1EE2B6FBF5E619C3B2747E
BFD7642671A5788722D74D62D8647DF9
8D504BA5A434F392CC05EBE0ED42B586
87CE512032A5D1422399566ECE5E24CF
B06845C9586DCC27EDBE387EAAE8853F
DB06453806DACAFDC7135F3B0DEA4A8F

File paths
%APPDATA%\Local\NodeJS

Domains and IPs
ws://185.28.119[.]179:1234
ws://196.251.72[.]192:1234
ws://103.246.145[.]201:1234
ws://193.24.123[.]68:3011
ws://62.60.226[.]179:3001

Cryptocurrency wallets
Note: These are wallets that have changed the C2 address in the smart contract since it was created.
0x73625B6cdFECC81A4899D221C732E1f73e504a32
0x10ca9bE67D03917e9938a7c28601663B191E4413
0xEc99D2C797Db6E0eBD664128EfED9265fBE54579
0xf11Cb0578EA61e2EDB8a4a12c02E3eF26E80fc36
0xdb8e8B0ef3ea1105A6D84b27Fc0bAA9845C66FD7
0x52221c293a21D8CA7AFD01Ac6bFAC7175D590A84
0x46b0f9bA6F1fb89eb80347c92c9e91BDF1b9E8CC