SendGrid A.I CyberSecurity Scoring
SendGrid
Company Information
Website: http://www.sendgrid.com/
Employees number: 41
Number of followers: 20,135
NAICS:
Industry Type: Information Technology & Services
Homepage: sendgrid.com
SendGrid Risk Score (AI oriented)
Between 700 and 749
Updated: 10/03/2026
737/1000
Moderate
Ba
Current Score
737 Ba (MODERATE)
Scale: 0 to 1000
1 incident
-19 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026: 738
MAY 2026: 738
APRIL 2026: 737
MARCH 2026: 737
FEBRUARY 2026: 736
JANUARY 2026: 736
DECEMBER 2025: 735
NOVEMBER 2025: 735
OCTOBER 2025: 753
Cyber Attack
01 Oct 2025 • SendGrid
SendGrid: Initial access hackers switch to Tsundere Bot for ransomware attacks
TA584 Initial Access Broker Expands Operations with Tsundere Bot and XWorm in Ransomware-Linked Campaigns
734
CRITICAL-19
SEN1769647301
A prolific initial access broker (IAB) tracked as TA584 has escalated its activity, deploying the Tsundere Bot malware alongside the XWorm remote access trojan (RAT) to compromise networks, likely as a precursor to ransomware attacks. Researchers at Proofpoint, who have monitored the group since 2020, report a threefold increase in TA584’s campaign volume in late 2025 and an expansion of its targeting beyond its traditional regions (North America, UK/Ireland) to include Germany, other European countries, and Australia.
### Attack Chain & Tactics
TA584’s latest campaigns begin with phishing emails sent via compromised, aged accounts using SendGrid and Amazon SES. Each target receives a unique URL, with geofencing, IP filtering, and redirect chains (often leveraging Keitaro TDS) to evade detection. Victims who pass these filters encounter a CAPTCHA page, followed by a ClickFix prompt instructing them to execute a PowerShell command, a tactic designed to bypass static defenses.
The command fetches an obfuscated script that loads XWorm or Tsundere Bot into memory, while the browser redirects to a benign site to mask the infection. TA584 has historically deployed a range of payloads, including Ursnif, LDR4, WarmCookie, Xeno RAT, Cobalt Strike, and DCRAT (still observed in 2025).
### Tsundere Bot: A Malware-as-a-Service Threat
Originally documented by Kaspersky in 2024 and linked to a Russian-speaking operator (with ties to 123 Stealer), Tsundere Bot functions as both a backdoor and loader. Key features include:
- Node.js dependency: The malware installs Node.js on victim systems via its command-and-control (C2) panel.
- Blockchain-based C2 retrieval: Uses a variant of EtherHiding to fetch C2 addresses from the Ethereum blockchain, with a hardcoded fallback.
- WebSocket communication: Evades traditional network monitoring.
- Geofencing: Aborts execution if the system locale matches CIS (Commonwealth of Independent States) languages, suggesting Russian origin.
- Data exfiltration & lateral movement: Collects system information, executes arbitrary JavaScript, and can turn infected hosts into SOCKS proxies.
- Bot marketplace: Operators can buy and sell access to compromised machines.
### Broader Implications
Proofpoint assesses with high confidence that Tsundere Bot infections could lead to ransomware deployment, given TA584’s history of facilitating such attacks. The group’s expanded targeting and experimentation with payloads suggest a growing threat, with researchers anticipating further diversification in victims and attack methods.
SEPTEMBER 2025: 753
AUGUST 2025: 753
JULY 2025: 753