
Initial access hackers switch to Tsundere Bot for ransomware attacks


A prolific initial access broker tracked as TA584 has been observed using Tsundere Bot alongside the XWorm remote access trojan to gain network access that could lead to ransomware attacks.

Proofpoint researchers have been tracking TA584's activity since 2020 and say that the threat actor has significantly increased its operations recently, introducing a continuous attack chain that undermines static detection.

Tsundere Bot was first documented by Kaspersky last year and attributed to a Russian-speaking operator with links to the 123 Stealer malware.

Although the goals and infection method remained murky at the time, Proofpoint says that "the malware can be used for information gathering, data exfiltration, lateral movement, and to install additional payloads."

“Given that Proofpoint has observed this malware used by TA584, researchers assess with high confidence Tsundere Bot malware infections could lead to ransomware,” the researchers note.

TA584 activity in late 2025 tripled in volume compared to Q1 of the same year and expanded beyond the standard targeting scope of North America and the UK/Ireland to include Germany, various European countries, and Australia.

[Figure: Number of TA584 campaigns. Source: Proofpoint]

The currently prevalent attack chain begins with emails sent from hundreds of compromised, aged accounts, delivered via SendGrid and Amazon Simple Email Service (SES).

The emails include a unique URL for each target, geofencing and IP filtering, and redirect chains that often pass through third-party traffic direction systems (TDS) such as Keitaro.
