Threat Intelligence Report: MuddyWater APT Leveraging Tsundere Botnet with Ethereum-Based C2 Infrastructure

1. Executive Summary

In March 2026, analysts investigated an exposed web server directory that appeared to be associated with the Iranian state-sponsored threat group MuddyWater. This threat actor has been active since at least 2017 and is widely known for conducting cyber-espionage operations targeting organizations worldwide.

During the investigation, researchers discovered a malicious PowerShell script that deploys the Tsundere botnet along with a persistence mechanism. Tsundere allows attackers to execute arbitrary commands on infected machines and uses an advanced command-and-control (C2) discovery technique called EtherHiding, where C2 infrastructure is stored in Ethereum blockchain smart contracts.

Evidence suggests the Tsundere malware may originate from a Russian Malware-as-a-Service (MaaS) ecosystem. This conclusion is supported by embedded checks within the malware that terminate execution if the victim system is located in CIS countries or Ukraine.

The campaign demonstrates how MuddyWater integrates third-party malware services into its operations while combining them with its own delivery infrastructure.


2. Threat Actor Overview

Threat Group: MuddyWater
Origin: Iran (state-sponsored)
Active Since: ~2017
Primary Objective: Cyber espionage and intelligence collection

MuddyWater has historically targeted organizations across multiple sectors and geographic regions. The group frequently uses PowerShell-based loaders, custom malware, and open-source tooling to compromise victim networks and maintain persistence.

The use of the Tsundere botnet in this campaign indicates that the group is leveraging externally developed MaaS tools, including those potentially created by Russian threat actors.


3. Initial Access and Stager Analysis

The investigation identified a PowerShell script named reset.ps1, which acts as a malware stager.

This script is responsible for:

  • Decoding the hex-encoded payloads
  • Decrypting them with AES
  • Executing the two resulting JavaScript-based malware components

Deployed Components

Component            File Name            Function
Tsundere Botnet      sysuu2etiprun.js     Main malware payload
Persistence Module   VfZUSQi6oerKau.js    Maintains long-term access

The script contains a function called bxgdbzgf, which performs AES decryption using three inputs:

  1. Hex-encoded encrypted payload
  2. Base64-encoded AES key
  3. Base64-encoded AES initialization vector (IV)

The function runs twice:

  • First to decrypt the Tsundere botnet
  • Second to decrypt the persistence module

Researchers reproduced the decryption process using CyberChef, which successfully extracted both payloads using the AES key and IV embedded in the script.


4. Tsundere Botnet Technical Analysis

The Tsundere botnet establishes encrypted communication with its command-and-control infrastructure using:

  • WebSockets
  • AES-256-CBC encryption

Instead of embedding the C2 server address directly in the malware, Tsundere retrieves it dynamically from the Ethereum blockchain.

This approach uses a technique called EtherHiding, where blockchain smart contracts store the encoded C2 address.


5. Regional Execution Restrictions

Before retrieving the C2 address, the malware checks the system language of the infected device.

The following PowerShell command is used:

powershell.exe -Command "[System.Globalization.CultureInfo]::InstalledUICulture.Name"

If the system language corresponds to any of the following countries, the malware immediately stops execution:

  • Armenia
  • Belarus
  • Kazakhstan
  • Kyrgyzstan
  • Moldova
  • Russia
  • Ukraine

This behavior is commonly seen in malware developed by actors who want to avoid infecting systems located within their own geopolitical region.


6. Blockchain-Based C2 Infrastructure

The Tsundere malware retrieves C2 information from a smart contract using multiple Ethereum RPC providers.

Identified Blockchain Components

Ethereum Wallet

0x002E9EB388CBD72BAD2E1409306AF719D0DB15E4

Smart Contract

0x2B77671CFEE4907776A95ABBB9681EEE598C102E

The malware queries multiple RPC endpoints simultaneously and selects the most frequently returned C2 address.

RPC Providers Used


7. Identified Command and Control Servers

Analysis of smart contract transactions revealed two Tsundere C2 servers:

IP Address       ASN      Provider
193.17.183.126   400992   ZhouyiSat Communications
185.236.25.119   400992   ZhouyiSat Communications

Three transactions from the wallet to the smart contract revealed these addresses.


8. Victim Fingerprinting

After connecting to the C2 server, the malware receives:

  • a 32-byte AES encryption key
  • a 16-byte AES initialization vector

The malware then generates a Hardware ID (HWID) for the infected machine.

The HWID is the SHA-256 hash of a JSON object containing the system fingerprint information listed below.

Collected System Information

  • Username
  • Computer name
  • Operating system platform
  • OS architecture
  • CPU model
  • GPU model
  • MAC address
  • Total RAM
  • Node.js version
  • Windows version
  • Volume serial number
  • BIOS information
  • Machine GUID

The HWID and collected fingerprint data are sent to the command-and-control server.


9. System Information Collection Commands

The malware gathers system information using built-in Windows utilities.

GPU Information

powershell.exe -Command "Get-WmiObject Win32_VideoController | Select-Object -ExpandProperty Name"

Windows Version

reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName

Volume Serial Number

vol

BIOS Information

reg.exe query "HKLM\HARDWARE\DESCRIPTION\System\BIOS"

Machine GUID

reg.exe query "HKLM\SOFTWARE\Microsoft\Cryptography" /v MachineGuid

10. Command Execution Mechanism

All communications between the infected host and the C2 server are encrypted using AES-256.

Responses from the C2 are delivered as JSON objects containing an id field.

ID Value   Function
1          JavaScript code execution
"pong"     Heartbeat response

When executable code is received, the malware dynamically creates a new JavaScript function from the message content and immediately executes it using .call().


11. Persistence Module Analysis

The persistence component (VfZUSQi6oerKau.js) prepares the environment for the malware to run.

Installed Dependencies

The module also checks whether Node.js and NPM are installed on the system.

If the environment is valid, it executes the Tsundere payload using:

  • spawn, or
  • execSync as a fallback method.

12. Registry Persistence

Persistence is established by creating a new entry within the Windows Run registry key.

Example command:

powershell -Command "Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -Name '9f3a7c1d4b2e8a0c6d5f1e9a3c7b0d12' -Value 'cmd.exe /c "C:\Users\<USERNAME>\AppData\Local\Nodejs\node-v18.17.0-win-x64\node.exe" " C:\Users\<USERNAME>\AppData\Local\Nodejs\VfZUSQi6oerKau.js"'"

The registry value name is a randomly generated 32-character hexadecimal string.

Analysts also observed that Russian language strings appear frequently within the persistence module.


13. Key Findings

  • MuddyWater deployed the Tsundere botnet using a PowerShell stager and Node.js persistence module.
  • The malware relies on blockchain-based C2 discovery through EtherHiding.
  • Tsundere contains language-based execution checks that prevent infection in CIS countries.
  • The JavaScript payloads were likely obfuscated using the public tool Obfuscator.io.

14. Security Recommendations

Organizations should implement the following defensive measures:

  1. Block cryptocurrency RPC providers commonly used for malware infrastructure.
  2. Deploy Endpoint Detection and Response (EDR) or Next-Generation Antivirus (NGAV) solutions.
  3. Implement continuous monitoring through Managed Detection and Response (MDR) services.
  4. Monitor for suspicious PowerShell activity and Node.js execution in user directories.
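As an added example that is not part of the report, the following Node.js script turns the behaviours described in sections 5, 9 and 12 into simple detection rules and runs them over constructed endpoint telemetry (process-creation and registry-value events, not real logs), then correlates hits per host, since a single rule such as a MachineGuid query also fires on legitimate software. The event schema (type, host, image, cmdline, key, data) is an assumed normalised form, not a specific product's format.

```javascript
// Detection rules derived from the behaviour documented in this report.
// Field names are my assumed normalised schema, not a real product's.
const RULES = [
  { name: 'ps_installed_ui_culture',       // section 5: region check
    match: e => e.type === 'process' && /powershell/i.test(e.image)
             && /InstalledUICulture/i.test(e.cmdline) },
  { name: 'fingerprint_registry_query',    // section 9: HWID inputs
    match: e => e.type === 'process' && /\breg(\.exe)?$/i.test(e.image)
             && /MachineGuid|DESCRIPTION\\System\\BIOS/i.test(e.cmdline) },
  { name: 'node_exe_in_user_profile',      // sections 11-12, recommendation 4
    match: e => e.type === 'process'
             && /\\Users\\[^\\]+\\AppData\\Local\\.*\\node\.exe$/i.test(e.image) },
  { name: 'run_key_hex_name_node_payload', // section 12: persistence entry
    match: e => e.type === 'registry' && /\\CurrentVersion\\Run\\[0-9a-f]{32}$/i.test(e.key)
             && /node\.exe/i.test(e.data) },
];

function evaluate(events) {
  const hits = [];
  events.forEach((e, i) => {
    for (const r of RULES) if (r.match(e)) hits.push({ index: i, host: e.host, rule: r.name });
  });
  return hits;
}

// Correlation: distinct rules per host. One rule alone is weak evidence
// (MachineGuid lookups are common); two or more of this chain merit a ticket.
function triage(events, threshold = 2) {
  const perHost = new Map();
  for (const h of evaluate(events)) {
    if (!perHost.has(h.host)) perHost.set(h.host, new Set());
    perHost.get(h.host).add(h.rule);
  }
  return [...perHost].filter(([, rules]) => rules.size >= threshold)
                     .map(([host, rules]) => ({ host, rules: [...rules].sort() }));
}

// Constructed sample telemetry (not real logs): WS1 shows the chain, WS2 is benign.
const NODE = String.raw`C:\Users\alice\AppData\Local\Nodejs\node-v18.17.0-win-x64\node.exe`;
const REG = String.raw`C:\Windows\System32\reg.exe`;
const SAMPLE_EVENTS = [
  { type: 'process', host: 'WS1', image: String.raw`C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe`,
    cmdline: 'powershell.exe -Command "[System.Globalization.CultureInfo]::InstalledUICulture.Name"' },
  { type: 'process', host: 'WS1', image: REG, cmdline: String.raw`reg.exe query "HKLM\SOFTWARE\Microsoft\Cryptography" /v MachineGuid` },
  { type: 'process', host: 'WS1', image: NODE, cmdline: '"' + NODE + '" sysuu2etiprun.js' },
  { type: 'registry', host: 'WS1', key: String.raw`HKCU\Software\Microsoft\Windows\CurrentVersion\Run\9f3a7c1d4b2e8a0c6d5f1e9a3c7b0d12`,
    data: 'cmd.exe /c "' + NODE + '" VfZUSQi6oerKau.js' },
  { type: 'process', host: 'WS2', image: REG, cmdline: String.raw`reg.exe query "HKLM\SOFTWARE\Microsoft\Cryptography" /v MachineGuid` },
  { type: 'process', host: 'WS2', image: String.raw`C:\Program Files\nodejs\node.exe`, cmdline: 'node.exe build.js' },
];
```

Running triage(SAMPLE_EVENTS) reports only WS1 with all four rules, while WS2's lone MachineGuid query stays below the threshold.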

15. Indicators of Compromise

C2 Infrastructure

Type   Value
IPv4   193.17.183.126
IPv4   185.236.25.119

Malware Files

SHA256 Hash                                                        Description
7ab597ff0b1a5e6916cad1662b49f58231867a1d4fa91a4edf7ecb73c3ec7fe6   PowerShell Stager reset.ps1
6a19953b6bb1b4eedb8beba5f9e1f4d1eb64a283a5f90f0deeba89593a3ca9f4   Tsundere sysuu2etiprun.js (obfuscated)
dd87dfb302501e3cbe2e59fca9e14bfd53e65ed313c1b70e4d7daf68d86386ff   Tsundere sysuu2etiprun.js (deobfuscated)
e3c0ffeb5fcaab75bb2cf32c930e32b3f219325cb72ba813a033531aa2ff0305   Persistence Module VfZUSQi6oerKau.js (obfuscated)
df8b94f7b3399b005cb64e879cfe04bfc3ba1499cf98608c10e532dbb493fa8d   Persistence Module VfZUSQi6oerKau.js (deobfuscated)