TA584 threat actor leverages Tsundere Bot and XWorm for network access

ID: 4b6fe353-aaad-5e46-bbef-d65e6dec5639

STIX ID: report--4b6fe353-aaad-5e46-bbef-d65e6dec5639

Feed Name: Proofpoint Blog

Threat Score
75/100

Date Published: 2026-01-29

Date Updated: 2026-04-28

...
...

TA584, an initial access broker tracked since 2020, has escalated activity by distributing Tsundere Bot and XWorm via phishing emails sent from compromised accounts and mass-mailing services (SendGrid, Amazon SES). The attack chain uses redirectors (e.g., Keitaro), geofencing and IP filters, CAPTCHA gating, and a PowerShell one-liner that loads malware into memory; Tsundere Bot gathers system data, can execute arbitrary code, and retrieves C2 addresses via the Ethereum blockchain. The campaign has expanded geographically into Europe and Australia and is likely designed to provide initial access for ransomware and other criminal operations.