Cybersecurity researchers have disclosed details of a new Rust-based backdoor called ChaosBot that can allow operators to conduct reconnaissance and execute arbitrary commands on compromised hosts.
“Threat actors leveraged compromised credentials that mapped to both Cisco VPN and an over-privileged Active Directory account named, ‘serviceaccount,'” eSentire said in a technical report published last week. “Using the compromised account, they leveraged WMI to execute remote commands across systems in the network, facilitating the deployment and execution of ChaosBot.”
The Canadian cybersecurity company said it first detected the malware in late September 2025 within a financial services customer’s environment.
ChaosBot is noteworthy for its abuse of Discord for command-and-control (C2). It gets its name from a Discord profile maintained by the threat actor behind it, who goes by the online moniker “chaos_00019” and is responsible for issuing remote commands to the infected devices. A second Discord user account associated with C2 operations is lovebb0024.
Alternatively, the malware has also been observed relying on phishing messages containing a malicious Windows shortcut (LNK) file as a distribution vector. Should the message recipient open the LNK file, a PowerShell command is executed to download and execute ChaosBot, while a decoy PDF masquerading as legitimate correspondence from the State Bank of Vietnam is displayed as a distraction mechanism.
The payload is a malicious DLL (“msedge_elf.dll”) that’s sideloaded using the Microsoft Edge binary called “identity_helper.exe,” after which it performs system reconnaissance and downloads a fast reverse proxy (FRP) to open a reverse proxy into the network and maintain persistent access to the compromised network.
The threat actors have also been found to leverage the malware to unsuccessfully configure a Visual Studio Code Tunnel service to act as an additional backdoor to enable command execution features. The malware’s primary function, however, is to interact with a Discord channel created by the operator with the victim’s computer name to receive further instructions.
Some of the supported commands are listed below –
- shell, to execute shell commands via PowerShell
- scr, to capture screenshots
- download, to download files to the victim device
- upload, to upload a file to the Discord channel
“New variants of ChaosBot evasion techniques to bypass ETW [Event Tracing for Windows] and virtual machines,” eSentire said.
“The first technique involves patching the first few instructions of ntdll!EtwEventWrite (xor eax, eax -> ret). The second technique checks the MAC addresses of the system against known Virtual Machine MAC address prefixes for VMware and VirtualBox. If a match is found, the malware exits.”
Chaos Ransomware Gains Destructive and Clipboard Hijacking Features
The disclosure comes Fortinet FortiGuard Labs detailed a new ransomware variant of Chaos written in C++ that introduces new destructive capabilities to irrevocably delete large files rather than encrypting them and manipulate clipboard content by swapping Bitcoin addresses with an attacker-controlled wallet to redirect cryptocurrency transfers.
“This dual strategy of destructive encryption and covert financial theft underscores Chaos’ transition into a more aggressive and multifaceted threat designed to maximize financial gain,” the company said.
By incorporating destructive extortion tactics and clipboard hijacking for cryptocurrency theft, the attackers aim to position Chaos-C++ ransomware as a potent tool that can not only encrypt files, but also delete the content of any file larger than 1.3 GB and facilitate financial fraud.
The Chaos-C++ ransomware downloader poses as bogus utilities like System Optimizer v2.1 to trick users into installing them. It’s worth mentioning here that previous iterations of Chaos ransomware, such as Lucky_Gh0$t, were distributed under the guise of OpenAI ChatGPT and InVideo AI.
Once launched, the malware checks for the presence of a file named “%APPDATA%READ_IT.txt,” which signals that the ransomware has already been executed on the machine. If the file exists, it enters into what’s called a monitoring mode to keep tabs on the system clipboard.
In the event the file is not present, Chaos-C++ checks if it’s running with administrative privileges, and if so, proceeds to run a series of commands to inhibit system recovery, and then launches the encryption process to fully encrypt files that are below 50 MB, while skipping those with a file size between 50 MB and 1.3 GB, presumably for efficiency reasons.
“Rather than relying solely on full file encryption, Chaos-C++ employs a combination of methods, including symmetric or asymmetric encryption and a fallback XOR routine,” Fortinet said. “Its versatile downloader also guarantees successful execution. Together, these approaches make the ransomware execution more robust and harder to disrupt.”
