Emergence of ChaosBot: A Rust-Based Malware Exploiting Discord for Command and Control

In late September 2025, cybersecurity researchers identified a new Rust-based backdoor malware named ChaosBot, which leverages Discord channels for command-and-control (C2) operations. This sophisticated malware enables attackers to perform reconnaissance and execute arbitrary commands on compromised systems.

Initial Detection and Deployment

The Canadian cybersecurity firm eSentire first detected ChaosBot within a financial services client’s network. Attackers gained access by exploiting compromised credentials associated with both Cisco VPN and an over-privileged Active Directory account named serviceaccount. Utilizing these credentials, they employed Windows Management Instrumentation (WMI) to execute remote commands across the network, facilitating the deployment and execution of ChaosBot.

Command-and-Control via Discord

A distinctive feature of ChaosBot is its use of Discord for C2 operations. The malware derives its name from a Discord profile maintained by the threat actor, known by the alias chaos_00019, who issues remote commands to infected devices. Another Discord user account linked to C2 activities is lovebb0024.

Distribution Methods

ChaosBot employs multiple distribution vectors:

1. Phishing Campaigns: The malware is disseminated through phishing emails containing malicious Windows shortcut (LNK) files. When recipients open these LNK files, a PowerShell command executes to download and run ChaosBot. Simultaneously, a decoy PDF, masquerading as legitimate correspondence from the State Bank of Vietnam, is displayed to divert attention.

2. DLL Sideloading: The payload, a malicious DLL named msedge_elf.dll, is sideloaded using the Microsoft Edge binary identity_helper.exe. Once executed, it conducts system reconnaissance and downloads a fast reverse proxy (FRP) to establish a reverse proxy into the network, ensuring persistent access.
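The sideloading step above leaves a clean signal in image-load telemetry: a legitimate Edge helper binary loading msedge_elf.dll from somewhere other than the Edge install directory. The following detection is an added example written for this article, not code from eSentire or from the ChaosBot sample; it runs over constructed Sysmon Event ID 7 (Image loaded) records, and the Edge install roots and the version folder in the sample paths are assumptions.

```python
"""Flag DLL sideloading of the kind described above: the Microsoft Edge
helper identity_helper.exe loading msedge_elf.dll from a location that is
not the Edge install directory, or a copy that is not Microsoft-signed.
Input records mimic Sysmon Event ID 7 fields (Image, ImageLoaded, Signed,
Signature); the events below are constructed for the example."""
from pathlib import PureWindowsPath

# Legitimate Edge install roots (assumption; adjust for non-default installs)
EDGE_ROOTS = (
    r"C:\Program Files\Microsoft\Edge\Application",
    r"C:\Program Files (x86)\Microsoft\Edge\Application",
)

# Host binary -> DLL it is abused to sideload, as named in the article
SIDELOAD_PAIRS = {"identity_helper.exe": "msedge_elf.dll"}


def _under(path: str, roots) -> bool:
    """True if `path` sits under any of `roots` (case-insensitive, any depth)."""
    p = PureWindowsPath(path)
    ancestors = {str(x).lower() for x in p.parents}
    return any(r.lower() in ancestors for r in roots)


def is_sideload(event: dict) -> bool:
    """True when a known host/DLL pair is loaded outside the expected
    location or without a Microsoft signature."""
    host = PureWindowsPath(event["Image"]).name.lower()
    dll = PureWindowsPath(event["ImageLoaded"]).name.lower()
    if SIDELOAD_PAIRS.get(host) != dll:
        return False  # not one of the abused pairs
    in_place = _under(event["Image"], EDGE_ROOTS) and _under(event["ImageLoaded"], EDGE_ROOTS)
    signed_ms = (event.get("Signed", "false").lower() == "true"
                 and "microsoft" in event.get("Signature", "").lower())
    return not (in_place and signed_ms)


def find_sideloads(events):
    """Return the subset of events that look like sideloading."""
    return [e for e in events if is_sideload(e)]


# Constructed sample events (version folder and user name are placeholders)
SAMPLE_EVENTS = [
    {   # benign: Edge's own helper loading its own DLL from the install dir
        "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\100.0.0.0\identity_helper.exe",
        "ImageLoaded": r"C:\Program Files (x86)\Microsoft\Edge\Application\100.0.0.0\msedge_elf.dll",
        "Signed": "true", "Signature": "Microsoft Corporation",
    },
    {   # suspicious: same pair, but both dropped into a user temp directory, DLL unsigned
        "Image": r"C:\Users\victim\AppData\Local\Temp\identity_helper.exe",
        "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\msedge_elf.dll",
        "Signed": "false", "Signature": "",
    },
    {   # unrelated image load, ignored
        "Image": r"C:\Windows\System32\notepad.exe",
        "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
        "Signed": "true", "Signature": "Microsoft Windows",
    },
]

if __name__ == "__main__":
    for hit in find_sideloads(SAMPLE_EVENTS):
        print("possible sideload:", hit["Image"], "->", hit["ImageLoaded"])
```

The check deliberately treats "unsigned DLL" and "wrong directory" as independent conditions: an attacker who copies the genuine signed helper next to a malicious DLL still trips the location test.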

Malware Capabilities

ChaosBot’s primary function is to interact with a Discord channel created by the operator, named after the victim’s computer, to receive further instructions. Supported commands include:

– shell: Executes shell commands via PowerShell.

– scr: Captures screenshots.

– download: Downloads files to the victim’s device.

– upload: Uploads files to the Discord channel.
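Because every one of these commands, and every upload back to the per-victim channel, goes through the Discord API, the C2 traffic described in the two sections above is visible to a web proxy. The detector below is an added example for this article, not eSentire's or the malware's code: it works over constructed proxy records (field names are assumptions) and flags processes other than a browser or the Discord client talking to Discord's API hosts, with extra weight on channel-message endpoints. The channel ID in the sample is a placeholder.

```python
"""Spot Discord-based C2 of the kind described above in web-proxy logs.
A user's Discord client or browser talking to discord.com is normal; a
sideloaded Edge helper calling the channel-messages API is not.
Records are a constructed, simplified proxy format: process, method, url."""
from urllib.parse import urlsplit

DISCORD_HOSTS = {"discord.com", "discordapp.com", "gateway.discord.gg"}

# Processes expected to reach Discord on a workstation (assumption; tune per fleet)
EXPECTED_CLIENTS = {"discord.exe", "msedge.exe", "chrome.exe", "firefox.exe"}


def classify(record: dict):
    """Return a list of reasons the record looks like C2, or None if benign."""
    url = urlsplit(record["url"])
    host = (url.hostname or "").lower()
    if host not in DISCORD_HOSTS and not host.endswith(".discord.com"):
        return None
    proc = record["process"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if proc in EXPECTED_CLIENTS:
        return None
    reasons = [f"unexpected process {proc} contacting {host}"]
    if "/api/" in url.path and "/channels/" in url.path:
        reasons.append("bot-style channel API call")
    if record.get("method", "").upper() == "POST" and url.path.endswith("/messages"):
        reasons.append("posting to a channel (possible upload or command result)")
    return reasons


def alerts(records):
    """Collect (process, url, reasons) for every suspicious record."""
    out = []
    for r in records:
        reasons = classify(r)
        if reasons:
            out.append((r["process"], r["url"], reasons))
    return out


# Constructed sample records; 000000000000000000 is a placeholder channel ID
SAMPLE_RECORDS = [
    {"process": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "method": "GET", "url": "https://discord.com/channels/@me"},
    {"process": r"C:\Users\victim\AppData\Local\Temp\identity_helper.exe",
     "method": "GET", "url": "https://discord.com/api/v10/channels/000000000000000000/messages"},
    {"process": r"C:\Users\victim\AppData\Local\Temp\identity_helper.exe",
     "method": "POST", "url": "https://discord.com/api/v10/channels/000000000000000000/messages"},
    {"process": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "method": "GET", "url": "https://example.com/update.txt"},
]

if __name__ == "__main__":
    for proc, url, reasons in alerts(SAMPLE_RECORDS):
        print(proc, url, "; ".join(reasons), sep="\n  ")
```

In a real deployment the allowlist is the fragile part: a PowerShell or LOLBin process reaching discord.com should alert regardless of path, and the channel-messages endpoint is worth a higher severity because the page describes the upload command writing stolen files there.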

Evasion Techniques

New variants of ChaosBot incorporate evasion techniques to bypass Event Tracing for Windows (ETW) and virtual machine detection:

1. ETW Bypass: The malware patches the initial instructions of `ntdll!EtwEventWrite` (replacing them with `xor eax, eax` followed by `ret`) to disable event tracing.

2. Virtual Machine Detection: ChaosBot checks the system’s MAC addresses against known virtual machine prefixes for VMware and VirtualBox. If a match is found, the malware terminates its execution.
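Both evasion techniques can be checked from the defender's side. The first function below integrity-checks the prologue of `ntdll!EtwEventWrite`: the `xor eax, eax; ret` stub the article describes assembles to the bytes 31 C0 C3 (or 33 C0 C3 with the alternate encoding of `xor`), so a process whose copy starts that way has had its tracing disabled. The second lists adapters whose MAC OUI falls in the VMware or VirtualBox ranges, so a sandbox operator knows in advance whether a sample that performs this check will refuse to run. This is an added example for this article, not code from eSentire or the malware; the OUI list is the publicly registered VMware and VirtualBox prefixes and is assumed to be what the sample compares against, and the live-read helper only works on Windows.

```python
"""Defender-side checks for the two ChaosBot evasion techniques.
(1) etw_event_write_patched: does an EtwEventWrite prologue look like the
    xor eax,eax / ret stub?  Detection only; nothing here writes memory.
(2) vm_adapters: which local MACs carry a VMware/VirtualBox OUI?"""
import ctypes
import sys

# x86/x64 encodings: xor eax,eax = 31 C0 or 33 C0; ret = C3
PATCHED_PROLOGUES = (b"\x31\xc0\xc3", b"\x33\xc0\xc3")


def etw_event_write_patched(prologue: bytes) -> bool:
    """True if the first bytes of EtwEventWrite are the stub, not a real prologue."""
    return any(prologue.startswith(stub) for stub in PATCHED_PROLOGUES)


def read_live_prologue(n: int = 8):
    """Windows only: return the first n bytes of ntdll!EtwEventWrite in this
    process, or None elsewhere. Run inside a process you suspect was patched."""
    if not sys.platform.startswith("win"):
        return None
    ntdll = ctypes.WinDLL("ntdll")
    addr = ctypes.cast(ntdll.EtwEventWrite, ctypes.c_void_p).value
    return ctypes.string_at(addr, n)


# Registered OUIs for the two hypervisors named in the article (assumption
# that these are the prefixes the sample keys on)
VM_OUIS = {
    "00:05:69": "VMware", "00:0c:29": "VMware",
    "00:1c:14": "VMware", "00:50:56": "VMware",
    "08:00:27": "VirtualBox",
}


def vm_adapters(macs):
    """Return (mac, vendor) for every MAC whose OUI matches a VM prefix.
    Accepts colon- or dash-separated, any case."""
    hits = []
    for mac in macs:
        norm = mac.lower().replace("-", ":")
        vendor = VM_OUIS.get(norm[:8])
        if vendor:
            hits.append((mac, vendor))
    return hits


if __name__ == "__main__":
    live = read_live_prologue()
    if live is not None:
        print("EtwEventWrite prologue:", live.hex(),
              "PATCHED" if etw_event_write_patched(live) else "intact")
    # Constructed MAC list: two VM adapters and one physical-looking one
    print(vm_adapters(["00:0C:29:AA:BB:CC", "00-50-56-11-22-33", "3C:22:FB:00:11:22"]))
```

A prologue check like this belongs in an EDR agent's periodic self-test rather than in a one-off script, since the patch is per-process and the malware applies it to itself; the MAC check is the mirror image of the malware's own, and the remediation for a sandbox is to assign a non-VM OUI to the analysis adapter.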

Evolution of Chaos Ransomware

In a related development, Fortinet FortiGuard Labs detailed a new variant of Chaos ransomware written in C++. This iteration introduces destructive capabilities, such as irreversibly deleting large files instead of encrypting them, and manipulates clipboard content by replacing Bitcoin addresses with those controlled by the attacker to redirect cryptocurrency transfers.

This dual strategy of destructive encryption and covert financial theft underscores Chaos’ transition into a more aggressive and multifaceted threat designed to maximize financial gain.

By incorporating destructive extortion tactics and clipboard hijacking for cryptocurrency theft, attackers aim to position Chaos-C++ ransomware as a potent tool that can not only encrypt files but also delete the content of any file larger than 1.3 GB and facilitate financial fraud.

Conclusion

The emergence of ChaosBot highlights the evolving landscape of cyber threats, where attackers leverage popular platforms like Discord for C2 operations and employ advanced evasion techniques to avoid detection. Organizations must remain vigilant, implement robust security measures, and educate employees about phishing tactics to mitigate the risks posed by such sophisticated malware.