
Cybersecurity researchers have revealed details of a new Rust-based backdoor called ChaosBot that allows operators to perform reconnaissance and execute arbitrary commands on compromised hosts.
“Threat actors exploited compromised credentials mapped to both Cisco VPN and an overprivileged Active Directory account named ‘serviceaccount’,” eSentire said in a technical report published last week. “The compromised accounts were used to leverage WMI to execute remote commands across systems within the network, facilitating the deployment and execution of ChaosBot.”
The Canadian cybersecurity firm said it first detected the malware within a financial services customer’s environment in late September 2025.
ChaosBot is notable for its abuse of Discord for command and control (C2). The name comes from a Discord profile, operated by the attacker under the handle “chaos_00019”, that is used to issue remote commands to infected devices. A second Discord user account, “lovebb0024”, is also associated with the C2 operations.
The malware has also been observed being distributed through phishing messages that carry malicious Windows Shortcut (LNK) files. When the recipient opens the LNK file, a PowerShell command is executed to download and run ChaosBot, which then displays a decoy PDF disguised as a legitimate communication from the State Bank of Vietnam to distract the victim.

The payload is a malicious DLL (“msedge_elf.dll”) that is sideloaded by a legitimate Microsoft Edge binary, “identity_helper.exe”. Once running, it performs system reconnaissance, downloads Fast Reverse Proxy (FRP), and opens a reverse proxy into the compromised network to maintain persistent access.
The attackers were also observed making an unsuccessful attempt to use the malware to configure the Visual Studio Code tunnel service, which would have served as an additional backdoor with command execution capabilities. The malware's main function, however, is to communicate with a Discord channel that the operator creates with the victim's computer name as the channel name, in order to receive further instructions.

Some of the supported commands are listed below.
- shell: run shell commands via PowerShell
- scr: capture screenshots
- download: download files to the victim device
- upload: upload files to a Discord channel
“New variants of ChaosBot use evasion techniques to evade ETW [Event Tracing for Windows] and virtual machines,” eSentire said.
“The first technique patches the first few instructions of ntdll!EtwEventWrite (xor eax, eax -> ret). The second technique matches the system’s MAC address with known virtual machine MAC address prefixes in VMware and VirtualBox. If a match is found, the malware exits.”
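Both evasion checks quoted above can be replicated from the defender's side: a memory-integrity collector can read the first bytes of ntdll!EtwEventWrite in a process and flag the "return immediately" stub, and an inventory of MAC addresses tells you which hosts the sample would refuse to run on (and therefore where a sandbox detonation will silently fail). The following Python is an added example, not eSentire's code or the malware's: the OUI prefixes are the commonly published VMware and VirtualBox ones (the report names only the vendors), the patch stubs are the two x86/x64 encodings of "xor eax, eax; ret" plus a bare "ret", and the host records and prologue bytes are constructed sample data. The live read of the current process only runs on Windows.

```python
import ctypes
import sys

# Stubs an ETW-patching backdoor writes over the start of the function. The report
# describes "xor eax, eax -> ret"; assemblers emit that as 31 C0 C3 or 33 C0 C3.
# A bare "ret" (C3) is included as a common variant (assumption, not from the report).
ETW_PATCH_STUBS = (b"\x31\xc0\xc3", b"\x33\xc0\xc3", b"\xc3")

# Commonly published OUI prefixes for VMware and VirtualBox virtual NICs.
# The report names the vendors but not the prefixes; these are assumed.
VM_MAC_PREFIXES = {
    "00:05:69": "VMware", "00:0C:29": "VMware", "00:1C:14": "VMware", "00:50:56": "VMware",
    "08:00:27": "VirtualBox", "0A:00:27": "VirtualBox host-only",
}


def is_etw_write_patched(prologue: bytes) -> bool:
    """True if the first bytes of a function are one of the known early-return stubs."""
    return any(prologue.startswith(stub) for stub in ETW_PATCH_STUBS)


def vm_vendor_for_mac(mac: str):
    """Return the VM vendor for a MAC whose OUI is in the list, else None.
    Accepts ':' or '-' separators and any letter case."""
    oui = mac.strip().upper().replace("-", ":")[:8]
    return VM_MAC_PREFIXES.get(oui)


def read_live_etw_prologue(length: int = 8):
    """On Windows, read the first bytes of ntdll!EtwEventWrite in this process.
    Returns None on other platforms so the rest of the example still runs."""
    if sys.platform != "win32":
        return None
    k32 = ctypes.windll.kernel32
    k32.GetModuleHandleW.restype = ctypes.c_void_p
    k32.GetModuleHandleW.argtypes = [ctypes.c_wchar_p]
    k32.GetProcAddress.restype = ctypes.c_void_p
    k32.GetProcAddress.argtypes = [ctypes.c_void_p, ctypes.c_char_p]
    ntdll = k32.GetModuleHandleW("ntdll.dll")
    addr = k32.GetProcAddress(ntdll, b"EtwEventWrite")
    return ctypes.string_at(addr, length)


# Constructed sample records, as a memory-integrity collector might report them.
# The "unpatched" prologue bytes are invented filler, not the real function.
SAMPLE_HOSTS = [
    {"host": "ws-01", "mac": "3C:22:FB:10:20:30", "etw_prologue": b"\x48\x83\xec\x58\x4c\x8b\xdc"},
    {"host": "ws-02", "mac": "00:0C:29:AA:BB:CC", "etw_prologue": b"\x33\xc0\xc3\xcc\xcc\xcc\xcc"},
    {"host": "ws-03", "mac": "08-00-27-11-22-33", "etw_prologue": b"\x48\x83\xec\x58\x4c\x8b\xdc"},
]


def triage(hosts):
    """Per host: is EtwEventWrite patched, and would this sample exit there because of the MAC?"""
    return [
        {
            "host": h["host"],
            "etw_patched": is_etw_write_patched(h["etw_prologue"]),
            "vm_vendor": vm_vendor_for_mac(h["mac"]),
        }
        for h in hosts
    ]


if __name__ == "__main__":
    for finding in triage(SAMPLE_HOSTS):
        print(finding)
    live = read_live_etw_prologue()
    if live is not None:
        print("this process EtwEventWrite:", live.hex(), "patched:", is_etw_write_patched(live))
```

A host that reports etw_patched is worth a memory capture regardless of which malware did it; the MAC check is the opposite kind of signal, telling you that a detonation on a VMware or VirtualBox guest with a default NIC will exit before doing anything, so give the sandbox a non-VM OUI before expecting behaviour.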
Chaos ransomware gains destructive clipboard hijacking capabilities
Alongside this disclosure, Fortinet FortiGuard Labs detailed a new Chaos ransomware variant written in C++. It introduces destructive capabilities that irrevocably delete large files rather than encrypting them, and it tampers with the clipboard by swapping Bitcoin addresses for attacker-controlled wallets, redirecting cryptocurrency transfers to the attacker.
“The dual strategy of destructive encryption and covert financial theft highlights Chaos’ transition to a more aggressive, multifaceted threat aimed at maximizing financial gain,” the company said.
By combining destructive extortion with clipboard hijacking for cryptocurrency theft, the attackers position Chaos-C++ as a tool that not only encrypts files but also wipes files larger than 1.3 GB and diverts victims' cryptocurrency payments.

The Chaos-C++ downloader disguises itself as a utility such as “System Optimizer v2.1” to trick users into installing it. Previous versions of Chaos ransomware, such as Lucky_Gh0$t, were distributed under the guise of OpenAI ChatGPT and InVideo AI.
Once launched, the malware checks for a file named “%APPDATA%\READ_IT.txt”, whose presence indicates that the ransomware has already run on the machine. If the file exists, it enters a so-called watch mode and monitors the system clipboard.
If the file does not exist, Chaos-C++ checks whether it is running elevated and, if so, runs a series of commands that inhibit system recovery and then starts encryption. Files smaller than 50 MB are fully encrypted, files between 50 MB and 1.3 GB are skipped, probably for efficiency, and files larger than 1.3 GB are destroyed rather than encrypted, as noted above.
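The watch mode described above, and the address swapping it performs, leaves a pattern a defender can look for: one valid Bitcoin address in the clipboard is replaced by a different valid address within a fraction of a second, with no user action in between. The following Python is an added example, not Fortinet's or the malware's code. It validates legacy base58check addresses properly (double-SHA256 checksum, mainnet version bytes 0x00 and 0x05), recognises bech32 "bc1" addresses by syntax only (checksum not verified, a simplification), and runs the check over a constructed sequence of clipboard snapshots. The two-second window, the sample events and the attacker address (fabricated from a fixed hash) are assumptions.

```python
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Bech32 (bc1...) addresses: character set and length only; checksum is not verified here.
BECH32_RE = re.compile(r"^bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{39,59}$")


def b58check_encode(version: int, hash160: bytes) -> str:
    """Build a legacy address: version byte + 20-byte hash + 4-byte double-SHA256 checksum.
    Used only to fabricate a plausible attacker address for the sample data."""
    body = bytes([version]) + hash160
    raw = body + hashlib.sha256(hashlib.sha256(body).digest()).digest()[:4]
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58[rem] + out
    leading_zero_bytes = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * leading_zero_bytes + out


def is_legacy_btc_address(addr: str) -> bool:
    """True for a well-formed mainnet P2PKH (1...) or P2SH (3...) base58check address."""
    if not 26 <= len(addr) <= 35 or any(c not in B58 for c in addr):
        return False
    n = 0
    for c in addr:
        n = n * 58 + B58.index(c)
    try:
        raw = n.to_bytes(25, "big")   # version + hash160 + checksum = 25 bytes
    except OverflowError:
        return False
    body, checksum = raw[:21], raw[21:]
    expected = hashlib.sha256(hashlib.sha256(body).digest()).digest()[:4]
    return checksum == expected and body[0] in (0x00, 0x05)


def is_btc_address(text: str) -> bool:
    return is_legacy_btc_address(text) or bool(BECH32_RE.match(text))


def detect_clipboard_swaps(events, window_s: float = 2.0):
    """events: (timestamp_seconds, clipboard_text) snapshots in time order.
    Returns [(original, replacement, seconds_between)] for every case where one valid
    address was replaced by a different valid address within window_s seconds."""
    alerts = []
    last_addr = None
    for ts, text in events:
        text = text.strip()
        if not is_btc_address(text):
            last_addr = None        # unrelated clipboard content resets the comparison
            continue
        if last_addr and last_addr[1] != text and ts - last_addr[0] <= window_s:
            alerts.append((last_addr[1], text, round(ts - last_addr[0], 3)))
        last_addr = (ts, text)
    return alerts


# Constructed sample data (not from the report): the victim copies the well-known
# genesis-block address; 150 ms later the clipboard holds a different valid address.
VICTIM_ADDR = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
ATTACKER_ADDR = b58check_encode(0x05, b"\x11" * 20)   # fabricated P2SH-style address
SAMPLE_EVENTS = [
    (0.00, "meeting notes"),
    (1.00, VICTIM_ADDR),
    (1.15, ATTACKER_ADDR),
    (9.00, "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"),  # later, legitimate copy
]

if __name__ == "__main__":
    for original, replacement, dt in detect_clipboard_swaps(SAMPLE_EVENTS):
        print(f"clipboard swap after {dt}s: {original} -> {replacement}")
```

On a live Windows host the snapshot list would come from polling the clipboard a few times per second; the important design choice is that an alert requires two different valid addresses, so a user pasting the same address twice or copying unrelated text never fires, while the hijacker's near-instant replacement does.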
“Rather than relying solely on full file encryption, Chaos-C++ employs a combination of methods, including symmetric or asymmetric encryption and fallback XOR routines,” Fortinet said. “A versatile downloader also ensures successful execution. Combining these approaches makes ransomware execution more robust and less likely to be interrupted.”
