New Rust-Based Malware "ChaosBot" Uses Discord Channels to Control Victims' PCs - The Hacker News

October 13, 2025 at 5:10 AM

A recent discovery by cybersecurity researchers has unveiled a new malware named ChaosBot, crafted in Rust, which poses a significant threat by allowing cybercriminals to conduct reconnaissance and execute arbitrary commands on compromised systems. This malware was first identified by the Canadian cybersecurity firm eSentire in late September 2025 while monitoring a financial services client's network.

ChaosBot is notable for using Discord channels as its command-and-control (C2) mechanism: the operators issue commands to infected hosts through Discord accounts, chiefly one under the alias "chaos_00019". A second Discord account, "lovebb0024", is also involved in the C2 operations.

The malware spreads through phishing messages that include a malicious Windows shortcut (LNK) file. When the recipient opens this file, a PowerShell command is executed, leading to the download and execution of ChaosBot. Meanwhile, a decoy PDF, masquerading as legitimate communication from the State Bank of Vietnam, serves as a distraction.

The core payload, a malicious DLL named "msedge_elf.dll", is sideloaded via Microsoft's "identity_helper.exe" binary. Once deployed, it conducts system reconnaissance and uses a fast reverse proxy (FRP) to maintain persistent access to the network. Additionally, attempts were made to configure a Visual Studio Code Tunnel service as a secondary backdoor.

ChaosBot's capabilities include executing shell commands, capturing screenshots, and transferring files, all coordinated through a Discord channel named after the victim's computer. It also employs evasion techniques, bypassing Event Tracing for Windows (ETW) and detecting virtual machines, to hinder detection and analysis.
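The delivery and execution chain described above (an LNK-launched PowerShell download, the identity_helper.exe / msedge_elf.dll sideload, and Discord as C2) leaves telemetry a defender can alert on. The following is an added example, not code from the article, eSentire or any malware sample: three simple rules run over constructed Sysmon-style events. The Sysmon event IDs (1 process creation, 7 image load, 3 network connection) and field names are real; the events, user name and paths are made up, and the Microsoft Edge install directory used for the benign event is an assumption about where identity_helper.exe normally lives, not a fact stated in the article.

```python
"""Added example: toy detection rules for the ChaosBot chain, run over
constructed Sysmon-style events (not the article's or eSentire's code)."""
import re

# Constructed telemetry, Sysmon events flattened to dicts: one malicious chain
# (events 2-5) and one benign Edge image load (event 6) that must not alert.
# The "Program Files" Edge path is an assumed legitimate location.
EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\explorer.exe", "ParentImage": "",
     "CommandLine": "explorer.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'powershell.exe -w hidden -c "iwr https://example.invalid/p -OutFile $env:TEMP\p.zip"'},
    {"EventID": 1, "Image": r"C:\Users\u\AppData\Local\Temp\identity_helper.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "identity_helper.exe"},
    {"EventID": 7, "Image": r"C:\Users\u\AppData\Local\Temp\identity_helper.exe",
     "ImageLoaded": r"C:\Users\u\AppData\Local\Temp\msedge_elf.dll"},
    {"EventID": 3, "Image": r"C:\Users\u\AppData\Local\Temp\identity_helper.exe",
     "DestinationHostname": "discord.com", "DestinationPort": 443},
    {"EventID": 7, "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\identity_helper.exe",
     "ImageLoaded": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge_elf.dll"},
]

# Directories an ordinary user can write to; a signed Microsoft binary loading
# its companion DLL from here is the sideloading signal.
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)|ProgramData|Windows\\Temp)\\",
    re.I)
# PowerShell download primitives commonly seen in LNK-launched one-liners.
DOWNLOAD_CMDLET = re.compile(
    r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile|start-bitstransfer)\b",
    re.I)
DISCORD_HOSTS = {"discord.com", "discordapp.com", "gateway.discord.gg"}
# Processes from which Discord traffic is expected; anything else is suspicious.
EXPECTED_DISCORD_CLIENTS = {"discord.exe", "msedge.exe", "chrome.exe", "firefox.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule_name, offending_image) for every event that matches a rule."""
    hits = []
    for ev in events:
        eid, image = ev.get("EventID"), ev.get("Image", "")
        if (eid == 1 and basename(image) in {"powershell.exe", "pwsh.exe"}
                and basename(ev.get("ParentImage", "")) == "explorer.exe"
                and DOWNLOAD_CMDLET.search(ev.get("CommandLine", ""))):
            # Rule 1: a file opened from Explorer (e.g. an LNK) spawned a
            # downloading PowerShell.
            hits.append(("explorer_powershell_download", image))
        elif (eid == 7 and basename(ev.get("ImageLoaded", "")) == "msedge_elf.dll"
                and basename(image) == "identity_helper.exe"
                and USER_WRITABLE.search(image)):
            # Rule 2: the sideloading pair runs out of a user-writable directory.
            hits.append(("msedge_elf_sideload_user_dir", image))
        elif (eid == 3 and ev.get("DestinationHostname", "").lower() in DISCORD_HOSTS
                and basename(image) not in EXPECTED_DISCORD_CLIENTS):
            # Rule 3: Discord traffic from neither a browser nor the Discord client.
            hits.append(("discord_from_unexpected_process", image))
    return hits


if __name__ == "__main__":
    for rule, image in detect(EVENTS):
        print(f"{rule}: {image}")
```

Rule 2 is the most durable of the three: the legitimate Edge copy of identity_helper.exe loads msedge_elf.dll from the install directory, so restricting the alert to user-writable paths keeps the benign event quiet while still catching the relocated pair. Rule 3 will need an allow-list tuned to the environment, since legitimate Discord-integrated applications exist.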

In a related development, Fortinet FortiGuard Labs has reported on a new ransomware variant of Chaos, written in C++, which introduces destructive features and financial theft capabilities. This variant not only encrypts files but can also delete files larger than 1.3 GB and hijack clipboard content to redirect cryptocurrency transactions. This evolution marks Chaos as a more aggressive threat, combining destructive tactics with financial fraud.
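Clipboard hijacking of the kind attributed above to the Chaos C++ variant works because a cryptocurrency address is long and opaque, so a silently swapped address is rarely noticed before the transaction is sent. The following is an added example, not code from the article or from Fortinet: a paste-guard check that compares what the user copied with what is about to be pasted and flags an address that was replaced in between. The address patterns are standard regexes for Bitcoin (legacy/P2SH and bech32) and Ethereum formats; the sample addresses are constructed strings with no real value.

```python
"""Added example: clipboard paste guard against cryptocurrency address
swapping (not code from the article or Fortinet)."""
import re

# Common address shapes. Pattern matching is deliberately loose: the goal is
# to notice a swap, not to validate checksums.
ADDRESS_PATTERNS = {
    "btc_legacy_or_p2sh": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{11,71}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify(text: str):
    """Return the address family name if text looks like an address, else None."""
    text = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return name
    return None


def check_paste(copied: str, pasted: str):
    """Compare the value the user copied with the value being pasted.

    Returns None when the paste is safe and a reason string otherwise."""
    kind_pasted = classify(pasted)
    if kind_pasted is None:
        return None                      # not an address, nothing to guard
    if copied.strip() == pasted.strip():
        return None                      # unchanged since the user copied it
    kind_copied = classify(copied)
    if kind_copied is None:
        return "clipboard now holds an address the user never copied"
    return f"{kind_copied} address replaced by a different {kind_pasted} address"


def audit(log):
    """Run check_paste over (copied, pasted) pairs and return the alerts."""
    return [(i, reason) for i, (c, p) in enumerate(log)
            if (reason := check_paste(c, p)) is not None]


# Constructed clipboard history: each pair is (what the user copied,
# what the clipboard held at paste time). Addresses are made-up strings.
SAMPLE_LOG = [
    ("1" + "A" * 33, "1" + "A" * 33),          # untouched legacy address
    ("1" + "A" * 33, "1" + "B" * 33),          # swapped for a different one
    ("meeting notes", "0x" + "ab" * 20),       # address appeared out of nowhere
    ("bc1q" + "a" * 30, "bc1q" + "a" * 30),    # untouched bech32 address
]

if __name__ == "__main__":
    for index, reason in audit(SAMPLE_LOG):
        print(f"entry {index}: {reason}")
```

A wallet or clipboard manager that performs this check at paste time turns a silent redirection into a visible prompt; the same comparison can be run by an endpoint agent that records what was copied and what a process subsequently wrote to the clipboard.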

The Chaos-C++ ransomware disguises itself as utilities such as "System Optimizer v2.1" to trick users into installing it. It checks for a specific marker file to determine whether it has already run and, if not, proceeds with encryption. The variant combines several encryption techniques with checks that keep it running reliably, making it a formidable threat.



Source: The Hacker News