Cybersecurity researchers have disclosed details of a new Rust-based backdoor called ChaosBot that can allow operators to conduct reconnaissance and execute arbitrary commands on compromised hosts.
“Threat actors leveraged compromised credentials that mapped to both Cisco VPN and an over-privileged Active Directory account named, ‘serviceaccount,'” eSentire said in a technical report published last week. “Using the compromised account, they leveraged WMI to execute remote commands across systems in the network, facilitating the deployment and execution of ChaosBot.”
The Canadian cybersecurity company said it first detected the malware in late September 2025 within a financial services customer’s environment.
ChaosBot is noteworthy for its abuse of Discord for command-and-control (C2). It gets its name from a Discord profile maintained by the threat actor behind it, who goes by the online moniker “chaos_00019” and is responsible for issuing remote commands to the infected devices. A second Discord user account associated with C2 operations is lovebb0024.
Alternatively, the malware has also been observed relying on phishing messages containing a malicious Windows shortcut (LNK) file as a distribution vector. Should the message recipient open the LNK file, a PowerShell command is executed to download and execute ChaosBot, while a decoy PDF masquerading as legitimate correspondence from the State Bank of Vietnam is displayed as a distraction mechanism.
The payload is a malicious DLL (“msedge_elf.dll”) that’s sideloaded using the Microsoft Edge binary called “identity_helper.exe,” after which it performs system reconnaissance and downloads a fast reverse proxy (FRP) to open a reverse proxy into the network and maintain persistent access to the compromised network.
The threat actors have also been found to leverage the malware to unsuccessfully configure a Visual Studio Code Tunnel service to act as an additional backdoor to enable command execution features. The malware’s primary function, however, is to interact with a Discord channel created by the operator with the victim’s computer name to receive further instructions.
Some of the supported commands are listed below –
- shell, to execute shell commands via PowerShell
- scr, to capture screenshots
- download, to download files to the victim device
- upload, to upload a file to the Discord channel
“New variants of ChaosBot make use of evasion techniques to bypass ETW [Event Tracing for Windows] and virtual machines,” eSentire said.
“The first technique involves patching the first few instructions of ntdll!EtwEventWrite (xor eax, eax -> ret). The second technique checks the MAC addresses of the system against known Virtual Machine MAC address prefixes for VMware and VirtualBox. If a match is found, the malware exits.”
Chaos Ransomware Gains Destructive and Clipboard Hijacking Features
The disclosure comes Fortinet FortiGuard Labs…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
