Cybersecurity researchers have disclosed a new Rust-based backdoor named ChaosBot that lets operators perform reconnaissance and run arbitrary commands on compromised Windows hosts, while a related Chaos-C++ ransomware family has evolved with destructive and clipboard-hijacking capabilities. eSentire, which first detected ChaosBot in late September 2025 within a financial services environment, says attackers used compromised credentials — including those mapped to Cisco VPN and an over-privileged Active Directory account named serviceaccount — to move laterally, execute remote commands with WMI, and deploy ChaosBot across the network. Multiple distribution techniques have been observed: phishing messages containing malicious Windows shortcut (LNK) files that trigger PowerShell to download the payload, and credential-based intrusions that leverage existing access to push the malware. Victims who open the LNK are shown a decoy PDF purporting to be legitimate correspondence from State Bank of Vietnam while the backdoor silently installs.
ChaosBot stands out because it abuses Discord as its primary command-and-control channel. The malware contacts Discord profiles controlled by the operator — including an account using the handle chaos_00019 and a secondary account lovebb0024 — and listens on channels named after infected machines for instructions. Operators can issue shell commands via PowerShell, capture screenshots, download and upload files, and execute other remote tasks. The payload commonly appears as a malicious DLL called msedge_elf.dll that is sideloaded via a Microsoft Edge binary named identity_helper.exe. After initial reconnaissance, ChaosBot also downloads a fast reverse proxy to establish persistent reverse proxy access into the compromised environment. Researchers noted attempts to configure Visual Studio Code Tunnel as an additional backdoor, though those attempts were not always successful. Newer variants incorporate evasion mechanisms that patch ntdll!EtwEventWrite to blunt Event Tracing for Windows and check MAC address prefixes associated with VMware and VirtualBox to avoid running inside virtual machines.
Closely related activity from attackers using Chaos tooling has produced a C++ variant of Chaos ransomware that shifts from pure encryption to a mixed, more destructive model. Fortinet FortiGuard Labs describes Chaos-C++ as capable of irrevocably deleting large files rather than encrypting them and of hijacking clipboard contents to swap legitimate Bitcoin addresses with attacker-controlled wallets. This dual approach — destructive file deletion combined with covert redirection of cryptocurrency payments — increases pressure on victims and can multiply financial harm. The ransomware downloader often masquerades as bogus utility installers such as System Optimizer v2.1, and earlier Chaos variants were distributed under false pretenses like fake OpenAI ChatGPT or InVideo AI tools. Once executed, Chaos-C++ checks for a sentinel file at %APPDATA%\READ_IT.txt to decide between monitoring clipboard activity and initiating a full encryption routine; when run with administrative privileges it disables recovery features and encrypts files under about 50 MB while omitting mid-sized files up to 1.3 GB, and it deletes files larger than that threshold in some destructive variants.
Researchers warn that the combined toolkit represents a resilient and adaptable threat: modular backdoors that communicate over legitimate platforms such as Discord, covert download and sideload techniques that abuse trusted binaries, and ransomware that blends encryption with outright destruction and financial theft. Organizations should prioritize credential hygiene, multifactor authentication, strict privilege management for service accounts, and robust phishing defenses to limit initial access. Monitoring for unusual uses of developer and collaboration platforms, scanning for suspicious DLL sideloading, and keeping telemetry enabled to detect ETW patching attempts are also recommended steps for defenders confronting this emergent threat.
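One concrete form the "scanning for suspicious DLL sideloading" recommendation can take is a heuristic over image-load telemetry for the identity_helper.exe / msedge_elf.dll pair described above. This is an added example, not code from the article or the cited researchers; the sample events are constructed, and the Edge install directories, the Sysmon-style field layout and the signer check are assumptions.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Assumed legitimate install roots for Microsoft Edge (64- and 32-bit layouts).
EDGE_INSTALL_DIRS = (
    r"C:\Program Files\Microsoft\Edge\Application",
    r"C:\Program Files (x86)\Microsoft\Edge\Application",
)

@dataclass(frozen=True)
class ImageLoad:  # one image-load event, fields modelled on Sysmon Event ID 7
    process_image: str  # path of the process that loaded the DLL
    loaded_image: str   # path of the DLL that was loaded
    signed: bool        # whether the DLL's Authenticode signature validated
    signer: str         # signer subject; empty when unsigned

def _under(path: str, roots) -> bool:
    """True when path lies beneath one of roots (PureWindowsPath compares case-insensitively)."""
    parents = PureWindowsPath(path).parents
    return any(PureWindowsPath(r) in parents for r in roots)

def sideload_findings(events):
    """Return [(dll_path, [reasons])] for identity_helper.exe -> msedge_elf.dll loads that look wrong."""
    findings = []
    for ev in events:
        proc = PureWindowsPath(ev.process_image).name.lower()
        dll = PureWindowsPath(ev.loaded_image).name.lower()
        if proc != "identity_helper.exe" or dll != "msedge_elf.dll":
            continue  # only the loader/DLL pair this sideload relies on is of interest
        reasons = []
        if not _under(ev.loaded_image, EDGE_INSTALL_DIRS):
            reasons.append("msedge_elf.dll loaded from outside the Edge install directory")
        if not _under(ev.process_image, EDGE_INSTALL_DIRS):
            reasons.append("identity_helper.exe running outside the Edge install directory")
        if not ev.signed or "microsoft" not in ev.signer.lower():
            reasons.append("DLL unsigned or not signed by Microsoft")  # cheap, not conclusive
        if reasons:
            findings.append((ev.loaded_image, reasons))
    return findings

# Constructed sample telemetry: a legitimate Edge load, a sideload from a temp dir, an unrelated load.
_EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\131.0.0.0"  # version is a placeholder
_TMP = r"C:\Users\user\AppData\Local\Temp\update"
SAMPLE_EVENTS = [
    ImageLoad(_EDGE + r"\identity_helper.exe", _EDGE + r"\msedge_elf.dll", True, "Microsoft Corporation"),
    ImageLoad(_TMP + r"\identity_helper.exe", _TMP + r"\msedge_elf.dll", False, ""),
    ImageLoad(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\ntdll.dll", True, "Microsoft Windows"),
]

print(sideload_findings(SAMPLE_EVENTS))  # only the temp-directory load is reported
```

In a real deployment the same function would consume exported image-load events rather than the embedded list; the legitimate Edge load produces no finding, so the rule stays quiet on normal browser activity.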