
A dangerous new malware strain, dubbed ChaosBot, is raising alarms in the cybersecurity community for its use of novel techniques, including leveraging Discord channels for command and control (C2).
Written in the Rust programming language, ChaosBot is a stealthy backdoor that allows attackers to issue remote instructions to compromised systems, according to research by eSentire’s Threat Response Unit. The discovery highlights the escalating sophistication of threat actors and the need for more adaptive defense strategies.
Inside the ChaosBot Attack
First detected in a financial services environment in late September 2025, ChaosBot’s initial access was gained through compromised credentials for a Cisco VPN and an over-privileged Active Directory account. This access allowed attackers to use Windows Management Instrumentation (WMI) to execute commands remotely and distribute the malware across the network.
The operators behind ChaosBot, identified by Discord aliases like “chaos_00019” and “lovebb0024,” use Discord channels to communicate with infected machines, allowing them to issue commands such as:
- shell: Executes PowerShell commands on the victim’s device.
- scr: Captures and uploads screenshots.
- download and upload: Transfers files between the attacker and the compromised system.
In other observed cases, attackers deliver the malware through phishing emails containing a malicious Windows shortcut (.LNK) file.
When opened, the LNK file executes a PowerShell script that fetches and runs ChaosBot, all while displaying a benign-looking PDF as a decoy.
Advanced Evasion and Persistence
Once active, ChaosBot uses several advanced techniques to evade detection:
- DLL Sideloading: It executes its payload (msedge_elf.dll) by sideloading it using a legitimate Microsoft Edge binary, identity_helper.exe, a technique that helps it blend in with normal system activity.
- Reverse Proxy: The malware establishes a fast reverse proxy (FRP) tunnel into the network, and in some cases attempts to use a Visual Studio Code tunnel, to maintain persistent access.
- Anti-VM checks: It checks for common Virtual Machine MAC addresses and aborts execution if it detects a virtualized environment, a common tactic to thwart analysis by security researchers.
- ETW Patching: The malware patches Event Tracing for Windows (ETW) in its own process, effectively blinding endpoint detection and response (EDR) tools that rely on ETW telemetry to monitor its activity.
ChaosBot: A Broader, Evolving Threat
ChaosBot is part of a larger, evolving threat landscape. The broader Chaos ransomware family, from which ChaosBot likely derives, has also been observed in newer, more destructive variants.
A C++ version of Chaos ransomware can delete large files rather than just encrypting them. It can also hijack the clipboard to swap cryptocurrency addresses, intensifying the financial risk for victims.
Rethinking Defense Strategies
Traditional, signature-based security tools are largely ineffective against such sophisticated and evasive malware. Cybersecurity experts recommend a layered defense that prioritizes behavioral monitoring over static signatures. Recommended strategies include:
- Behavioral Monitoring: Detecting anomalous process and network activity.
- Credential Hygiene: Enforcing strict access controls and multi-factor authentication (MFA) to prevent compromised credentials from being leveraged.
- Endpoint Detection and Response (EDR): Deploying advanced EDR/XDR tools that can monitor for irregular behavior.
- Threat Hunting: Proactively hunting for advanced threats and leveraging telemetry to adapt detection strategies.
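To make the behavioral-monitoring advice concrete, here is an added example (not code from the article or from eSentire) that runs three detection rules over constructed, simplified Sysmon-style events: PowerShell spawned by the WMI provider host (the remote-execution path described above), identity_helper.exe loading msedge_elf.dll from outside the assumed Microsoft Edge install root, and a non-browser, non-Discord process connecting to Discord domains. The event field names, the Edge install-root pattern and the allow-list of processes expected to reach Discord are assumptions to tune per estate.

```python
import re

# Constructed, simplified Sysmon-style records (field names shortened; not a real
# telemetry export). "proc" = process creation, "load" = image load, "net" = connection.
SAMPLE_EVENTS = [
    {"kind": "proc", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"kind": "proc", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"kind": "load", "image": r"C:\Users\Public\identity_helper.exe",
     "loaded": r"C:\Users\Public\msedge_elf.dll"},
    {"kind": "load", "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\identity_helper.exe",
     "loaded": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge_elf.dll"},
    {"kind": "net", "image": r"C:\Users\Public\identity_helper.exe", "dest": "gateway.discord.gg"},
    {"kind": "net", "image": r"C:\Users\alice\AppData\Local\Discord\app-1.0\Discord.exe",
     "dest": "gateway.discord.gg"},
]

# Assumed Edge install root; adjust if Edge is deployed elsewhere in your environment.
EDGE_ROOT = re.compile(r"^C:\\Program Files( \(x86\))?\\Microsoft\\Edge\\Application\\", re.I)
DISCORD_DOMAINS = ("discord.com", "discordapp.com", "discord.gg")
# Assumed allow-list of processes that legitimately talk to Discord (client and browsers).
DISCORD_OK = ("discord.exe", "msedge.exe", "chrome.exe", "firefox.exe")
SHELLS = ("powershell.exe", "pwsh.exe", "cmd.exe")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (event_index, rule_name) for every event matching one of the three rules."""
    hits = []
    for i, e in enumerate(events):
        img = basename(e["image"])
        # Rule 1: WMI remote execution typically surfaces as WmiPrvSE.exe spawning a shell.
        if e["kind"] == "proc" and basename(e["parent"]) == "wmiprvse.exe" and img in SHELLS:
            hits.append((i, "wmi_spawned_shell"))
        # Rule 2: the sideload pair running or loaded from outside the Edge install root.
        if (e["kind"] == "load" and img == "identity_helper.exe"
                and basename(e["loaded"]) == "msedge_elf.dll"
                and not (EDGE_ROOT.match(e["image"]) and EDGE_ROOT.match(e["loaded"]))):
            hits.append((i, "edge_sideload_outside_install"))
        # Rule 3: Discord C2 traffic from a process that has no business reaching Discord.
        if e["kind"] == "net" and e["dest"].lower().endswith(DISCORD_DOMAINS) and img not in DISCORD_OK:
            hits.append((i, "discord_from_unexpected_process"))
    return hits


if __name__ == "__main__":
    for idx, rule in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {rule} <- {SAMPLE_EVENTS[idx]['image']}")
```

Each rule fires on one of the constructed malicious records and stays silent on its benign counterpart; in production, the same logic belongs in your SIEM or EDR query language rather than a script.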
As malware authors continue to innovate, defenders must move beyond conventional assumptions. We need more focus on resilient, adaptive security measures to protect against the next wave of advanced threats.