Toronto, October 12, 2025 – Cybersecurity Desk: Cybersecurity researchers have uncovered a new Rust-based backdoor malware dubbed “ChaosBot” that leverages Discord servers for command-and-control (C2) operations, allowing hackers to remotely execute commands, steal files, and maintain persistent access to corporate networks.
The discovery was made by Canadian cybersecurity firm eSentire, which first detected the malware in late September 2025 within the network of a financial services organization. Researchers say ChaosBot represents a growing class of sophisticated, modular threats built to exploit cloud-connected collaboration platforms.
Discord Weaponized: The Rise of ChaosBot
According to eSentire’s technical report, ChaosBot infiltrates networks using compromised credentials linked to both Cisco VPN accounts and over-privileged Active Directory service accounts. Once inside, attackers use Windows Management Instrumentation (WMI) to execute remote commands and deploy the backdoor across systems.
What makes ChaosBot particularly notable is its use of Discord for C2 communications. The operators—identified by Discord handles “chaos_00019” and “lovebb0024”—control infected devices by sending instructions through a private Discord channel uniquely named after each victim’s computer.
Researchers say this technique allows the attackers to blend malicious traffic with legitimate communications, effectively bypassing traditional security filters that rarely flag Discord traffic as suspicious.
Multi-Stage Infection and Stealthy Persistence
ChaosBot primarily spreads through phishing campaigns containing malicious Windows shortcut (LNK) files. When a victim opens the attachment, a PowerShell script downloads and executes the malware, simultaneously displaying a decoy PDF posing as a legitimate document from the State Bank of Vietnam.
The payload, a malicious DLL (“msedge_elf.dll”), is sideloaded via the legitimate Microsoft Edge binary (identity_helper.exe) to evade detection. Once executed, the malware performs system reconnaissance, downloads a Fast Reverse Proxy (FRP) to open backdoors, and attempts to establish persistent network access.
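The DLL sideloading and Discord C2 behaviour described above, expressed as a defender's triage check. This is an added example, not code from eSentire's report: it runs over constructed Sysmon-style events (field names mirror Sysmon's Image, ImageLoaded and DestinationHostname), and the Edge install path and the "non-browser process" heuristic are assumptions.

```python
# Added example (not from eSentire's report): flag the two ChaosBot behaviours the
# article describes - identity_helper.exe sideloading msedge_elf.dll from outside the
# Edge install directory, and a non-browser process contacting Discord.
# The sample events, the Edge path and the browser allow-list are constructed/assumed.
import re

EDGE_DIR = r"c:\program files (x86)\microsoft\edge\application"  # assumed install path
BROWSERS = {"msedge.exe", "chrome.exe", "firefox.exe", "discord.exe"}  # assumed benign
DISCORD_HOSTS = re.compile(r"(^|\.)discord(app)?\.(com|gg)$", re.I)

# Constructed sample events in Sysmon style (ID 7 = image load, ID 3 = network connect)
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": EDGE_DIR + r"\identity_helper.exe",
     "ImageLoaded": EDGE_DIR + r"\msedge_elf.dll"},                        # benign
    {"EventID": 7, "Image": r"c:\users\bob\appdata\local\temp\identity_helper.exe",
     "ImageLoaded": r"c:\users\bob\appdata\local\temp\msedge_elf.dll"},    # sideload
    {"EventID": 3, "Image": r"c:\users\bob\appdata\local\discord\discord.exe",
     "DestinationHostname": "gateway.discord.gg"},                         # benign
    {"EventID": 3, "Image": r"c:\users\bob\appdata\local\temp\identity_helper.exe",
     "DestinationHostname": "discord.com"},                                # C2 beacon
]

def is_sideload(ev):
    """Sysmon ID 7: identity_helper.exe loading msedge_elf.dll outside the Edge dir."""
    if ev.get("EventID") != 7:
        return False
    image = ev["Image"].lower()
    loaded = ev["ImageLoaded"].lower()
    return (image.endswith(r"\identity_helper.exe")
            and loaded.endswith(r"\msedge_elf.dll")
            and not loaded.startswith(EDGE_DIR))

def is_odd_discord_conn(ev):
    """Sysmon ID 3: a Discord endpoint contacted by a process that is not a browser/client."""
    if ev.get("EventID") != 3:
        return False
    proc = ev["Image"].lower().rsplit("\\", 1)[-1]
    host = ev.get("DestinationHostname", "")
    return bool(DISCORD_HOSTS.search(host)) and proc not in BROWSERS

def triage(events):
    """Return (rule_name, image) for every event that matches a rule."""
    hits = []
    for ev in events:
        if is_sideload(ev):
            hits.append(("edge_dll_sideload", ev["Image"]))
        elif is_odd_discord_conn(ev):
            hits.append(("nonbrowser_discord_c2", ev["Image"]))
    return hits
```

Both hits come from the same unsigned copy of identity_helper.exe in a temp directory, which is the correlation a responder would pivot on.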
eSentire noted that the attackers also tried to abuse Visual Studio Code’s Tunnel service as an additional backdoor, though unsuccessfully.
Among its core capabilities, ChaosBot can:
- Execute shell commands using PowerShell (shell)
- Capture screenshots of the victim’s system (scr)
- Upload and download files (upload, download)
- Communicate directly with its operator through Discord
Advanced Evasion Techniques
Researchers observed new ChaosBot variants employing anti-analysis mechanisms to evade sandbox environments and forensic tools. The malware patches Event Tracing for Windows (ETW) by overwriting its in-memory code with instructions that return immediately (xor eax, eax → ret), effectively disabling the telemetry that could reveal its presence.
Additionally, the malware checks MAC address prefixes to detect virtual machines like VMware or VirtualBox and terminates execution if it suspects it’s being analyzed. These defensive layers make ChaosBot highly resistant to traditional malware detection tools.
The Expanding “Chaos” Threat Family
ChaosBot’s discovery coincides with a separate alert from Fortinet FortiGuard Labs, which detailed a C++ ransomware variant from the same threat ecosystem — dubbed Chaos-C++ — featuring destructive file deletion and clipboard hijacking for cryptocurrency theft.
Unlike typical ransomware that encrypts files, Chaos-C++ irrevocably deletes files larger than 1.3 GB and replaces Bitcoin wallet addresses on victims’ clipboards to redirect transactions to attacker-controlled wallets.
Both ChaosBot and Chaos-C++ highlight the evolution of the Chaos malware family — from simple extortion tools into multi-layered cyberweapons combining espionage, sabotage, and financial theft.
Fortinet’s researchers warn that the dual strategy of destructive encryption and covert financial manipulation signals a new era of ransomware threats designed to maximize monetary gain while ensuring operational damage.
A Growing Threat Landscape
Experts say the Chaos ecosystem exemplifies how cybercriminals are adapting to modern environments — weaponizing legitimate platforms like Discord, exploiting supply-chain software, and integrating multi-language codebases (Rust, C++) for resilience and flexibility.
Security professionals urge organizations to restrict the use of external collaboration platforms, enforce multi-factor authentication, and monitor network traffic for anomalous Discord or proxy connections.
As one researcher at eSentire put it, “ChaosBot’s design shows that malware is no longer about just encrypting data — it’s about persistence, invisibility, and complete control.”