A new backdoor called ChaosBot has been discovered that allows operators to conduct reconnaissance and execute arbitrary commands on compromised hosts. Researchers at eSentire found that the malware uses a Discord channel to receive instructions, while also being distributed through phishing messages with malicious LNK files.
ChaosBot is noteworthy for its abuse of Discord as a command-and-control (C2) vector: it communicates through an operator-created Discord channel labelled with the victim’s computer name. The malware has also been observed using Windows Management Instrumentation (WMI) to execute remote commands across systems in the network.
Researchers discovered that ChaosBot can sideload a malicious DLL and perform system reconnaissance before downloading a reverse proxy to maintain persistent access to the compromised network. eSentire also warns of new variants that use evasion techniques to bypass security tools.
Meanwhile, Fortinet has detailed a new ransomware variant of Chaos written in C++. It introduces destructive capabilities: it irrevocably deletes large files rather than encrypting them, and it manipulates clipboard content by swapping copied Bitcoin addresses for an attacker-controlled wallet.
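The clipboard swap Fortinet describes (a copied Bitcoin address replaced by an attacker-controlled one) is the kind of behaviour an endpoint clipboard monitor can flag. The following is an added example, not code from the article or from either vendor: it validates legacy Base58Check addresses and alerts when the clipboard changes from one valid address to a different valid address with no user copy action to explain it. The snapshot format and the sample addresses are constructed assumptions.

```python
import functools, hashlib

_B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"  # Base58 alphabet of legacy addresses

def _checksum(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()[:4]

def base58check_encode(version: int, payload: bytes) -> str:
    """Version byte + payload + 4-byte double-SHA256 checksum, Base58-encoded (used only to build sample data)."""
    raw = bytes([version]) + payload
    raw += _checksum(raw)
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, rem = divmod(n, 58)
        out = _B58[rem] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out  # each leading zero byte becomes a leading '1'

def is_legacy_btc_address(text: str) -> bool:
    """True only for a mainnet legacy (P2PKH '1...' / P2SH '3...') address whose checksum verifies."""
    if not 26 <= len(text) <= 35 or any(c not in _B58 for c in text):
        return False
    n = functools.reduce(lambda acc, c: acc * 58 + _B58.index(c), text, 0)
    try:
        raw = n.to_bytes(25, "big")  # version (1) + hash160 (20) + checksum (4)
    except OverflowError:
        return False
    return raw[0] in (0x00, 0x05) and raw[21:] == _checksum(raw[:21])

def detect_clipboard_swap(snapshots):
    """snapshots: list of (clipboard_text, user_copied) samples over time. Returns indices where the
    clipboard went from one valid address to a different valid one with no user copy action in between."""
    alerts = []
    for i in range(1, len(snapshots)):
        prev_text = snapshots[i - 1][0]
        text, user_copied = snapshots[i]
        if user_copied or text == prev_text:
            continue
        if is_legacy_btc_address(prev_text) and is_legacy_btc_address(text):
            alerts.append(i)
    return alerts

# Constructed sample data: addresses derived from dummy hash160 values, not real wallets.
VICTIM_ADDR = base58check_encode(0x00, bytes([0x11]) * 20)
SWAPPED_ADDR = base58check_encode(0x00, bytes([0x22]) * 20)
SAMPLE_SNAPSHOTS = [
    ("meeting notes", True),
    (VICTIM_ADDR, True),     # user copies the intended payee address
    (SWAPPED_ADDR, False),   # content replaced by a different valid address with no user copy -> alert
    (SWAPPED_ADDR, False),   # unchanged, no new alert
]
```

A real monitor would feed `detect_clipboard_swap` from periodic clipboard reads paired with input-event telemetry; this version only covers legacy addresses, so bech32 (`bc1...`) addresses would need a second validator.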
Source: https://thehackernews.com/2025/10/new-rust-based-malware-chaosbot-hijacks.html