EXECUTIVE SUMMARY:
ChaosBot is a newly observed Rust-based backdoor that leverages legitimate Discord services for command-and-control, allowing operators to blend C2 traffic with normal network activity. Initial access has been achieved via compromised remote-access credentials and via phishing lures that deploy a malicious Windows shortcut (LNK) which runs a PowerShell downloader while opening a decoy PDF. Analysis of infected environments shows the malware is used to perform reconnaissance and enable persistent remote access.
ChaosBot is implemented in Rust, and variants use either the reqwest or serenity library to interact with the Discord API. Samples contain an embedded Discord bot token, a guild ID, and a channel ID. The malware validates the bot token with a GET request to the Discord API. The backdoor is side-loaded via a legitimate Microsoft Edge component from a public user profile path and executed as msedge_elf.dll. After establishing a foothold and performing reconnaissance, the operators downloaded and executed fast reverse proxy (frp) to open an external reverse proxy into the environment, and they also experimented with a Visual Studio Code tunnel as an alternative backdoor. Lateral movement and remote execution relied on compromised VPN credentials, an over-privileged Active Directory account and WMI-based remote execution. Some infections were delivered via a malicious LNK file that runs a PowerShell command to drop and execute ChaosBot while opening a benign-looking PDF as a decoy.
Organizations should treat this family as a medium-to-high operational risk and prioritize containment and detection controls that address its access and persistence techniques: remove excessive privileges from remote-access accounts, enforce MFA and strong password hygiene, block or closely monitor anomalous use of WMI and DLL side-loading from unexpected paths, and log and alert on suspicious Discord API usage from internal hosts. At minimum, deploy EDR and NGAV with memory and network detection, hunt for the provided indicators, and isolate affected hosts immediately if ChaosBot activity is suspected.
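The three detection opportunities named above (msedge_elf.dll side-loaded from a public user profile path, Discord API traffic from an unexpected process, and WMI-based remote execution) as a small hunt helper, added here as an illustration and not taken from the report or from any vendor tooling. It assumes simplified event dicts modelled on Sysmon image-load, network-connection and process-create telemetry; the sample events and host names are constructed.

```python
"""Hunt helper for the ChaosBot tradecraft described above. Input is a list of
simplified event dicts modelled on Sysmon image-load, network and process events."""
from __future__ import annotations
import re

PUBLIC_PROFILE = re.compile(r"^c:\\users\\public\\", re.IGNORECASE)
DISCORD_API = re.compile(r"(^|\.)discord(app)?\.com$", re.IGNORECASE)
BROWSERS = {"msedge.exe", "chrome.exe", "firefox.exe", "discord.exe"}

def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def classify(event: dict) -> list[str]:
    """Return the detection names an event triggers (empty list if benign)."""
    hits = []
    if event["type"] == "image_load":
        # ChaosBot is side-loaded as msedge_elf.dll from a public user profile path.
        if _basename(event["image"]) == "msedge_elf.dll" and PUBLIC_PROFILE.search(event["image"]):
            hits.append("sideload_msedge_elf_public_profile")
    elif event["type"] == "network":
        # Discord API traffic from a non-browser process, or from a "browser"
        # binary that runs out of a public user profile path (the side-load host).
        odd_proc = _basename(event["process"]) not in BROWSERS or PUBLIC_PROFILE.search(event["process"])
        if DISCORD_API.search(event["dest_host"]) and odd_proc:
            hits.append("discord_api_from_unexpected_process")
    elif event["type"] == "process_create":
        # WMI-based remote execution: WmiPrvSE spawning a command interpreter.
        if _basename(event["parent"]) == "wmiprvse.exe" and _basename(event["image"]) in {"powershell.exe", "cmd.exe"}:
            hits.append("wmi_remote_execution")
    return hits

def hunt(events: list[dict]) -> dict[str, list[str]]:
    """Map each detection name to the sorted, de-duplicated hosts it fired on."""
    findings: dict[str, set[str]] = {}
    for ev in events:
        for name in classify(ev):
            findings.setdefault(name, set()).add(ev["host"])
    return {k: sorted(v) for k, v in findings.items()}

# Constructed sample telemetry (not real indicators): three suspicious events and one benign one.
SAMPLE_EVENTS = [
    {"type": "image_load", "host": "WS01", "image": r"C:\Users\Public\Libraries\msedge_elf.dll"},
    {"type": "image_load", "host": "WS02", "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge_elf.dll"},
    {"type": "network", "host": "WS01", "process": r"C:\Users\Public\Libraries\msedge.exe", "dest_host": "discord.com"},
    {"type": "process_create", "host": "SRV01", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]

if __name__ == "__main__":
    print(hunt(SAMPLE_EVENTS))
```

The WS02 event shows why the path check matters: the same DLL name loaded from the Edge install directory is expected and must not fire.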
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Execution | T1059.001 | Command and Scripting Interpreter | PowerShell |
| Persistence | T1574.002 | Hijack Execution Flow | DLL |
| Command and Control | T1102.002 | Web Service | Bidirectional Communication |
| Command and Control | T1090.002 | Proxy | External Proxy |
| Command and Control | T1219.001 | Remote Access Tools | IDE Tunneling |
MBC MAPPING:
| Objective | Behavior ID | Behavior |
|---|---|---|
| Anti-Behavioral Analysis | B0009 | Virtual Machine Detection |
| Anti-Static Analysis | B0032 | Executable Code Obfuscation |
| Collection | E1113 | Screen Capture |
| Command and Control | B0030 | C2 Communication |
| Defense Evasion | F0001 | Software Packing |
| Execution | B0011 | Remote Commands |