New Rust Malware “ChaosBot” Hides Command-and-Control Inside Discord

A sophisticated, Rust-based malware dubbed ChaosBot has been exposed utilizing the Discord platform for its Command and Control (C2) operations.

This isn’t your average botnet; it’s a new generation of threat that hides its malicious traffic by communicating over the popular, legitimate service, making detection significantly more challenging for traditional security tools.

ChaosBot operates by validating its credentials with the Discord API, then creating a private text channel named after its victim’s computer.

This channel serves as an interactive, covert shell where attackers send commands such as shell, download, and scr (screenshot) directly into the channel, with the victim machine sending results back as attached files.

Further compounding the danger, the malware uses anti-analysis techniques such as patching an Event Tracing for Windows (ETW) function in memory and checking the host's MAC addresses against known virtual-machine prefixes, to stay off the radar of security researchers.

Dual Attack Vectors

The initial intrusion was facilitated by compromised credentials for both CiscoVPN and an over-privileged Active Directory account named “serviceaccount.”

The attackers leveraged this access to deploy and execute ChaosBot using Windows Management Instrumentation (WMI) for remote command execution across the network.

The ChaosBot payload, disguised as msedge_elf.dll, was executed via DLL side-loading against the legitimate Microsoft Edge component identity_helper.exe from the C:\Users\Public\Libraries directory.

In an alternative and equally insidious method, ChaosBot operators employ phishing campaigns that use malicious Windows Shortcut (.lnk) files designed to appear as legitimate correspondence from the State Bank of Vietnam.

The shortcut executes a PowerShell command that downloads and executes the ChaosBot malware while simultaneously downloading and opening an innocuous PDF document to mislead the victim, providing a deceptive cover for the infection.

The decoy PDF mimics a highly official communication from Vietnam’s central bank, complete with reference numbers and formal regulatory language about new compliance requirements for financial institutions. This social engineering tactic exploits the authority and credibility of government institutions to lower victim suspicion during the critical infection phase.

Invisible Command Channel

ChaosBot is written in the Rust programming language, leveraging either the reqwest or serenity library for API interactions.

The malware is configured with a Discord bot token, Guild (server) ID, and Channel ID, enabling seamless integration with the platform’s legitimate infrastructure.

Figure: GET request to the Discord API.

The malware first validates its bot token with a simple GET request to the Discord API, then creates a new, dedicated channel within the threat actor’s Discord server, naming it after the victim’s computer name.

The malware then sends an initial message to the general channel, notifying the operators of the new compromise. Intriguingly, the general channel across all known affiliated servers is named “常规” (meaning “regular” or “general” in Chinese), which may suggest the operators are using a Chinese version of Discord or have Chinese-speaking members.

ChaosBot operates via a continuous loop, checking for new messages (commands) in the victim’s dedicated Discord channel.

The primary command for lateral movement and reconnaissance is shell, which executes commands via PowerShell with forced UTF-8 encoding for the output.

Figure: multipart/form-data format.

After command execution, results—whether stdout/stderr from a shell command, a screenshot, or a file—are exfiltrated back to the channel as an attachment using the multipart/form-data format, giving the attacker a seamless, interactive shell experience via Discord.
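The C2 sequence described above (token validation, channel creation, then polling and posting messages) is visible in proxy logs as a chain of Discord REST calls from a process that is not a Discord client or browser. The following detection logic is an added example, not code from the article or the malware; the log format and process allowlist are assumptions, and the log lines are constructed. The REST paths are Discord's documented routes for the calls the article describes.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines: "<process> <method> <url>". Not from the article.
SAMPLE_LOG = """\
identity_helper.exe GET https://discord.com/api/v10/users/@me
identity_helper.exe POST https://discord.com/api/v10/guilds/111111111111111111/channels
identity_helper.exe POST https://discord.com/api/v10/channels/222222222222222222/messages
identity_helper.exe GET https://discord.com/api/v10/channels/333333333333333333/messages
identity_helper.exe POST https://discord.com/api/v10/channels/333333333333333333/messages
Discord.exe GET https://discord.com/api/v9/users/@me
chrome.exe GET https://discord.com/api/v9/channels/444444444444444444/messages
"""

# Processes expected to talk to the Discord API on a workstation (assumed allowlist).
ALLOWED_CLIENTS = {"discord.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

# Each stage of the article's C2 flow mapped to the Discord REST route it needs.
PATTERNS = [
    ("token_check", re.compile(r"^GET /api/v\d+/users/@me$")),          # validate bot token
    ("channel_create", re.compile(r"^POST /api/v\d+/guilds/\d+/channels$")),  # per-victim channel
    ("message_poll", re.compile(r"^GET /api/v\d+/channels/\d+/messages$")),   # fetch commands
    ("message_post", re.compile(r"^POST /api/v\d+/channels/\d+/messages$")),  # upload results
]

LINE_RE = re.compile(r"^(?P<proc>\S+)\s+(?P<method>[A-Z]+)\s+https://discord\.com(?P<path>/\S+)$")

def classify(line):
    """Return (process, stage) for a Discord API request line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    key = f"{m['method']} {m['path']}"
    for stage, rx in PATTERNS:
        if rx.match(key):
            return m["proc"], stage
    return m["proc"], "other"

def find_suspicious(log_text):
    """Flag non-allowlisted processes showing token check, channel creation and message polling.
    Returns {process: sorted list of observed stages}."""
    stages = defaultdict(set)
    for line in log_text.splitlines():
        hit = classify(line)
        if hit is None or hit[0].lower() in ALLOWED_CLIENTS:
            continue
        stages[hit[0]].add(hit[1])
    required = {"token_check", "channel_create", "message_poll"}
    return {p: sorted(s) for p, s in stages.items() if required <= s}
```

Requiring the full chain rather than any single call keeps one-off lookups from legitimate tooling out of the alert.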

Advanced Evasion Techniques

ChaosBot employed sophisticated techniques to evade detection and analysis. New variants patch the first few instructions of ntdll!EtwEventWrite in memory by replacing the initial instructions with xor eax, eax followed by ret.

This successfully disables ETW telemetry for the process, hindering Endpoint Detection and Response (EDR) and sandbox visibility—a critical blind spot that allows the malware to operate undetected by many modern security solutions.
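One way an EDR or forensic script can surface this patch is to compare the entry bytes of EtwEventWrite in each process against the on-disk ntdll image and against the specific early-return stub the article describes. This is an added example, not the article's or any vendor's code; the prologue bytes are constructed placeholders, not real ntdll code, and the snapshot dictionary stands in for whatever memory-reading mechanism the tool uses.

```python
from dataclasses import dataclass

# Both common encodings of "xor eax, eax ; ret", the stub written over EtwEventWrite.
XOR_EAX_RET_STUBS = (bytes.fromhex("31c0c3"), bytes.fromhex("33c0c3"))

@dataclass
class PatchVerdict:
    patched: bool
    reason: str

def check_etw_prologue(in_memory: bytes, on_disk: bytes) -> PatchVerdict:
    """Compare the first bytes of EtwEventWrite seen in a process with the on-disk copy.
    Signal 1: the exact early-return stub. Signal 2: any divergence from disk, which
    also catches other hook or stub variants."""
    for stub in XOR_EAX_RET_STUBS:
        if in_memory.startswith(stub):
            return PatchVerdict(True, "xor eax,eax; ret stub at function entry")
    n = min(len(in_memory), len(on_disk))
    if in_memory[:n] != on_disk[:n]:
        return PatchVerdict(True, "in-memory prologue differs from on-disk image")
    return PatchVerdict(False, "prologue matches on-disk image")

# Constructed sample bytes (placeholders, not real ntdll code).
CLEAN_PROLOGUE = bytes.fromhex("4883ec284c8bd1")
PATCHED_PROLOGUE = bytes.fromhex("33c0c3") + CLEAN_PROLOGUE[3:]

def scan(snapshots: dict, on_disk: bytes) -> list:
    """snapshots maps pid -> first bytes of EtwEventWrite read from that process.
    Returns the pids whose prologue is tampered."""
    return sorted(pid for pid, mem in snapshots.items()
                  if check_etw_prologue(mem, on_disk).patched)
```

A process whose prologue differs from disk but not via the known stub still deserves a look, since other ETW-blinding variants use different instruction sequences.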

The malware also checks the system’s MAC addresses against known prefixes for virtual machines such as VMware (00:0C:29, 00:50:56, 00:05:69) and VirtualBox (08:00:27). If a match is found, the malware halts execution to evade analysis in sandboxed environments, demonstrating the operators’ awareness of security research methodologies and their determination to avoid detection.

Figure: Anti-VM check.

Following initial compromise, the threat actors immediately focused on establishing persistent access by deploying the legitimate fast reverse proxy (frp) tool, saving the executable as node.exe with configuration pointing to an Amazon Web Services (AWS) IP in the Asia Pacific (Hong Kong) region.

Attackers also attempted to set up an additional backdoor using the legitimate Visual Studio Code Tunnel service, revealing an active effort to experiment with and leverage trusted cloud service features for command execution capabilities.

Organizations must implement Multi-Factor Authentication (MFA) for all external access points and privileged accounts, actively monitor for unusual HTTP/S traffic to Discord API endpoints, and enforce application whitelisting to prevent unauthorized payload execution from suspicious locations like Public user profile directories.

Regular phishing awareness training and EDR solutions configured to detect memory-patching techniques are essential to defend against this emerging threat that weaponizes legitimate platforms for malicious purposes.
