
ChaosBot Malware Uses Discord to Steal and Destroy Files

Written by Scarlet Mendoza | Oct 14, 2025 1:15:00 PM

A new malware is alarming cybersecurity experts: ChaosBot, a backdoor written in Rust that uses Discord as its command-and-control (C2) channel. Alongside it, an even more dangerous evolution of the Chaos ransomware has emerged, now featuring file destruction and clipboard hijacking.

According to reports from eSentire and Fortinet, these threats reveal a growing ecosystem that blends credential theft, social engineering, reverse tunneling, and advanced evasion techniques.

At TecnetOne, we explain how this attack works, why it’s especially dangerous, and how you can defend your organization.

What Is ChaosBot and How It Spreads

ChaosBot is a Rust-based backdoor first detected in September 2025 within a financial services firm.

It allows attackers to execute remote commands, steal files, and maintain persistent access to compromised systems.

Initial access typically comes through stolen or misconfigured credentials. In one observed case, the attackers used an overprivileged Active Directory account and compromised VPN credentials, deploying the malware via WMI (Windows Management Instrumentation).

Other variants spread through phishing emails with malicious .LNK shortcuts that launch PowerShell commands, downloading the payload from external servers while showing a decoy PDF, such as a fake “State Bank of Vietnam” notice.

How ChaosBot Operates

ChaosBot is technically sophisticated and blends seamlessly with legitimate Windows processes.

Key capabilities include:

  1. Rust-based persistence: Loads its main payload (msedge_elf.dll) via DLL sideloading, exploiting a legitimate Microsoft Edge binary (identity_helper.exe).
  2. Discord-based C2: Operators create Discord accounts and channels mimicking victims’ names to send commands, exfiltrate data, and manage files—making traffic appear legitimate.
  3. Reverse proxy tunneling: Downloads FRP (Fast Reverse Proxy) to maintain constant access, and sometimes abuses VS Code Tunnel as an alternative backdoor.
  4. Core functions: Executes PowerShell commands, captures screenshots, uploads/downloads files, and communicates with C2 in real time.
  5. Evasion: Disables Event Tracing for Windows (ETW) by patching ntdll!EtwEventWrite and checks for virtual environments like VMware or VirtualBox to avoid sandbox analysis.

In essence, ChaosBot is a remote-access espionage tool disguised as legitimate software—capable of lateral movement and stealthy data exfiltration.

 


 

Chaos-C++ Ransomware: The Second Phase

While ChaosBot serves as the reconnaissance and access tool, the Chaos-C++ ransomware delivers the destructive blow.

According to Fortinet FortiGuard Labs, this upgraded variant merges encryption, file deletion, and clipboard hijacking to maximize damage.

Most destructive features:

  1. Permanent file deletion: Files larger than 1.3 GB are deleted instead of encrypted—making recovery impossible.
  2. Clipboard hijacking: Monitors and replaces cryptocurrency addresses with the attacker’s wallet.
  3. Adaptive execution: If %APPDATA%\READ_IT.txt exists, it enters surveillance mode; otherwise, it disables recovery options and encrypts files under 50 MB.
  4. Hybrid encryption: Uses combined symmetric/asymmetric methods with XOR to corrupt files even if encryption fails.

 

This evolution shows that Chaos-C++ aims not only to extort but to cause irreversible loss, amplifying pressure on victims.

 

How Victims Are Targeted

ChaosBot and Chaos-C++ primarily target corporate networks with exposed services—VPNs, RDP, or admin accounts—and organizations lacking network segmentation.

Their use of Discord for C2 makes detection difficult since the traffic runs through a legitimate platform.

Techniques like DLL sideloading and malicious LNK phishing remain highly effective, especially against untrained users.

Attack chain diagram (Source: esentire.com)

The Risks for Businesses

These campaigns can devastate victims within hours, leading to:

  1. Total data loss with no recovery options
  2. Extended operational downtime
  3. Theft of sensitive data—credentials, financials, IP
  4. Severe reputational and legal consequences

The combination of espionage (ChaosBot) and destruction (Chaos-C++) forms a hybrid attack that merges ransomware, trojans, and advanced persistence.

 


 

How to Defend Against the Chaos Ecosystem

At TecnetOne, we recommend a defense-in-depth approach combining access control, technical safeguards, and employee awareness.

 

Credentials and Access

  1. Immediately change VPN and service account passwords.
  2. Enforce multi-factor authentication (MFA) on all remote logins.
  3. Apply least-privilege and JIT/JEA (Just-in-Time access / Just Enough Administration) principles.

 

Endpoints and Monitoring

  1. Flag unusual DLLs or processes, such as identity_helper.exe loading non-standard libraries.
  2. Track PowerShell commands run from shortcuts or temp folders.
  3. Detect modified (patched) code in ntdll!EtwEventWrite.
  4. Monitor outbound connections to Discord or FRP tunnels.

 

Network Controls

  1. Block or inspect Discord connections in corporate environments.
  2. Restrict reverse-proxy tools and inspect TLS traffic for anomalies.
  3. Enforce strict egress filtering to prevent data exfiltration.

 

Email Security and Awareness

  1. Block .LNK attachments or convert them to safe previews.
  2. Train staff to recognize phishing and fake PDFs.

 

Backups

  1. Maintain immutable, offline (air-gapped) backups.
  2. Test restoration regularly.
  3. Limit backup-system permissions to prevent deletion.

 

Early Detection and Response

Early detection is crucial. Look for:

  1. Unusual Discord API activity
  2. Unknown files like msedge_elf.dll or identity_helper.exe
  3. New persistent services or tunnels (FRP, VS Code Tunnel)
  4. Creation of %APPDATA%\READ_IT.txt
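The endpoint checks recommended under Endpoints and Monitoring (identity_helper.exe loading non-standard DLLs, PowerShell launched from temp folders or shortcuts, outbound Discord or FRP connections) and the indicators listed just above (msedge_elf.dll, FRP tunnels, the READ_IT.txt marker) can be expressed as simple rules over Sysmon-style host telemetry. The following Python is an added example written for this article, not code from eSentire, Fortinet or TecnetOne. The reduced event fields, the Edge installation directories, the temp-folder hints, the Discord hostnames, the exemption for the Discord desktop client, the use of FRP's default server port 7000 and the sample events are all constructed assumptions that must be tuned to your environment.

```python
"""Rule-based detection over Sysmon-style host telemetry for the ChaosBot /
Chaos-C++ indicators discussed in the article (added example, constructed data)."""
from dataclasses import dataclass


@dataclass
class Event:
    """One reduced telemetry record. event_id follows Sysmon numbering:
    1 = process create, 3 = network connect, 7 = image (DLL) load, 11 = file create."""
    event_id: int
    image: str                # process that produced the event
    target: str = ""          # loaded DLL, created file or destination host
    command_line: str = ""
    current_dir: str = ""
    dest_port: int = 0


# Assumptions to tune per environment (not taken from the original reports):
EDGE_DIRS = (r"c:\program files\microsoft\edge\application",
             r"c:\program files (x86)\microsoft\edge\application")
TEMP_HINTS = (r"\appdata\local\temp", r"\downloads", r"\windows\temp")
DISCORD_HOSTS = ("discord.com", "discordapp.com", "discord.gg")
FRP_DEFAULT_PORT = 7000   # frps default bind port; operators can change it


def basename(path: str) -> str:
    return path.lower().replace("/", "\\").rsplit("\\", 1)[-1]


def under(path: str, roots) -> bool:
    p = path.lower()
    return any(p.startswith(root + "\\") for root in roots)


def rule_sideload(ev: Event):
    """identity_helper.exe loading any DLL from outside the Edge install dir,
    or msedge_elf.dll appearing outside it: the DLL side-loading pattern."""
    if ev.event_id != 7:
        return None
    if basename(ev.image) == "identity_helper.exe" and not under(ev.target, EDGE_DIRS):
        return f"sideload: identity_helper.exe loaded {ev.target}"
    if basename(ev.target) == "msedge_elf.dll" and not under(ev.target, EDGE_DIRS):
        return f"sideload: msedge_elf.dll outside Edge directory ({ev.target})"
    return None


def rule_powershell(ev: Event):
    """PowerShell started from a temp/download folder or referencing a .lnk:
    the footprint of a shortcut-launched command."""
    if ev.event_id != 1 or basename(ev.image) not in ("powershell.exe", "pwsh.exe"):
        return None
    haystack = f"{ev.current_dir} {ev.command_line}".lower()
    if any(hint in haystack for hint in TEMP_HINTS) or ".lnk" in haystack:
        return f"powershell-from-temp: {ev.command_line}"
    return None


def rule_c2(ev: Event):
    """Discord traffic from anything but the Discord client, or FRP tunnel activity."""
    if ev.event_id != 3:
        return None
    host, proc = ev.target.lower(), basename(ev.image)
    to_discord = any(host == h or host.endswith("." + h) for h in DISCORD_HOSTS)
    if to_discord and proc != "discord.exe":
        return f"discord-c2: {proc} -> {ev.target}"
    if proc == "frpc.exe" or ev.dest_port == FRP_DEFAULT_PORT:
        return f"frp-tunnel: {proc} -> {ev.target}:{ev.dest_port}"
    return None


def rule_ransom_note(ev: Event):
    """READ_IT.txt being written into %APPDATA% (Roaming): Chaos-C++'s mode marker."""
    if ev.event_id == 11 and ev.target.lower().endswith(r"\appdata\roaming\read_it.txt"):
        return f"chaos-note: {ev.target} written by {basename(ev.image)}"
    return None


RULES = (rule_sideload, rule_powershell, rule_c2, rule_ransom_note)


def scan(events):
    """Return one alert string per rule hit, in event order."""
    alerts = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts


# Constructed sample telemetry (user names, paths and the address are invented):
SAMPLE_EVENTS = [
    Event(7, r"C:\Users\alice\AppData\Roaming\Helper\identity_helper.exe",
          target=r"C:\Users\alice\AppData\Roaming\Helper\msedge_elf.dll"),
    Event(7, r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
          target=r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge_elf.dll"),
    Event(1, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          command_line="powershell.exe -NoProfile -File notice.ps1",
          current_dir=r"C:\Users\alice\AppData\Local\Temp"),
    Event(1, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          command_line=r"powershell.exe -File C:\Scripts\backup.ps1",
          current_dir=r"C:\Scripts"),
    Event(3, r"C:\Users\alice\AppData\Roaming\Helper\identity_helper.exe",
          target="discord.com", dest_port=443),
    Event(3, r"C:\Users\alice\AppData\Local\Discord\app-1.0.9\Discord.exe",
          target="gateway.discord.gg", dest_port=443),
    Event(3, r"C:\Users\alice\AppData\Roaming\frpc.exe",
          target="203.0.113.10", dest_port=7000),
    Event(11, r"C:\Users\alice\AppData\Roaming\unknown.exe",
          target=r"C:\Users\alice\AppData\Roaming\READ_IT.txt"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Running the script against the sample events raises five alerts (the side-loaded DLL, the PowerShell launch from Temp, identity_helper.exe talking to Discord, the frpc.exe tunnel and the READ_IT.txt marker) and stays silent on the three benign records. The Discord-client exemption in rule_c2 is only sensible on workstations where the client is sanctioned; on servers, where the article recommends blocking Discord outright, every hit on those hosts should alert.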

 

If any indicators appear, isolate affected devices, perform forensic analysis, and review remote-access logs (WMI, RDP, VPN).

 

Conclusion

ChaosBot and Chaos-C++ represent a new generation of modular malware—intelligent, destructive, and engineered to evade detection.

Their abuse of legitimate channels like Discord and their advanced persistence mechanisms make them formidable threats.

The best defense is anticipation: reinforce identity controls, monitor networks in real time, and educate your teams on early detection.

At TecnetOne, we help organizations prevent, detect, and respond to complex threats like ChaosBot through adaptive, intelligence-driven cybersecurity.

Because today, cybersecurity isn’t just about protecting systems—it’s about protecting business continuity.