
ChaosBot

ChaosBot is a Rust-based Windows backdoor that uses Discord as its command-and-control channel. Public reporting states it was detected by eSentire in late September 2025 in a financial-services environment, with victim demographics skewing toward Vietnamese speakers and multiple reports noting targeting of financial services. The malware contains an embedded Discord bot token, guild ID, and channel ID, validates the token via the Discord API, creates a Discord channel named after the infected host, notifies operators in a general channel named 常规, and polls the victim-specific channel for commands. Reported supported commands include shell, scr, download, and upload: it executes PowerShell commands and returns output as a file, captures screenshots, downloads files to the host, and exfiltrates files through Discord. Depending on the variant, it uses Rust reqwest or serenity libraries for Discord communications.
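As an added example (not code from the page or from the reporting it summarizes), the following Python detector runs over constructed proxy-log lines and looks for the sequence described above: token validation against /users/@me, creation of a guild channel, then repeated polling of one channel's messages, all from a process that is not a known Discord client. The log format, the process allowlist and the guild/channel IDs are assumptions.

```python
import re
from collections import defaultdict

# Constructed proxy log lines (not from the original page): "time host process method url".
SAMPLE_PROXY_LOG = """\
10:00:01 WS-FIN-07 msedge.exe GET https://discord.com/app
10:00:05 WS-FIN-07 identity_helper.exe GET https://discord.com/api/v10/users/@me
10:00:06 WS-FIN-07 identity_helper.exe POST https://discord.com/api/v10/guilds/111111111111111111/channels
10:00:11 WS-FIN-07 identity_helper.exe GET https://discord.com/api/v10/channels/222222222222222222/messages
10:00:16 WS-FIN-07 identity_helper.exe GET https://discord.com/api/v10/channels/222222222222222222/messages
10:00:21 WS-FIN-07 identity_helper.exe GET https://discord.com/api/v10/channels/222222222222222222/messages
10:00:30 WS-FIN-07 identity_helper.exe POST https://discord.com/api/v10/channels/222222222222222222/messages
10:01:00 WS-HR-02 Discord.exe GET https://discord.com/api/v10/users/@me
10:01:05 WS-HR-02 Discord.exe GET https://discord.com/api/v10/channels/333333333333333333/messages
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (GET|POST|PUT|PATCH|DELETE) (\S+)$")
API = r"https://discord\.com/api/v\d+"
VALIDATE_RE = re.compile(API + r"/users/@me$")           # bot-token validation
CREATE_CHANNEL_RE = re.compile(API + r"/guilds/\d+/channels$")  # per-victim channel creation
POLL_RE = re.compile(API + r"/channels/\d+/messages$")    # command polling / result upload
# Processes for which Discord API traffic is expected (assumption: adjust to your allowlist).
EXPECTED_DISCORD_CLIENTS = {"discord.exe", "msedge.exe", "chrome.exe", "firefox.exe"}

def find_discord_c2_candidates(log_text, min_polls=3):
    """Return {(host, process): facts} for non-client processes that validated a
    token and then polled a channel at least min_polls times."""
    state = defaultdict(lambda: {"validated": False, "created_channel": False, "polls": 0, "uploads": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _ts, host, proc, method, url = m.groups()
        if proc.lower() in EXPECTED_DISCORD_CLIENTS:
            continue
        s = state[(host, proc)]
        if method == "GET" and VALIDATE_RE.search(url):
            s["validated"] = True
        elif method == "POST" and CREATE_CHANNEL_RE.search(url):
            s["created_channel"] = True
        elif method == "GET" and POLL_RE.search(url):
            s["polls"] += 1
        elif method == "POST" and POLL_RE.search(url):
            s["uploads"] += 1   # command output or files posted back into the channel
    return {k: v for k, v in state.items() if v["validated"] and v["polls"] >= min_polls}
```

Tune min_polls to the polling interval you observe; the allowlist is what keeps legitimate Discord desktop and browser sessions out of the result.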

Reported initial access vectors include use of valid credentials for both a Cisco VPN and an over-privileged Active Directory account named serviceaccount, with WMI used for lateral deployment, as well as phishing using a malicious Windows shortcut (.lnk) file. Opening the LNK launches hidden PowerShell to download and execute ChaosBot while displaying a decoy PDF impersonating the State Bank of Vietnam. Another reported execution method is DLL side-loading using a malicious msedge_elf.dll loaded by the legitimate Microsoft-signed identity_helper.exe, observed running from C:\Users\Public\Libraries.

Post-compromise, operators reportedly deployed FRP (Fast Reverse Proxy) for persistent tunneling, storing it as node.exe with node.ini in C:\Users\Public\Music, and using infrastructure at 18.162.110[.]113:7000, described as AWS Asia-Pacific (Hong Kong). They also reportedly attempted, but failed, to establish a Visual Studio Code Tunnel as a secondary backdoor. Newer variants were reported to patch ntdll!EtwEventWrite in memory with xor eax, eax; ret to suppress ETW telemetry and to evade analysis by checking MAC address prefixes associated with VMware and VirtualBox and exiting in virtualized environments. Additional reported operator-linked Discord accounts include chaos_00019 and lovebb0024. The use of the Chinese channel name 常规 and Vietnam-themed lures has been cited in reporting as suggesting Chinese-speaking operators targeting Vietnamese-speaking victims.
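Added example (not code from the page or from any vendor report) covering the host-side observables in the two paragraphs above: a Python triage helper that classifies constructed Sysmon-style process-creation events against the fixed PowerShell wrapper, identity_helper.exe launched from C:\Users\Public\Libraries, and FRP stored as node.exe under C:\Users\Public\Music, plus a check of whether a captured EtwEventWrite prologue carries the xor eax, eax; ret stub. The event field names and sample paths are assumptions.

```python
import re

# `xor eax, eax ; ret` has two common x86 encodings; either one as the first bytes
# of ntdll!EtwEventWrite means the function returns immediately and ETW is silenced.
ETW_PATCH_STUBS = (b"\x31\xc0\xc3", b"\x33\xc0\xc3")

def etw_event_write_patched(prologue: bytes) -> bool:
    """True if the bytes read from the live EtwEventWrite entry point are the patch stub."""
    return any(prologue.startswith(stub) for stub in ETW_PATCH_STUBS)

# ChaosBot wraps every shell command with this fixed PowerShell prefix (quoted on the page).
CHAOSBOT_PS_PREFIX = re.compile(
    r'^powershell(\.exe)?\s+-Command\s+"\$OutputEncoding\s*=\s*\[System\.Text\.Encoding\]::UTF8;', re.I)
PUBLIC_DIR = re.compile(r"^c:\\users\\public\\", re.I)

def classify_process_event(event: dict) -> list:
    """Return rule names hit by one process-creation event (field names are an assumption)."""
    hits = []
    image = event.get("image", "")
    name = image.rsplit("\\", 1)[-1].lower()
    cmd = event.get("command_line", "")
    if CHAOSBOT_PS_PREFIX.match(cmd):
        hits.append("chaosbot_powershell_wrapper")        # T1059.001
    if name == "identity_helper.exe" and PUBLIC_DIR.match(image):
        hits.append("identity_helper_in_public_dir")      # side-load host outside Edge's install dir
    if name == "node.exe" and PUBLIC_DIR.match(image):
        hits.append("node_exe_in_public_dir")             # FRP client masquerading as node.exe
    return hits

# Constructed sample events (not from the page); the last two are benign and must not hit.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": 'powershell -Command "$OutputEncoding = [System.Text.Encoding]::UTF8; whoami"'},
    {"image": r"C:\Users\Public\Libraries\identity_helper.exe", "command_line": "identity_helper.exe"},
    {"image": r"C:\Users\Public\Music\node.exe", "command_line": "node.exe -c node.ini"},
    {"image": r"C:\Program Files\nodejs\node.exe", "command_line": "node.exe server.js"},
    {"image": r"C:\Program Files (x86)\Microsoft\Edge\Application\identity_helper.exe",
     "command_line": "identity_helper.exe"},
]

def scan_events(events):
    flagged = []
    for e in events:
        hits = classify_process_event(e)
        if hits:
            flagged.append((e["image"], hits))
    return flagged
```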


MITRE ATT&CK

Techniques & procedures

14 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

3 techniques
T1078 Valid Accounts (evidence: 1)

The attackers already had valid credentials: a login that worked for both the Cisco VPN and an over-privileged Active Directory account bluntly named serviceaccount.

T1566 Phishing (evidence: 1)

The second road was phishing. The victim received a Windows shortcut file (.lnk).

T1566.001 Spearphishing Attachment (evidence: 1)

The victim received a Windows shortcut file (.lnk). Opening it ran a hidden PowerShell command that downloaded and launched ChaosBot, while politely opening a decoy PDF dressed up as correspondence from the State Bank of Vietnam.

Execution

2 techniques
T1047 Windows Management Instrumentation (evidence: 1)

With a real account in hand, they didn’t need to break in. They walked in, then used WMI to push commands across the network and deploy the malware to other machines.

T1059.001 PowerShell (evidence: 1)

Opening it ran a hidden PowerShell command that downloaded and launched ChaosBot... When ChaosBot runs a shell command, it always wraps it the same way: powershell -Command "$OutputEncoding = [System.Text.Encoding]::UTF8; "

Persistence

1 technique
T1078 Valid Accounts (evidence: 1)

The attackers already had valid credentials: a login that worked for both the Cisco VPN and an over-privileged Active Directory account bluntly named serviceaccount.

Privilege Escalation

1 technique
T1078 Valid Accounts (evidence: 1)

The attackers already had valid credentials: a login that worked for both the Cisco VPN and an over-privileged Active Directory account bluntly named serviceaccount.

Stealth

2 techniques
T1078 Valid Accounts (evidence: 1)

The attackers already had valid credentials: a login that worked for both the Cisco VPN and an over-privileged Active Directory account bluntly named serviceaccount.

T1497 Virtualization/Sandbox Evasion (evidence: 1)

The malware checks MAC-address prefixes for VMware and VirtualBox and exits if it sees them.

Discovery

2 techniques
T1083 File and Directory Discovery (evidence: 1)

The toolkit — reconnaissance, screenshots, quiet persistence, careful evasion — reads like access-focused intrusion: get in, look around, stay.

T1497 Virtualization/Sandbox Evasion (evidence: 1)

The malware checks MAC-address prefixes for VMware and VirtualBox and exits if it sees them.

Collection

1 technique
T1113 Screen Capture (evidence: 1)

scr — take a screenshot of the victim’s desktop and upload it

Command and Control

4 techniques
T1071 Application Layer Protocol (evidence: 1)

A backdoor that talks to Discord doesn’t look like a backdoor... The malware carries an embedded configuration containing a Discord bot token, a guild (server) ID, and a channel ID.

T1071.001 Web Protocols (evidence: 1)

It runs over plain HTTPS to discord.com and cdn.discordapp.com... GET https://discord.com/api/v10/users/@me

T1090 Proxy (evidence: 1)

ChaosBot then ran reconnaissance and pulled down FRP (Fast Reverse Proxy) to punch a persistent tunnel into the network.

T1105 Ingress Tool Transfer (evidence: 1)

ChaosBot then ran reconnaissance and pulled down FRP (Fast Reverse Proxy)... The supported commands are minimal and brutal: download — pull a new file onto the machine

Exfiltration

1 technique
T1041 Exfiltration Over C2 Channel (evidence: 1)

Whatever the machine produces (text, files, screenshots) gets uploaded right back into the channel as an attachment.

Other

1 technique
T1562 Impair Defenses (evidence: 1)

New variants patch ntdll!EtwEventWrite... to silence Event Tracing for Windows.

INDICATORS OF COMPROMISE

IOCs tracked for this family

4 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network
1 tracked

IPs, domains, and DNS infrastructure linked to this family.

Other
3 tracked

Other indicator types observed in public reporting.

ACTIVITY FEED

Recent activity

8 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

osint team blog (News)
Jul 2, 2026
The Malware Crew Hiding Their Orders Inside a Discord Chat | by Pop123 | Jun, 2026 | OSINT Team

Rust-based backdoor that uses Discord channels as command-and-control. It creates a victim-specific Discord channel, executes shell commands via PowerShell, captures screenshots, uploads and downloads files, performs reconnaissance, and uses DLL side-loading plus FRP for persistence and network tunneling. It also includes anti-analysis behavior and can patch ETW telemetry.

Read more
osint team blog (News)
Jun 26, 2026
The Spy Group Hiding Secret Commands Inside Ordinary GitHub Repos | by Pop123 | Jun, 2026 | OSINT Team

A Rust malware family reported as using Discord for command-and-control communications.

Read more
picus security blog (News)
Oct 21, 2025
New Rust Malware "ChaosBot" Leverages Discord for Stealthy Command and Control

ChaosBot is a Rust-based backdoor and botnet malware that leverages Discord as its Command and Control (C2) channel. It provides attackers with an interactive shell, file upload/download, and screenshot capabilities, all managed via Discord channels. It employs advanced evasion techniques, including ETW patching and anti-VM checks, and is deployed via credential compromise, DLL side-loading, and phishing with malicious LNK files. Post-compromise, it establishes persistence using tools like Fast Reverse Proxy (frp) and attempts to leverage legitimate cloud services for further access.

Read more
securityaffairs (News)
Oct 19, 2025
SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 67

ChaosBot is a new malware written in Rust that uses Discord as its command and control channel, enabling remote control and data exfiltration.

Read more