ChaosBot
ChaosBot is a Rust-based Windows backdoor that uses Discord as its command-and-control (C2) channel. Public reporting states it was detected by eSentire in late September 2025 in a financial-services environment, with victim demographics skewing toward Vietnamese speakers and multiple reports noting targeting of financial services. The malware carries an embedded Discord bot token, guild ID, and channel ID; it validates the token against the Discord API, creates a Discord channel named after the infected host, announces the new victim to operators in a general channel named 常规, and then polls the victim-specific channel for commands. Reported supported commands include shell, scr, download, and upload: it executes PowerShell commands and returns the output as a file, captures screenshots, downloads files to the host, and exfiltrates files through Discord. Depending on the variant, it uses the Rust reqwest or serenity library for Discord communications.
Reported initial access vectors include the use of valid credentials for both a Cisco VPN and an over-privileged Active Directory account named serviceaccount, with WMI used to deploy the malware laterally, as well as phishing with a malicious Windows shortcut (.lnk) file. Opening the LNK launches a hidden PowerShell process that downloads and executes ChaosBot while a decoy PDF impersonating the State Bank of Vietnam is displayed. Another reported execution method is DLL side-loading: a malicious msedge_elf.dll is loaded by the legitimate, Microsoft-signed identity_helper.exe, observed running from C:\Users\Public\Libraries.
Post-compromise, operators reportedly deployed FRP (Fast Reverse Proxy) for persistent tunneling, storing it as node.exe with node.ini in C:\Users\Public\Music and using infrastructure at 18.162.110[.]113:7000, described as AWS Asia-Pacific (Hong Kong). They also reportedly attempted, but failed, to establish a Visual Studio Code Tunnel as a secondary backdoor. Newer variants were reported to patch ntdll!EtwEventWrite in memory with xor eax, eax; ret, so that the function returns success immediately without emitting an event, suppressing ETW telemetry; they also evade analysis by checking MAC address prefixes (OUIs) associated with VMware and VirtualBox and exiting when a virtualized environment is detected. Additional reported operator-linked Discord accounts include chaos_00019 and lovebb0024. The use of the Chinese channel name 常规 together with Vietnam-themed lures has been cited in reporting as suggesting Chinese-speaking operators targeting Vietnamese-speaking victims.
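As an added example (not code from the page or from the reporting it summarizes), the following Python turns the behaviours above into detection rules over Sysmon-style events: identity_helper.exe side-loading msedge_elf.dll from outside Program Files, a binary staged under C:\Users\Public connecting on port 7000, Discord traffic from an unexpected process, and explorer.exe spawning hidden PowerShell. The event field names follow Sysmon; the sample paths, the command line, and the browser allowlist are constructed assumptions.

```python
# Added example, not code from the page or any vendor: Sysmon-style detection
# rules for the ChaosBot tradecraft described above. Field names, paths,
# command lines and addresses in SAMPLE_EVENTS are constructed, not captured.
from pathlib import PureWindowsPath

TRUSTED_DIRS = ("c:/program files/", "c:/program files (x86)/")
DISCORD_HOSTS = {"discord.com", "cdn.discordapp.com"}
# Assumption: processes expected to reach Discord in your estate; tune this.
DISCORD_OK = {"discord.exe", "msedge.exe", "chrome.exe", "firefox.exe"}

def norm(p):  # case-insensitive forward-slash form of a Windows path
    return PureWindowsPath(p).as_posix().lower()

def evaluate(ev):  # returns the names of the rules this one event triggers
    hits, img = [], norm(ev.get("Image", ""))
    name, cl = PureWindowsPath(img).name, ev.get("CommandLine", "").lower()
    if ev["Event"] == "ImageLoad":
        dll = norm(ev["ImageLoaded"])
        # Side-loading: identity_helper.exe loading msedge_elf.dll from outside Program Files
        if name == "identity_helper.exe" and dll.endswith("/msedge_elf.dll") and not dll.startswith(TRUSTED_DIRS):
            hits.append("identity_helper_sideload")
    elif ev["Event"] == "NetworkConnect":
        # FRP-style tunnel: a binary staged under C:\Users\Public dialling out on 7000
        if img.startswith("c:/users/public/") and ev.get("DestinationPort") == 7000:
            hits.append("public_dir_binary_port_7000")
        # Discord API traffic from a process that is neither a browser nor the Discord client
        if ev.get("DestinationHostname", "").lower() in DISCORD_HOSTS and name not in DISCORD_OK:
            hits.append("discord_from_unexpected_process")
    elif ev["Event"] == "ProcessCreate":
        # LNK lure: explorer.exe spawning PowerShell with a hidden window
        if name == "powershell.exe" and norm(ev.get("ParentImage", "")).endswith("/explorer.exe") \
                and ("-w hidden" in cl or "windowstyle hidden" in cl):
            hits.append("explorer_hidden_powershell")
    return hits

SAMPLE_EVENTS = [  # constructed telemetry: four suspicious events and one benign Edge load
    {"Event": "ImageLoad", "Image": r"C:\Users\Public\Libraries\identity_helper.exe",
     "ImageLoaded": r"C:\Users\Public\Libraries\msedge_elf.dll"},
    {"Event": "ImageLoad", "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\identity_helper.exe",
     "ImageLoaded": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge_elf.dll"},
    {"Event": "NetworkConnect", "Image": r"C:\Users\Public\Music\node.exe", "DestinationPort": 7000},
    {"Event": "NetworkConnect", "Image": r"C:\Users\Public\Libraries\identity_helper.exe",
     "DestinationHostname": "discord.com", "DestinationPort": 443},
    {"Event": "ProcessCreate", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "powershell.exe -WindowStyle Hidden -Command <constructed>"},
]

def scan(events):  # (process name, rule) pairs for every triggering event
    return [(PureWindowsPath(e["Image"]).name, r) for e in events for r in evaluate(e)]
```

The benign Edge load in SAMPLE_EVENTS stays silent because msedge_elf.dll resolves under Program Files; move it to a user-writable directory and the side-loading rule fires.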
Techniques & procedures
14 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access: 3 techniques
Execution: 2 techniques
Persistence: 1 technique
Privilege Escalation: 1 technique
Stealth: 2 techniques
Discovery: 2 techniques
Collection: 1 technique
Command and Control: 4 techniques
  "A backdoor that talks to Discord doesn't look like a backdoor... The malware carries an embedded configuration containing a Discord bot token, a guild (server) ID, and a channel ID."
  "It runs over plain HTTPS to discord.com and cdn.discordapp.com... GET https://discord.com/api/v10/users/@me"
Exfiltration: 1 technique
IOCs tracked for this family
4 indicators attributed across vendor reports, sandbox runs, and researcher write-ups, covering IPs, domains, and DNS infrastructure as well as other indicator types observed in public reporting.
Recent activity
8 sources tracked across advisories, community write-ups, and news.
Rust-based backdoor that uses Discord channels as command-and-control. It creates a victim-specific Discord channel, executes shell commands via PowerShell, captures screenshots, uploads and downloads files, performs reconnaissance, and uses DLL side-loading plus FRP for persistence and network tunneling. It also includes anti-analysis behavior and can patch ETW telemetry.
A Rust malware family reported as using Discord for command-and-control communications.
ChaosBot is a Rust-based backdoor and botnet malware that leverages Discord as its Command and Control (C2) channel. It provides attackers with an interactive shell, file upload/download, and screenshot capabilities, all managed via Discord channels. It employs advanced evasion techniques, including ETW patching and anti-VM checks, and is deployed via credential compromise, DLL side-loading, and phishing with malicious LNK files. Post-compromise, it establishes persistence using tools like Fast Reverse Proxy (frp) and attempts to leverage legitimate cloud services for further access.
ChaosBot is a new malware written in Rust that uses Discord as its command and control channel, enabling remote control and data exfiltration.