Threat researchers at eSentire have identified a new backdoor dubbed ChaosBot, written in Rust and using Discord as command-and-control (C2). First observed in late September 2025 within a financial-sector environment, the malware enables host reconnaissance, arbitrary command execution, and persistence while blending into legitimate network traffic, complicating detection.
Initial Access: LNK Phishing and Abused Credentials Enable Rapid Intrusion
According to eSentire, the operators combined stolen credentials applicable to both a Cisco VPN login and a privileged Active Directory service account with WMI-based remote execution for lateral movement. In parallel, users received LNK attachments via phishing emails. Opening the shortcut triggered a PowerShell one-liner that retrieved and executed the payload, while a decoy PDF themed as correspondence from the State Bank of Vietnam masked malicious activity.
DLL Sideloading via Edge Components to Reduce Telemetry
eSentire observed a DLL payload named msedge_elf.dll being sideloaded by the legitimate Microsoft Edge binary identity_helper.exe. This living-off-the-land approach minimizes anomalous process and module telemetry and increases the chance of evading signature-based engines. Post-deployment, ChaosBot performs system inventory and drops a fast reverse proxy (FRP) component to establish a resilient outbound tunnel for remote access.
Discord as C2: Per-Host Channels and Remote Tasking
The campaign’s defining trait is its Discord-based C2 workflow. For each compromised host, the operators create a dedicated channel named after the computer, then issue tasks directly through Discord. Activity was linked to accounts chaos_00019 and lovebb0024. Observed capabilities include host profiling, command execution, and control of auxiliary components like FRP to broaden network footholds.
Evasion Techniques: ETW Impairment and Virtualization Checks
New ChaosBot builds attempt to degrade security visibility and evade dynamic analysis. The malware patches ntdll!EtwEventWrite—short-circuiting the function to suppress Event Tracing for Windows (ETW) telemetry—hindering certain EDR detections. It also inspects MAC address prefixes associated with VMware and VirtualBox, exiting when virtualization is suspected to avoid sandboxing. These behaviors align with MITRE ATT&CK techniques T1562.001 Impair Defenses and T1497 Virtualization/Sandbox Evasion.
Alternate Access: Attempted Abuse of VS Code Tunnel
Beyond Discord and FRP, the attackers attempted to configure Visual Studio Code Tunnel as an auxiliary backdoor for remote command execution. While the effort reportedly failed, the choice underscores an ongoing trend: co-opting legitimate developer services to proxy access and blend malicious traffic into business workflows.
Risk Assessment: Rust, Web Services, and Lateral Movement Increase Impact
Rust-based malware can frustrate static analysis and reduce signature effectiveness due to compiler artifacts and binary complexity. Using consumer and developer platforms (Discord, VS Code Tunnel) helps camouflage C2 flows as legitimate web traffic (ATT&CK T1071.001 Web Protocols). Combined with WMI-driven lateral movement (ATT&CK T1047), DLL sideloading (ATT&CK T1574.002), and reverse proxies (ATT&CK T1090), ChaosBot presents meaningful operational risk—especially where privileged service accounts exist and VPN access lacks strong verification.
Defensive Recommendations: Hardening Identity, Email, Hosts, and Egress
Identity and access: Enforce MFA for VPN and privileged accounts; rotate and minimize service account entitlements; monitor for anomalous authentication patterns.
Email and user execution controls: Quarantine or block LNK attachments from external senders; deliver risky attachments in hardened containers; reinforce user education on shortcut-lure tradecraft (ATT&CK T1566.001, T1204).
Endpoint hardening: Enable Microsoft Defender ASR rules; constrain PowerShell with Constrained Language Mode and full Script Block logging; alert on suspicious Edge process injections and unexpected DLL loads (e.g., msedge_elf.dll loaded by identity_helper.exe from a non-Edge path).
Visibility and egress: Inspect or restrict Discord API/webhook traffic per policy; baseline and detect anomalies in web-service C2; monitor for ETW tampering and ntdll patching; block or strictly control FRP and implement policy for VS Code Tunnel usage in corporate environments.
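The endpoint recommendations above can be turned into concrete detection rules. The following is an added example, not code from eSentire or the article: two rules run over constructed Sysmon-style process-create (ID 1) and image-load (ID 7) events, flagging msedge_elf.dll sideloaded by identity_helper.exe from outside the Edge install directory or without a Microsoft signature, and hidden-window PowerShell spawned by explorer.exe as an opened .lnk lure would produce. Field names, paths and sample values are assumptions modelled on Sysmon, not observed telemetry.

```python
EDGE_DIRS = ("c:/program files (x86)/microsoft/edge/application/",
             "c:/program files/microsoft/edge/application/")

def _norm(path):
    """Lower-case and use forward slashes so prefix/suffix checks are simple."""
    return str(path).lower().replace("\\", "/")

def check_edge_sideload(ev):
    """msedge_elf.dll loaded by identity_helper.exe from a non-Edge path or unsigned (T1574.002)."""
    if ev.get("EventID") != 7:
        return []
    proc, dll = _norm(ev.get("Image", "")), _norm(ev.get("ImageLoaded", ""))
    if not (proc.endswith("/identity_helper.exe") and dll.endswith("/msedge_elf.dll")):
        return []
    findings = []
    if not dll.startswith(EDGE_DIRS):
        findings.append(f"msedge_elf.dll loaded from non-Edge path: {ev['ImageLoaded']}")
    if _norm(ev.get("Signed", "")) != "true" or "microsoft" not in _norm(ev.get("Signature", "")):
        findings.append(f"msedge_elf.dll is not Microsoft-signed: {ev['ImageLoaded']}")
    return findings

def check_lnk_powershell(ev):
    """Hidden-window PowerShell spawned by explorer.exe, the tree an opened .lnk lure produces (T1566.001/T1204)."""
    if ev.get("EventID") != 1:
        return []
    image, parent = _norm(ev.get("Image", "")), _norm(ev.get("ParentImage", ""))
    if image.endswith("/powershell.exe") and parent.endswith("/explorer.exe") \
            and "hidden" in _norm(ev.get("CommandLine", "")):
        return [f"hidden PowerShell spawned by explorer.exe: {ev['CommandLine']}"]
    return []

def scan(events):
    """Run every rule over an iterable of events and return the list of alert strings."""
    alerts = []
    for ev in events:
        alerts += check_edge_sideload(ev) + check_lnk_powershell(ev)
    return alerts

# Constructed sample events (not real telemetry); field names follow Sysmon event IDs 1 and 7.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\identity_helper.exe",
     "ImageLoaded": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge_elf.dll",
     "Signed": "true", "Signature": "Microsoft Corporation"},
    {"EventID": 7, "Image": r"C:\Users\jdoe\AppData\Local\Temp\identity_helper.exe",
     "ImageLoaded": r"C:\Users\jdoe\AppData\Local\Temp\msedge_elf.dll", "Signed": "false", "Signature": ""},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -NoProfile -WindowStyle Hidden -Command <payload placeholder>"},
]
```

The legitimate Edge load in the first sample produces no alert, while the Temp-directory sideload and the explorer-spawned hidden PowerShell each do; the same rules map directly onto Sigma or EDR query logic.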
ChaosBot highlights how LNK phishing, credential abuse, Discord-based C2, and stealth techniques can quickly establish durable access while minimizing artifacts. Enterprises should re-evaluate attachment controls, tighten policies on consumer and developer platforms, and intensify threat hunting around PowerShell, WMI, DLL sideloading, and covert reverse proxies. Keeping detection content aligned with MITRE ATT&CK and monitoring vendor intelligence (e.g., eSentire) will help defenders track evolving TTPs and respond faster to similar campaigns.