
ChaosBot uses Discord channels to control victims’ computers

Infosec specialists at eSentire have discovered a new backdoor, ChaosBot, written in Rust that lets its operators perform reconnaissance and execute arbitrary commands on compromised hosts. The malware is notable for using Discord as its command-and-control channel.

Researchers first spotted the malware in late September 2025, within the infrastructure of their client in the financial sector.

“The attackers used stolen credentials that worked for both the Cisco VPN and a privileged Active Directory account named serviceaccount,” the researchers report. “Using the compromised account, they leveraged WMI to execute remote commands on systems across the network, which facilitated the deployment and launch of ChaosBot.”

ChaosBot got its name thanks to a Discord profile belonging to a threat actor using the handle chaos_00019 — this is the account that sends remote commands to infected devices. Another Discord account associated with the malware is lovebb0024.

The malware spreads through phishing messages carrying a malicious Windows shortcut (LNK file). When the recipient opens the LNK file, an embedded PowerShell command downloads and launches ChaosBot, while a decoy PDF posing as a letter from the State Bank of Vietnam is displayed so the victim sees what they expected.

The payload is a malicious DLL (msedge_elf.dll) that is sideloaded by the legitimate Microsoft Edge helper executable identity_helper.exe, so the malicious code runs inside a signed, familiar-looking process. The malware then performs system reconnaissance and downloads Fast Reverse Proxy (FRP), which gives the operators a reverse proxy into the network and persistent access to the compromised machine.
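The sideload described above has a simple telemetry signature: identity_helper.exe is an Edge component, and Edge ships its own msedge_elf.dll beside it, so a copy of identity_helper.exe loading msedge_elf.dll from anywhere other than the Edge installation tree deserves a look. The following is an added detection example written for this page, not code from eSentire or from the malware; it runs over constructed module-load records shaped like Sysmon Event ID 7 (Image / ImageLoaded), and the Edge install roots in EDGE_ROOTS are an assumption you should adjust to your estate.

```python
"""Heuristic for the identity_helper.exe -> msedge_elf.dll sideload.

Added example for illustration; the sample events are constructed, not real
telemetry, and EDGE_ROOTS is an assumption about where Edge is installed.
"""
import ntpath
from dataclasses import dataclass

# Assumption: a genuine Edge install lives under one of these roots. Edge's own
# identity_helper.exe sits next to its own msedge_elf.dll in the versioned
# Application directory, so both paths should resolve under a root.
EDGE_ROOTS = (
    r"c:\program files\microsoft\edge\application",
    r"c:\program files (x86)\microsoft\edge\application",
)


@dataclass
class ModuleLoad:
    image: str         # full path of the process image (Sysmon EID 7 "Image")
    image_loaded: str  # full path of the DLL (Sysmon EID 7 "ImageLoaded")


def under_edge_root(path: str) -> bool:
    """True if the directory containing `path` is inside an Edge install root."""
    directory = ntpath.dirname(path).lower()
    return any(directory == root or directory.startswith(root + "\\")
               for root in EDGE_ROOTS)


def is_suspicious_sideload(ev: ModuleLoad) -> bool:
    """Flag identity_helper.exe loading msedge_elf.dll when either file lives
    outside the Edge installation tree (the classic sideload layout)."""
    if ntpath.basename(ev.image).lower() != "identity_helper.exe":
        return False
    if ntpath.basename(ev.image_loaded).lower() != "msedge_elf.dll":
        return False
    return not (under_edge_root(ev.image) and under_edge_root(ev.image_loaded))


def suspicious_images(events) -> list:
    """Return the process image paths of every event the heuristic flags."""
    return [e.image for e in events if is_suspicious_sideload(e)]


# Constructed sample events (version directory and user paths are made up).
SAMPLE_EVENTS = [
    ModuleLoad(r"C:\Program Files (x86)\Microsoft\Edge\Application\120.0.0.0\identity_helper.exe",
               r"C:\Program Files (x86)\Microsoft\Edge\Application\120.0.0.0\msedge_elf.dll"),
    ModuleLoad(r"C:\Users\Public\Libraries\identity_helper.exe",
               r"C:\Users\Public\Libraries\msedge_elf.dll"),
    ModuleLoad(r"C:\Windows\System32\notepad.exe",
               r"C:\Windows\System32\kernel32.dll"),
]

if __name__ == "__main__":
    for image in suspicious_images(SAMPLE_EVENTS):
        print("suspicious sideload:", image)
```

The heuristic keys on file location rather than file hash on purpose: the attacker copies the genuine, signed identity_helper.exe, so a hash or signature check on the EXE passes, and only the unusual directory and the companion DLL give the layout away.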

It was also observed that the attackers attempted to use the malware to set up Visual Studio Code Tunnel as an additional backdoor with command execution capabilities, but were unsuccessful.

The malware's main job is to read instructions from a Discord channel named after the victim's computer. Some of the commands ChaosBot supports include:

  • shell — executing shell commands via PowerShell;
  • scr — capturing screenshots;
  • download — downloading files to the victim’s device;
  • upload — uploading files to the Discord channel.

“New variants of ChaosBot use evasion techniques to bypass ETW [Event Tracing for Windows] and virtual machines,” eSentire notes. “The first technique patches the first few instructions of ntdll!EtwEventWrite (xor eax, eax -> ret). The second technique checks the system’s MAC addresses against known MAC address prefixes for VMware and VirtualBox virtual machines. If a match is found, the malware terminates.”
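Both evasion tricks quoted above are easy to reason about once written down. The block below is an added example written for this page, not eSentire's tooling or the malware's code: `etw_event_write_patched` recognizes the "xor eax, eax; ret" stub at the start of a function prologue (both 31 C0 and 33 C0 are valid encodings of xor eax,eax, so a detector must accept either), `read_etw_prologue` optionally reads the live bytes of ntdll!EtwEventWrite on Windows via ctypes, and `vm_vendor_for_macs` reconstructs the MAC-prefix test from the description in the quote. The specific OUI list in VM_MAC_PREFIXES is my own selection of well-known VMware and VirtualBox prefixes, not one taken from the malware.

```python
"""ETW-patch detection and a VM MAC-prefix check, as added illustration.

The pure functions work on bytes and strings so they run anywhere; only
read_etw_prologue() touches a real process and is Windows-only.
"""
import ctypes
import sys

# Encodings of "xor eax, eax ; ret" on x86/x64. 31 C0 and 33 C0 both mean
# xor eax,eax; C3 is ret. This stub makes EtwEventWrite return 0 at once.
ETW_STUBS = (b"\x31\xc0\xc3", b"\x33\xc0\xc3")


def etw_event_write_patched(prologue: bytes) -> bool:
    """True if the first bytes of an EtwEventWrite prologue are the 'return 0' stub."""
    return any(prologue[:len(stub)] == stub for stub in ETW_STUBS)


def read_etw_prologue(n: int = 8) -> bytes:
    """Windows only: read the first n bytes of ntdll!EtwEventWrite in this process."""
    if sys.platform != "win32":
        raise OSError("ntdll is only available on Windows")
    ntdll = ctypes.WinDLL("ntdll")
    address = ctypes.cast(ntdll.EtwEventWrite, ctypes.c_void_p).value
    return ctypes.string_at(address, n)


# Assumption: a hand-picked set of well-known hypervisor OUIs, not the list
# used by the malware.
VM_MAC_PREFIXES = {
    "00:05:69": "VMware",
    "00:0c:29": "VMware",
    "00:1c:14": "VMware",
    "00:50:56": "VMware",
    "08:00:27": "VirtualBox",
}


def normalize_mac(mac: str) -> str:
    """Accept 00-50-56-AB-CD-EF, 0050.56ab.cdef or 00:50:56:ab:cd:ef; return aa:bb:cc:dd:ee:ff."""
    hexdigits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def vm_vendor_for_macs(macs) -> "str | None":
    """Return the hypervisor vendor of the first matching MAC, or None.

    This is the decision the malware makes: a match means 'sandbox, exit'."""
    for mac in macs:
        vendor = VM_MAC_PREFIXES.get(normalize_mac(mac)[:8])
        if vendor:
            return vendor
    return None


if __name__ == "__main__":
    # Constructed sample inputs.
    print(etw_event_write_patched(b"\x33\xc0\xc3\xcc\xcc"))        # the stub
    print(etw_event_write_patched(b"\x4c\x8b\xdc\x48\x83\xec\x58"))  # a normal prologue
    print(vm_vendor_for_macs(["00-50-56-AB-CD-EF"]))
    print(vm_vendor_for_macs(["3c:52:82:00:11:22"]))
    if sys.platform == "win32":
        print("EtwEventWrite patched in this process:",
              etw_event_write_patched(read_etw_prologue()))
```

Two practical notes follow from this. An EDR or a hunting script can call the live check inside a suspect process (or compare the in-memory prologue against the on-disk ntdll) to catch the patch after the fact; and an analysis sandbox can defeat the second check simply by giving its virtual NIC a MAC outside the hypervisor OUIs, which is cheaper than patching the sample.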
