In late September 2025, eSentire’s Threat Response Unit (TRU) found something new and dangerous. A Rust-based backdoor inside a financial services client’s network. They called it ChaosBot.
ChaosBot uses Discord (the same chat service gamers and teenagers use every day) as its command center. A malefactor calling himself “chaos_00019” controlled it, sending instructions to infected machines through Discord’s normal channels.
The malware didn’t target everyone. Its operators seemed to focus on Vietnamese speakers. Not exclusively, but often enough to notice.
The Break-In
The attack began with stolen credentials. One belonged to a VPN user, another to an over-privileged Active Directory service account. With those, the bad actors moved quietly through the network using WMI, deploying ChaosBot system by system.
They hid the payload (msedge_elf.dll) inside a legitimate Microsoft Edge component. Once running, ChaosBot mapped the system, fetched a fast reverse proxy (FRP), and opened a tunnel back out.
Then came the experiments. The malicious actors downloaded Visual Studio Code and tried to install a “code tunnel” service, perhaps searching for another way in. The command failed, but it showed intent: persistence through creativity.
Another Door In
Elsewhere, ChaosBot spread through phishing lures. According to researcher Szabolcs Schmidt, malicious Windows shortcuts were used to trigger PowerShell commands. Victims would see an innocuous PDF (a fake notice from the State Bank of Vietnam) while ChaosBot installed quietly in the background.
One click. One false document. One new backdoor.
Inside ChaosBot
ChaosBot is written in Rust, built with either the reqwest or serenity library to talk to Discord. Each sample carried its own bot token, server ID, and communication channel. When a new device was infected, the malware verified its token, created a Discord channel named after the victim’s computer, and sent a message announcing its success.
The messages appeared in a channel labeled Chinese for “general.” A sign that the operators may use a localized Discord client.
From there, commands flowed in. “Shell systeminfo.” “Ipconfig /all.” “Scr.” The malware fetched system details, screenshots, or files, then sent them back through Discord as simple attachments. Nothing exotic, just steady, deliberate theft.
Built to Evade
Newer versions of ChaosBot became even more intelligent. They patched Windows’ Event Tracing (ETW), blinding endpoint protection tools to their presence. They also checked MAC addresses, quitting quietly if they picked up any virtual machines, a classic sandbox evasion move.
Once inside a real network, they downloaded FRP tools, renamed them node.exe, and configured them to maintain persistent access through encrypted SOCKS5 tunnels hosted on AWS infrastructure in Hong Kong.
The People Behind It
Analysis of a dozen samples revealed two Discord accounts driving operations:
- chaos_00019, created June 2024
- lovebb0024, created May 2024
Strings in the code suggest the developer’s local machine name, ROSE0376, a small but telling detail in a mountain of obfuscation.
Lessons from ChaosBot
While ChaosBot might be new, bu its success depends on a host of familiar mistakes, like weak credentials, excessive privileges, and unpatched systems.
Organizations should:
- Enforce strong passwords and mandatory MFA
- Limit VPN account privileges
- Revoke unused credentials promptly
- Keep patches current
- Monitor authentication logs for anomalies
- Use EDR or NGAV tools to catch intrusions early
And for those who can, partner with a 24/7 Managed Detection and Response (MDR) service.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.