ChaosBot Malware Turns Discord Into A Covert Command Hub
Cybersecurity firms have uncovered a sophisticated backdoor dubbed ChaosBot, written in the Rust programming language, that uses the chat-and-voice platform Discord for command-and-control traffic, marking a distinct shift in how threat actors are orchestrating cyber-intrusions. The campaign appears to have begun in a financial-services environment, with attackers leveraging compromised credentials and advanced evasion methods to sidestep detection.
According to reports from the vendor eSentire, the incident first emerged in late September 2025, when an over-privileged Active Directory account named "serviceaccount", combined with valid credentials for a Cisco VPN instance, was used to gain a foothold within a corporate network. The malicious payload, msedgeelf.dll, was sideloaded through the Microsoft Edge helper binary identityhelper.exe from the Public user profile directory, enabling execution under a trusted application context.
Once the backdoor is resident on the endpoint, ChaosBot engages with the Discord API using hard-coded bot tokens. It then creates a new Discord channel named after the compromised host and takes instructions from the operator via the attacker-controlled server. Commands such as "shell", "scr", "download" and "upload" are supported, allowing file transfers and arbitrary command execution across infected machines.
The threat actors appear to have targeted Vietnamese-language environments primarily, though the campaign is not restricted to one geography. Researchers also observed parallel activity by the related malware family Chaos-C++, a C++-based destructive tool capable of deleting large files and hijacking the clipboard to steal cryptocurrency wallet addresses.
Key to ChaosBot's stealth is the use of legitimate-looking infrastructure. The DLL sideloading technique ensures deployment under a trusted binary, while the use of Discord allows C2 traffic to blend with normal network flows, significantly complicating detection by traditional security tools. The malware also includes evasion mechanisms: it patches the ntdll!EtwEventWrite function to disable Event Tracing for Windows, and checks MAC-address prefixes to detect virtualised environments before proceeding, exiting silently if a VM is found.
Access vectors include phishing emails containing malicious Windows shortcut files. When executed by a user, the .LNK file launches a PowerShell command that fetches and executes the malware while concurrently opening a decoy PDF impersonating correspondence from the State Bank of Vietnam, designed to distract the victim during the malicious download.
Once the system is compromised, the attackers use the WMI mechanism for remote code execution and lateral movement across the network, allowing ChaosBot to spread without requiring interactive user logins. Following reconnaissance, the threat actors deploy Fast Reverse Proxy (FRP) tools to establish encrypted tunnels, sometimes using AWS Hong Kong IP addresses, to maintain connectivity into the victim's environment.
The use of Discord for command and control poses a new challenge for enterprises. Unlike classic C2 channels which may rely on bespoke domains or IP addresses that can be blocked or flagged, Discord traffic is inherently trusted in many corporate networks. Analysts note that blocking or sanctioning Discord can disrupt legitimate business functions, making it a difficult vector to neutralise.
What this campaign highlights is a broader trend of threat actors "living off the land" by abusing legitimate protocols and platforms, and shifting towards more sophisticated evasion and persistence methods. Security teams are advised to monitor for anomalous Discord bot activity, audit over-privileged service accounts, enforce multi-factor authentication on VPNs and AD logins, and scrutinise DLL loads by signed binaries. Integrating telemetry that detects patched ETW behaviour and unexpected outbound tunnels, such as those using FRP, is now increasingly critical.