Chaos-C++ ransom note
FortiGuard Labs has identified a new, highly destructive variant of the Chaos ransomware, marking a major shift in its evolution — both in language and tactics. Dubbed Chaos-C++, this strain represents the first version of Chaos written outside the .NET framework, introducing a blend of data encryption, file destruction, and cryptocurrency theft.
As FortiGuard researchers explain, “In 2025, Chaos ransomware resurfaced with a C++ variant. We believe this marks the first time it was not written in .NET. Beyond encryption and ransom demands, it adds destructive extortion tactics and clipboard hijacking for cryptocurrency theft.”
The attack begins with a deceptive downloader disguised as a utility called “System Optimizer v2.1.” This fake program executes convincingly, printing benign optimization messages while secretly deploying the ransomware payload in the background.
FortiGuard Labs describes, “The Chaos-C++ ransomware downloader masquerades as a fake utility, System Optimizer v2.1. It opens a console with bogus optimization messages to build credibility while silently deploying its ransomware payload in the background.”
The payload — saved under a temporary filename like %TMP%\svc[XXXX].tmp — is executed stealthily using CreateProcessA() with the CREATE_NO_WINDOW flag. If that fails, Chaos falls back to running via cmd.exe, ensuring that execution remains hidden from the user.
During installation, Chaos logs activity to a file named sysopt.log in the %TMP% directory, establishing a consistent forensic footprint across infected systems.
Before encryption begins, Chaos-C++ checks for administrative privileges by attempting to create a file at C:\WINDOWS\test.tmp. If successful, it indicates elevated rights — allowing it to execute a series of system-destructive commands designed to eliminate recovery options.
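The host artifacts named above (sysopt.log and the svc[XXXX].tmp drop in %TMP%, the C:\WINDOWS\test.tmp privilege probe, and the .chaos suffix) can be turned into a simple hunting rule. The script below is an added example, not code from the FortiGuard report; it assumes a specific expansion of %TMP%, treats the XXXX placeholder as alphanumeric, and runs over constructed file-creation events.

```python
import re
from typing import Dict, List, Optional, Tuple
from pathlib import PureWindowsPath

# Assumed expansion of %TMP% for the sample host; adjust per system.
TMP_DIR = r"C:\Users\victim\AppData\Local\Temp"

def classify_path(path: str, tmp_dir: str = TMP_DIR) -> Optional[str]:
    """Map a created/written file path to a Chaos-C++ artifact label, or None."""
    p = PureWindowsPath(path)
    in_tmp = str(p.parent).lower() == tmp_dir.lower()
    name = p.name.lower()
    if in_tmp and name == "sysopt.log":
        return "chaos_log"                 # installation log written to %TMP%
    if in_tmp and re.fullmatch(r"svc\w+\.tmp", name):
        return "chaos_payload_drop"        # %TMP%\svc[XXXX].tmp (XXXX assumed alphanumeric)
    if str(p).lower() == r"c:\windows\test.tmp":
        return "chaos_admin_check"         # privilege probe before the destructive commands
    if p.suffix.lower() == ".chaos":
        return "chaos_encrypted_file"      # .chaos appended after in-place encryption
    return None

# Constructed (image, created path) events, as an EDR/Sysmon export might list them.
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    ("System Optimizer v2.1.exe", r"C:\Users\victim\AppData\Local\Temp\sysopt.log"),
    ("System Optimizer v2.1.exe", r"C:\Users\victim\AppData\Local\Temp\svc1a2b.tmp"),
    ("svc1a2b.tmp", r"C:\WINDOWS\test.tmp"),
    ("svc1a2b.tmp", r"C:\Users\victim\Documents\budget.xlsx.chaos"),
    ("notepad.exe", r"C:\Users\victim\Documents\notes.txt"),
]

def triage(events: List[Tuple[str, str]]) -> Tuple[Dict[str, List[str]], str]:
    """Group matching events by artifact and return a per-host verdict."""
    hits: Dict[str, List[str]] = {}
    for image, path in events:
        label = classify_path(path)
        if label:
            hits.setdefault(label, []).append(f"{image} -> {path}")
    # Threshold chosen for this example: two distinct artifacts on one host = confirmed.
    verdict = "confirmed" if len(hits) >= 2 else ("suspicious" if hits else "clean")
    return hits, verdict

if __name__ == "__main__":
    found, verdict = triage(SAMPLE_EVENTS)
    print(verdict, found)
```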
Among these commands are:
FortiGuard confirms that “these operations are widely observed across different variants of Chaos families”, highlighting a consistent pattern of anti-recovery and persistence tactics.
Once initialized, Chaos-C++ identifies and processes files based on size thresholds to balance speed and impact. According to FortiGuard, it “begins enumerating target files starting with user directories such as Desktop, Documents, and Downloads, before expanding to other available drives.”
The ransomware applies a three-tiered approach:
- ≤ 50 MB: Files are fully encrypted.
- 50 MB – 1.3 GB: Files are skipped to optimize performance.
- > 1.3 GB: File content is deleted entirely — a rare and destructive tactic that permanently erases data.
As FortiGuard Labs notes, “Deleting file content is a rare move among ransomware families, as it eliminates any possibility of recovering files.”
This strategy ensures that Chaos can complete attacks faster, even across systems with large storage volumes, while still causing maximum psychological pressure on victims.
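Because the three tiers decide which files are recoverable, an incident responder can estimate impact from a pre-infection backup catalog before touching the host. This is an added example, not FortiGuard's code; it assumes 1024-based MB/GB units and uses a constructed inventory.

```python
from typing import Dict, List, Tuple

# Tier boundaries as reported for Chaos-C++; 1024-based units are an assumption here.
MB = 1024 * 1024
GB = 1024 * MB
FULL_ENCRYPT_MAX = 50 * MB        # <= 50 MB: encrypted in place, renamed *.chaos
SKIP_MAX = int(1.3 * GB)          # 50 MB .. 1.3 GB: left untouched
                                  # > 1.3 GB: content deleted, only backups can restore it

def expected_fate(size_bytes: int) -> str:
    """Predict what Chaos-C++ does to a file of the given size."""
    if size_bytes <= FULL_ENCRYPT_MAX:
        return "encrypted"
    if size_bytes <= SKIP_MAX:
        return "skipped"
    return "destroyed"

# Constructed (path, size in bytes) inventory from a pre-infection backup catalog.
SAMPLE_INVENTORY: List[Tuple[str, int]] = [
    (r"C:\Users\victim\Documents\budget.xlsx", 2 * MB),
    (r"C:\Users\victim\Desktop\notes.txt", 4 * 1024),
    (r"C:\Users\victim\Downloads\installer.iso", 700 * MB),
    (r"C:\Users\victim\Videos\wedding.mp4", 4 * GB),
    (r"D:\backups\vm-disk.vhdx", 40 * GB),
]

def impact_report(inventory: List[Tuple[str, int]]) -> Tuple[Dict[str, List[str]], int]:
    """Bucket files by expected fate and total the bytes not readable without backups."""
    by_fate: Dict[str, List[str]] = {"encrypted": [], "skipped": [], "destroyed": []}
    bytes_lost = 0
    for path, size in inventory:
        fate = expected_fate(size)
        by_fate[fate].append(path)
        if fate != "skipped":          # encrypted and destroyed files are both unreadable
            bytes_lost += size
    return by_fate, bytes_lost

if __name__ == "__main__":
    report, lost = impact_report(SAMPLE_INVENTORY)
    for fate, paths in report.items():
        print(f"{fate}: {len(paths)} file(s)")
    print(f"bytes unreadable without backups: {lost}")
```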
Chaos-C++ demonstrates resilience in its encryption design. If Windows CryptoAPI is available, it performs AES-256-CFB encryption, deriving the key from a random string hashed via SHA-256.
The ransomware executes a sequence of cryptographic API calls — CryptAcquireContextA, CryptCreateHash, CryptHashData, and CryptDeriveKey — to generate the encryption key, before encrypting file contents in place.
FortiGuard explains, “If the CryptoAPI functions are unavailable, Chaos switches to a fallback encryption method using XOR, a significantly weaker algorithm.”
This fallback mechanism guarantees operational continuity, even on restricted systems lacking full cryptographic libraries. After encryption, Chaos overwrites the original file, appending the .chaos extension and leaving only an irretrievably encrypted version behind.
Perhaps the most notable innovation in Chaos-C++ is its clipboard hijacking functionality — a stealthy addition targeting cryptocurrency users.
The ransomware continuously monitors the clipboard for text strings matching Bitcoin address formats (26–64 characters beginning with 1, 3, or bc1). When detected, it replaces them with an attacker-controlled wallet address.
According to FortiGuard, “Once a valid address is identified, Chaos-C++ replaces it with a hardcoded attacker-controlled Bech32 Bitcoin wallet. This ensures that any attempted Bitcoin payment is silently redirected to the attacker.”
This means that even users attempting legitimate cryptocurrency transactions — for ransom payment or unrelated purposes — risk unknowingly sending funds directly to the attackers.
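A defender can catch this kind of swap by comparing what the user actually copied with what the clipboard holds a moment later. The guard below is an added example, not code from the report; the address pattern follows the description above (26 to 64 characters starting with 1, 3 or bc1, no checksum validation), and the event stream and both addresses are constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Shapes the article says Chaos-C++ looks for; format check only, no checksum validation.
BTC_ADDR = re.compile(r"^(bc1[0-9a-z]{23,61}|[13][1-9A-HJ-NP-Za-km-z]{25,63})$")

def address_kind(text: str) -> Optional[str]:
    """Return 'bech32' or 'legacy/p2sh' if text looks like a Bitcoin address, else None."""
    if not BTC_ADDR.match(text):
        return None
    return "bech32" if text.startswith("bc1") else "legacy/p2sh"

def detect_clipboard_swaps(events: List[Tuple[str, str]]) -> List[Dict[str, object]]:
    """events are (source, text): 'user_copy' = what the user placed on the clipboard,
    'poll' = what the clipboard holds now. Flag any poll where an address the user
    copied has been replaced by a different address without a new user copy."""
    alerts: List[Dict[str, object]] = []
    last_user_text: Optional[str] = None
    for index, (source, text) in enumerate(events):
        if source == "user_copy":
            last_user_text = text
            continue
        if (last_user_text is not None and address_kind(last_user_text)
                and address_kind(text) and text != last_user_text):
            alerts.append({"event": index, "expected": last_user_text,
                           "found": text, "found_kind": address_kind(text)})
    return alerts

# Constructed sequence: the user copies a legacy-format address, then the clipboard
# silently changes to a Bech32 address; later a harmless string is copied.
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    ("user_copy", "1Defender1Defender1Defender1Defend"),
    ("poll", "1Defender1Defender1Defender1Defend"),
    ("poll", "bc1qattackerattackerattackerattacker7"),
    ("user_copy", "meeting at 10"),
    ("poll", "meeting at 10"),
]

if __name__ == "__main__":
    for alert in detect_clipboard_swaps(SAMPLE_EVENTS):
        print("clipboard address replaced:", alert)
```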
FortiGuard’s comparative analysis of Chaos variants reveals an escalating trend in destructive efficiency.
Earlier versions such as Chaos_2021 and BlackSnake (both written in .NET) used full encryption across all file sizes. The Lucky_Gh0$t variant, identified in early 2025, began introducing selective data destruction — replacing contents of files larger than 1.3 GB with identical bytes.
By contrast, Chaos-C++_type3, the variant analyzed in this report, combines encryption, skipping, and outright deletion to maximize both impact and speed.