Attack Chain diagram | Image: TRU
The eSentire Threat Response Unit (TRU) identified a new Rust-based backdoor—dubbed ChaosBot—deployed inside a financial services organization’s environment. What makes this malware particularly concerning is its abuse of legitimate Discord services as a full-fledged Command-and-Control (C2) infrastructure, blending social platforms with covert cyber-operations.
The name ChaosBot originates from the Discord handle “chaos_00019”, the profile of one of the two operators controlling the malware through Discord bots.
According to eSentire, the malware’s behavior suggests a regional targeting preference toward Vietnamese-speaking victims, though attacks have also been observed elsewhere.
ChaosBot’s operators used compromised credentials—including a CiscoVPN login and an over-privileged Active Directory account (‘serviceaccount’)—to remotely deploy the malware through Windows Management Instrumentation (WMI).
“Threat actors leveraged compromised credentials that mapped to both CiscoVPN and an over-privileged Active Directory account named ‘serviceaccount.’ Using the compromised account, they leveraged WMI to execute remote commands… facilitating the deployment and execution of ChaosBot.”
The malware payload, msedge_elf.dll, was stealthily side-loaded via Microsoft Edge’s legitimate binary identity_helper.exe, hiding in the Public user profile directory.
Once executed, ChaosBot began conducting system reconnaissance and installed Fast Reverse Proxy (frp) to establish persistent communication with the attacker’s remote server.
“The ChaosBot payload (msedge_elf.dll) was side loaded via the legitimate Microsoft Edge component identity_helper.exe… ChaosBot was then used to perform system reconnaissance and download fast reverse proxy (frp) to establish a reverse proxy into the network.”
eSentire also observed the attackers experimenting with Visual Studio Code’s Tunnel feature to create an additional command-execution backdoor.
Beyond direct network exploitation, ChaosBot is also distributed via phishing campaigns using malicious Windows Shortcut (.LNK) files. These lures execute PowerShell scripts that silently download and run ChaosBot while distracting victims by opening a decoy PDF—a fake letter from the State Bank of Vietnam.
ChaosBot’s most innovative—and dangerous—feature is its use of the Discord API as a full C2 channel. The malware connects to Discord using hardcoded bot tokens, then creates new Discord channels named after infected computer hosts. These channels serve as live command terminals where threat actors send and receive instructions.
Each compromised host appears in Discord’s interface as a newly created channel. From there, operators can execute PowerShell commands, download or upload files, and even capture screenshots.
“After creating the new channel, the malware sends a message to the threat actors’ general channel notifying them of the newly compromised computer name… This channel is also where threat actors send commands to be executed by the victim computer.”
Interestingly, all known Discord servers controlled by ChaosBot share a “#general” channel named “常规”, the Chinese word for “general.” This detail led researchers to believe the operators might be using a Chinese-language version of Discord, possibly running from Asia.
ChaosBot supports multiple commands, executed through PowerShell and reported back to Discord in real time. These include:
| Command | Description |
| --- | --- |
| shell <command> | Execute command via PowerShell and upload stderr/stdout to Discord channel as a TXT file named like command_result_<GUID>.txt or message.txt. |
| download <download_url> <dest_path> | Download a file to the victim device |
| scr | Screenshot the victim device and upload to Discord channel as a PNG file named like screenshot_<GUID>.png or screenshot.png |
| upload <src_path> | Upload specified file from victim device to Discord channel |
One notable feature is the UTF-8 encoding directive preceding every PowerShell command, ensuring ChaosBot properly handles multilingual text output from compromised systems.
ChaosBot exhibits advanced evasion features, including techniques to bypass Event Tracing for Windows (ETW) and detect virtualized environments.
The malware also performs MAC address checks to identify if it’s running inside VMware or VirtualBox, exiting immediately if virtualization is detected.
eSentire’s analysis showed ChaosBot deploying Fast Reverse Proxy (FRP) as a persistence mechanism. The attackers used FRP’s SOCKS5 plugin to create encrypted tunnels into the victim network via AWS Hong Kong IP 18.162.110[.]113.
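The deployment chain (WMI execution under the compromised account, identity_helper.exe side-loading msedge_elf.dll from the Public profile), the Discord C2 channel and the frp tunnel described above all leave host telemetry that can be matched. The following detection sketch is an added example, not eSentire's or TRU's tooling; it runs over constructed Sysmon-style events (field names and sample paths are assumptions, the frp client file name frpc.exe is assumed, and the frp server IP is the one reported in the article).

```python
import re

# Constructed Sysmon-style events (not real telemetry). id 1 = process create,
# id 7 = image load, id 3 = network connection. Paths/users are invented.
SAMPLE_EVENTS = [
    {"id": 1, "Image": r"C:\Users\Public\identity_helper.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "User": r"CORP\serviceaccount"},
    {"id": 7, "Image": r"C:\Users\Public\identity_helper.exe",
     "ImageLoaded": r"C:\Users\Public\msedge_elf.dll"},
    {"id": 3, "Image": r"C:\Users\Public\identity_helper.exe",
     "DestinationHostname": "discord.com", "DestinationPort": 443},
    {"id": 3, "Image": r"C:\Users\Public\frpc.exe",          # frp client name assumed
     "DestinationIp": "18.162.110.113", "DestinationPort": 7000},
    {"id": 1, "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\identity_helper.exe",
     "ParentImage": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe", "User": r"CORP\alice"},
]

PUBLIC_PROFILE = re.compile(r"^c:\\users\\public\\", re.IGNORECASE)
EDGE_DIRS = re.compile(r"^c:\\program files( \(x86\))?\\microsoft\\edge\\", re.IGNORECASE)
BROWSER_LIKE = {"msedge.exe", "chrome.exe", "firefox.exe", "discord.exe"}
FRP_C2 = {"18.162.110.113"}  # AWS Hong Kong address reported for the frp tunnel


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(ev):
    """Return the list of finding labels raised by one event."""
    findings = []
    img = ev.get("Image", "")
    # Edge helper binary running from anywhere but the Edge install directory
    if basename(img) == "identity_helper.exe" and not EDGE_DIRS.match(img):
        findings.append("edge_helper_outside_install_dir")
    # msedge_elf.dll loaded from a user-writable location (side-load staging)
    dll = ev.get("ImageLoaded", "")
    if basename(dll) == "msedge_elf.dll" and PUBLIC_PROFILE.match(dll):
        findings.append("msedge_elf_sideload")
    # Child of the WMI provider host: remote command execution via WMI
    if basename(ev.get("ParentImage", "")) == "wmiprvse.exe":
        findings.append("wmi_spawned_process")
    # Discord API traffic from something that is neither a browser nor the Discord client
    if ev.get("DestinationHostname", "").endswith("discord.com") and basename(img) not in BROWSER_LIKE:
        findings.append("discord_from_unexpected_process")
    # Outbound connection to the reported frp server
    if ev.get("DestinationIp") in FRP_C2:
        findings.append("frp_c2_connection")
    return findings


def scan(events):
    """Map event index -> findings, keeping only events that raised something."""
    return {i: detect(ev) for i, ev in enumerate(events) if detect(ev)}
```

The last sample event (identity_helper.exe launched by msedge.exe from the Edge install directory) is benign and raises nothing, which is the check that keeps the side-load rule from firing on every Edge start.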
In an intriguing experiment, the actors attempted to configure Visual Studio Code’s ‘Tunnel Service’ as an additional reverse shell. The command ultimately failed due to authentication prompts, suggesting the attackers were still refining their PowerShell syntax.
TRU identified two Discord accounts directly involved in ChaosBot operations:
- chaos_00019 (Created: June 7, 2024)
- lovebb0024 (Created: May 9, 2024)
Both accounts were observed sending and receiving commands across the bot-controlled Discord channels. Metadata also hints that the malware’s developer operates from a workstation named “ROSE0376”, a potential developer system ID embedded in the malware strings.