Discord Used by New Rust Malware “ChaosBot”

Insights Desk October 13, 2025
ChaosBot Rust malware using Discord C2

Cybersecurity firm eSentire has uncovered a sophisticated new Rust-based malware, dubbed “ChaosBot,” which uses legitimate Discord services for command-and-control (C2) operations. The discovery was made in late September 2025 by eSentire’s Threat Response Unit (TRU) while investigating a breach within a financial services organization.

According to eSentire, ChaosBot was deployed using compromised credentials, including a CiscoVPN account and an over-privileged Active Directory account named “serviceaccount.” Once inside the network, attackers leveraged Windows Management Instrumentation (WMI) to execute remote commands and install the malware across multiple systems.

The ChaosBot payload, identified as msedge_elf.dll, was side-loaded by identity_helper.exe, a legitimate Microsoft Edge component, from the public user profile directory, which makes the malicious activity harder to distinguish from normal browser behavior.

The malware’s capabilities include system reconnaissance and the deployment of a fast reverse proxy (frp) to establish persistent access. Analysts also observed that attackers experimented with Visual Studio Code, attempting to configure a VS Code Tunnel service as an additional backdoor, enabling remote command and script execution.

Further investigation by TRU revealed that ChaosBot operators predominantly target Vietnamese speakers, though the attacks are not limited to that group. Attack campaigns frequently rely on phishing with malicious Windows Shortcut files (.lnk) that launch PowerShell commands to download and execute ChaosBot.

To avoid suspicion, these shortcuts simultaneously open seemingly legitimate PDFs, masquerading as correspondence from the State Bank of Vietnam.
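The three on-host behaviors the article describes (WMI-driven remote command execution, a DLL side-loaded by identity_helper.exe from the public profile directory, and a shortcut-launched PowerShell download) each leave a recognisable trace in process-creation and image-load telemetry. The following detection logic is an added example written for this page; it is not code from eSentire or from the article, and the Sysmon-style event records, field names and sample command lines are constructed for illustration. It generalises the article's specifics slightly: any identity_helper.exe running or loading msedge_elf.dll from outside the Edge install directory is flagged, not only the public-profile case.

```python
"""Detection logic for the ChaosBot-style intrusion pattern described above.

Added example: event schema, paths and command lines below are constructed,
not taken from the eSentire report. Field names mirror Sysmon Event ID 1
(process create) and Event ID 7 (image load) but are an assumption.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str                # "process_create" or "image_load"
    image: str               # full path of the process image
    parent: str = ""         # parent process image (process_create only)
    command_line: str = ""   # command line (process_create only)
    loaded_image: str = ""   # DLL path (image_load only)


# Interpreters that WMI or a shortcut would typically launch.
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "mshta.exe"}

# Where Edge binaries legitimately live; anything else is suspicious for these names.
EDGE_DIR = re.compile(r"^c:\\program files( \(x86\))?\\microsoft\\edge\\", re.I)

# Common PowerShell download cues seen in shortcut-launched command lines.
DOWNLOAD_CUES = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b"
    r"|net\.webclient|start-bitstransfer",
    re.I,
)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule_name, evidence) tuples for every event that matches a rule."""
    findings = []
    for e in events:
        if e.kind == "process_create":
            parent, child = basename(e.parent), basename(e.image)
            # WMI remote execution: the WMI provider host spawning an interpreter.
            if parent == "wmiprvse.exe" and child in SHELLS:
                findings.append(("wmi_remote_exec", e.command_line))
            # Shortcut phishing: explorer.exe launches a shell whose command line
            # downloads content (a .lnk launch looks like an explorer.exe child).
            if parent == "explorer.exe" and child in SHELLS and DOWNLOAD_CUES.search(e.command_line):
                findings.append(("lnk_download_cradle", e.command_line))
            # The Edge helper executing from anywhere but the Edge install directory.
            if child == "identity_helper.exe" and not EDGE_DIR.match(e.image):
                findings.append(("edge_helper_outside_install_dir", e.image))
        elif e.kind == "image_load":
            # Side-load: identity_helper.exe resolving msedge_elf.dll from a
            # non-Edge directory (the public profile in the reported case).
            if (basename(e.image) == "identity_helper.exe"
                    and basename(e.loaded_image) == "msedge_elf.dll"
                    and not EDGE_DIR.match(e.loaded_image)):
                findings.append(("msedge_elf_sideload", e.loaded_image))
    return findings


# Constructed sample telemetry: three malicious events, two benign controls.
SAMPLE_EVENTS = [
    Event("process_create", r"C:\Windows\System32\cmd.exe",
          parent=r"C:\Windows\System32\wbem\WmiPrvSE.exe", command_line="cmd.exe /c whoami"),
    Event("process_create", r"C:\Users\Public\identity_helper.exe",
          parent=r"C:\Windows\System32\cmd.exe", command_line="identity_helper.exe"),
    Event("image_load", r"C:\Users\Public\identity_helper.exe",
          loaded_image=r"C:\Users\Public\msedge_elf.dll"),
    Event("process_create", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent=r"C:\Windows\explorer.exe",
          command_line="powershell.exe -w hidden Invoke-WebRequest http://example.invalid/doc.pdf"),
    # Benign controls: Edge loading its own DLL, and a user running a harmless cmdlet.
    Event("image_load", r"C:\Program Files (x86)\Microsoft\Edge\Application\identity_helper.exe",
          loaded_image=r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge_elf.dll"),
    Event("process_create", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent=r"C:\Windows\explorer.exe", command_line="powershell.exe Get-Date"),
]

if __name__ == "__main__":
    for rule, evidence in detect(SAMPLE_EVENTS):
        print(f"{rule:32} {evidence}")
```

Each rule is deliberately narrow so that the legitimate cases (Edge loading its own msedge_elf.dll from the install directory, a user running PowerShell interactively) produce no findings, while the behaviours from the article each fire exactly once on the sample data. In a real deployment the same logic maps directly onto Sysmon or EDR process and image-load events; tune `SHELLS` and `DOWNLOAD_CUES` to your environment before alerting.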

eSentire emphasized that its Security Operations Centers (SOCs), staffed 24/7 with elite threat hunters and cyber analysts, were able to rapidly identify and contain the threat.

The company’s TRU team supports its SOCs with advanced threat analytics, tactical threat response, and threat intelligence, helping clients respond to nation-state-level attacks and sophisticated malware campaigns like ChaosBot.

The malware’s name is derived from a Discord profile, “chaos_00019,” linked to the threat actor orchestrating the attacks. Analysts warn that this campaign demonstrates how attackers are increasingly leveraging legitimate platforms like Discord to bypass traditional security defenses, highlighting the importance of continuous monitoring and proactive threat hunting.

This discovery underscores the evolving threat landscape and the need for enterprises to combine advanced security technologies with expert human oversight to detect, investigate, and mitigate sophisticated attacks in real time.
