I found a new backdoor written in Rust called ChaosBot. It uses Discord, a regular chat platform, as its command-and-control channel. The attackers create a Discord channel for each infected computer and send commands there. The infected machine replies by uploading text, files, or screenshots into that channel. Because Discord is a legitimate service, using it helps the attackers hide their communications among normal traffic.

The attackers got inside networks in more than one way, but the main method was abusing stolen or over-privileged credentials. In observed cases they used compromised VPN credentials and an Active Directory account with too many rights. With those credentials they used Windows Management Instrumentation (WMI) to run commands and push the malicious payload to multiple systems inside the network.

Once they had access, the operators used DLL sideloading to make the malware run through a trusted program. The malicious DLL was observed under the name msedge_elf.dll and was loaded by a legitimate helper binary. Placing the DLL in a public folder next to that binary caused the trusted program to load and execute it, which helped the backdoor blend in and avoid immediate detection by casual monitoring.

ChaosBot itself ships with hard-coded Discord bot tokens and relies on standard Rust web libraries for its network traffic. After connecting to Discord, it listens in a channel named after the victim machine for operator instructions. This architecture lets attackers run commands remotely and receive results over a mainstream chat service instead of using obvious command servers or custom networking.

The backdoor can run shell or PowerShell commands and return their output, download and run files on the victim, upload files from the victim for data theft, and capture screenshots. In addition, researchers saw the malware download and use a reverse-proxy tool to open an encrypted tunnel back to the attacker infrastructure. The operators also tested using Visual Studio Code’s tunnel feature as an additional remote access route.

Delivery was observed in two main forms: credential abuse for direct lateral deployment, and phishing that uses malicious Windows shortcut files (LNK). In the phishing cases, opening the shortcut ran a PowerShell downloader that fetched the backdoor while showing the victim a decoy PDF or document to distract them. That mix of credential compromise and social engineering helps the attackers succeed in different environments.

Some versions include evasion measures to make analysis harder. The malware can patch Event Tracing for Windows (ETW) so that monitoring tools relying on it no longer see its activity, and it checks MAC address prefixes to avoid running inside common virtual machine environments used by analysts. These checks let the malware exit or behave differently if it detects analysis tooling, which slows down defenders’ ability to study it.

Given these facts, I recommend practical steps: enforce multi-factor authentication on VPNs and remote access, remove excessive privileges from service and admin accounts, monitor for unusual WMI activity and for DLLs being loaded from public or otherwise unexpected folders, and look for unexpected outbound connections to Discord that carry bot tokens, as well as for unusual network tunnels. Keep systems patched, audit privileged accounts regularly, and revoke credentials quickly when compromise is suspected. If you want, I can put the technical indicators into a short alert or one-page notice you can share with your team.
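As an added example (not code from the original post or from the ChaosBot analysis), here is detection logic for two of the signals above: a DLL loaded by a trusted process from a public, user-writable folder, as in the msedge_elf.dll sideloading, and outbound Discord API requests authenticated with a bot token. The Sysmon-style events, proxy log lines, helper binary name and folder list are constructed for illustration.

```python
"""Constructed detection example for ChaosBot-style signals (not from the post)."""
import re
from typing import Iterable

# User-writable folders a legitimate helper binary has no reason to load DLLs
# from. Illustrative list; extend it for your environment.
WRITABLE_DIRS = ("c:\\users\\public\\", "c:\\programdata\\", "\\appdata\\local\\temp\\")

# Discord bot REST calls authenticate with "Authorization: Bot <token>"; a
# browser or desktop-client session from a workstation never uses that scheme.
DISCORD_BOT_RE = re.compile(
    r"host=(?:[\w-]+\.)*discord(?:app)?\.com\b.*\bauthorization=\"?Bot\s+\S+", re.I)


def suspicious_image_loads(events: Iterable[dict]) -> list[str]:
    """Return 'process -> dll' strings for DLLs loaded from writable folders.
    Each event mimics a Sysmon Event ID 7 (ImageLoad) record as a dict."""
    hits = []
    for ev in events:
        dll = ev.get("ImageLoaded", "")
        low = dll.lower()
        if low.endswith(".dll") and any(d in low for d in WRITABLE_DIRS):
            hits.append(f"{ev.get('Image', '?')} -> {dll}")
    return hits


def discord_bot_traffic(log_lines: Iterable[str]) -> list[str]:
    """Return source hosts whose proxy log lines show bot-token Discord API use."""
    return sorted({m.group(1) for line in log_lines
                   if (m := re.search(r"\bsrc=(\S+)", line)) and DISCORD_BOT_RE.search(line)})


# Constructed sample telemetry; the helper binary name is a placeholder.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\svchost.exe",
     "ImageLoaded": "C:\\Windows\\System32\\ntdll.dll"},
    {"Image": "C:\\Users\\Public\\trusted_helper_placeholder.exe",
     "ImageLoaded": "C:\\Users\\Public\\msedge_elf.dll"},
]
SAMPLE_PROXY_LOG = [
    'src=10.0.0.7 method=GET host=discord.com path=/channels/@me authorization=',
    'src=10.0.0.5 method=POST host=discord.com path=/api/v10/channels/1/messages '
    'authorization="Bot CONSTRUCTED.TOKEN.VALUE"',
    'src=10.0.0.9 method=GET host=example.org path=/ authorization="Bearer x"',
]

if __name__ == "__main__":
    print(suspicious_image_loads(SAMPLE_EVENTS))  # one hit: msedge_elf.dll from Public
    print(discord_bot_traffic(SAMPLE_PROXY_LOG))   # ['10.0.0.5']
```

Both checks are intentionally narrow: ordinary Discord browsing (first proxy line) and system DLL loads produce no hits, so alerts from either function warrant a look at the source host.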

Stay alert, and keep your security measures updated!

Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news