Rust-Engineered ChaosBot Leverages Discord for Covert Command & Control
🎙️ Paranoid Newscast
A new strain of Rust-based malware, dubbed ChaosBot, has been uncovered exploiting the Discord platform for its Command and Control (C2) operations. Unlike typical botnets, ChaosBot hides its malicious activity inside legitimate Discord traffic, creating covert communication channels between infected hosts and attackers. The malware’s advanced evasion capabilities and use of trusted services make it a significant challenge for defenders.
Discord-Driven Attack Chain and Capabilities
ChaosBot operates by validating its access through the Discord Bot API, then automatically creating a private text channel named after the infected host’s computer. This channel acts as a hidden interactive shell where attackers issue commands such as shell, download, and scr (screenshot). The compromised machine responds directly by uploading command outputs and exfiltrated data as attachments to the same Discord channel, blending seamlessly with expected encrypted traffic flows.
The initial infection occurs through two primary methods. In one scenario, attackers used compromised VPN and Active Directory credentials to remotely deploy the payload via Windows Management Instrumentation (WMI). The malware, disguised as msedge_elf.dll, is loaded through a side-loading technique using the legitimate identity_helper.exe binary. An alternative infiltration vector comes in the form of malicious shortcut (.lnk) phishing emails masquerading as official correspondence from the State Bank of Vietnam. The embedded shortcut runs a PowerShell script that downloads both a decoy PDF document and the ChaosBot payload, using the fake document to distract victims and conceal the infection.
Stealth, Persistence, and Cloud Misuse
ChaosBot showcases robust anti-analysis mechanisms, including patching the Windows EtwEventWrite function to disable event tracing and checking MAC address prefixes to detect virtualized environments. This allows it to evade common sandboxing and endpoint detection tools. Once established, the backdoor employs Discord as its C2 medium using the reqwest or serenity library for API interaction. It further deploys the Fast Reverse Proxy (FRP) tool disguised as node.exe to communicate with attacker-controlled infrastructure hosted on AWS in Hong Kong. Operators also experimented with Microsoft’s Visual Studio Code Tunnels for remote persistence, indicating their active pivot to legitimate cloud frameworks for stealthy remote access.
Security researchers from eSentire warn that ChaosBot’s layered abuse of trusted platforms exemplifies a growing trend among Rust-based malware families. Organizations are advised to enforce MFA, limit WMI usage, monitor Discord API traffic, and strengthen endpoint detection for in-memory tampering.
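As an added illustration (not code from the eSentire report or this article), the following Python hunting rules turn the behaviours described above into checks over constructed Sysmon-style events: Edge side-loading of msedge_elf.dll outside the Edge install directory, WMI-spawned processes, node.exe running from a user-writable path, VS Code Tunnel start-up, and Discord API connections from a process that is not a browser or the Discord client. The telemetry format, paths and parent-process heuristics are assumptions about typical endpoint logging, not indicators taken from the report.

```python
import re

# Constructed Sysmon-style telemetry (not real logs): id 1 = process create,
# id 7 = image load, id 3 = network connection. Paths are illustrative only.
EVENTS = [
    {"id": 7, "image": r"C:\Users\bob\AppData\Local\Temp\identity_helper.exe",
     "loaded": r"C:\Users\bob\AppData\Local\Temp\msedge_elf.dll"},
    {"id": 7, "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\identity_helper.exe",
     "loaded": r"C:\Program Files (x86)\Microsoft\Edge\Application\120.0.0.0\msedge_elf.dll"},
    {"id": 1, "image": r"C:\Users\bob\AppData\Local\Temp\identity_helper.exe",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "cmdline": "identity_helper.exe"},
    {"id": 1, "image": r"C:\Users\bob\AppData\Roaming\node.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "node.exe"},
    {"id": 1, "image": r"C:\Program Files\nodejs\node.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "node.exe app.js"},
    {"id": 3, "image": r"C:\Users\bob\AppData\Local\Temp\identity_helper.exe",
     "dest_host": "discord.com"},
    {"id": 3, "image": r"C:\Users\bob\AppData\Local\Discord\Discord.exe",
     "dest_host": "discord.com"},
    {"id": 1, "image": r"C:\Users\bob\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "code.exe tunnel"},
]

EDGE_DIR = re.compile(r"^c:\\program files( \(x86\))?\\microsoft\\edge\\application\\", re.I)
USER_WRITABLE = re.compile(r"^c:\\(users\\[^\\]+\\appdata|windows\\temp|programdata)\\", re.I)
DISCORD_API = re.compile(r"(^|\.)discord(app)?\.com$", re.I)
EXPECTED_DISCORD_CLIENTS = {"discord.exe", "msedge.exe", "chrome.exe", "firefox.exe"}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def evaluate(ev):
    """Return the names of the hunting rules that fire for a single event."""
    hits, img = [], basename(ev.get("image", ""))
    if ev["id"] == 7 and img == "identity_helper.exe" and \
            basename(ev.get("loaded", "")) == "msedge_elf.dll" and not EDGE_DIR.match(ev["loaded"]):
        hits.append("edge_sideload_outside_install_dir")   # msedge_elf.dll loaded from a non-Edge path
    if ev["id"] == 1 and basename(ev.get("parent", "")) == "wmiprvse.exe":
        hits.append("wmi_spawned_process")                  # remote deployment via WMI
    if ev["id"] == 1 and img == "node.exe" and USER_WRITABLE.match(ev["image"]):
        hits.append("node_exe_in_user_writable_path")       # FRP masquerading as node.exe
    if ev["id"] == 1 and img == "code.exe" and " tunnel" in ev.get("cmdline", "").lower():
        hits.append("vscode_tunnel_started")                # VS Code Tunnel used for remote access
    if ev["id"] == 3 and DISCORD_API.search(ev.get("dest_host", "")) and img not in EXPECTED_DISCORD_CLIENTS:
        hits.append("discord_api_from_unexpected_process")  # C2 over the Discord API
    return hits

def hunt(events):
    """Run every rule over every event; returns (image basename, rule) pairs."""
    return [(basename(ev["image"]), rule) for ev in events for rule in evaluate(ev)]
```

Legitimate Edge and Node.js installs, and the real Discord client, produce no hits in the sample, so the rules are usable as a starting baseline before tuning against your own telemetry.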