

Astaroth Banking Trojan Exploits GitHub to Stay Active After Takedowns – Active IOCs
October 14, 2025
Multiple WordPress Plugins Vulnerabilities
October 15, 2025
Severity
High
Analysis Summary
ChaosBot is a modern, Rust-based backdoor that emerged in late September 2025 and blends polished development with weaponized use of legitimate services. Initial access was achieved through a combination of compromised CiscoVPN credentials and an over-privileged Active Directory service account (noted as “serviceaccount”), allowing attackers to execute WMI commands and drop the ChaosBot payload (msedge_elf.dll) across hosts. The group abused side-loading by placing a malicious DLL alongside the legitimate Microsoft Edge component identity_helper.exe in C:\Users\Public\Libraries, making detection harder by masquerading as a trusted binary.
According to the researcher, after gaining a foothold the malware establishes resilient, stealthy connectivity and reconnaissance channels. ChaosBot downloads and runs a fast reverse proxy (frp) binary (as node.exe with its node.ini configuration) dropped to C:\Users\Public\Music and invoked via PowerShell to open a hidden tunnel (observed communicating with an AWS host over port 7000). This reverse proxy both maintains persistent access and bypasses perimeter controls to support broad lateral movement driven by WMI and remote execution.
For command-and-control the operators repurpose mainstream services: ChaosBot validates an embedded Discord bot token (GET https://discord.com/api/v10/users/@me), creates a channel named after the victim hostname (POST https://discord.com/api/v10/guilds/<GUILD_ID>/channels), and receives commands and sends results back over Discord. Commands are launched in new PowerShell processes (prefixed with a UTF-8 encoding directive to preserve output), and results (stdout/stderr, screenshots, and files) are uploaded using multipart/form-data POSTs. Analysts observed the actor operating through a Discord identity “chaos_00019”, indicating deliberate use of popular platforms to hide C2 traffic among benign service use.

The infection lifecycle also leverages social engineering: phishing emails delivered malicious .lnk shortcuts that run PowerShell one-liners to fetch dropper.exe and launch chaosbot.exe while opening a decoy State Bank of Vietnam PDF to distract victims. Together with asset masquerading (using built-in Windows binaries), robust encoding practices, and a dual-vector strategy (credential abuse + malicious shortcuts), ChaosBot presents a highly evasive, enterprise-grade threat focused on Vietnamese-language environments but tested for lateral movement across varied targets, making detection and remediation particularly challenging.
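The behaviours above (identity_helper.exe side-loaded from C:\Users\Public\Libraries, the frp proxy as node.exe/node.ini under C:\Users\Public\Music, PowerShell launching the tunnel on port 7000, and Discord API traffic from a binary in a public directory) translate directly into hunting rules. The script below is an added example, not code from the advisory or the researcher: it runs those rules, plus a match against the SHA-256 IOCs listed on this page, over a handful of constructed Sysmon-style events. The pipe-separated `key=value` log format and the field names (Image, CommandLine, DestinationPort, DestinationHostname, Hashes) are assumptions for this example; adapt them to your telemetry.

```python
"""Added example (not from the original advisory): hunt constructed
Sysmon-style process and network events for the ChaosBot behaviours
described in the analysis summary and for its listed SHA-256 IOCs."""
import re

# Drop directories and port taken from the advisory, lower-cased for matching.
SIDELOAD_DIR = r"c:\users\public\libraries"
FRP_DIR = r"c:\users\public\music"
PUBLIC_DIR = "c:\\users\\public\\"
FRP_PORT = "7000"
DISCORD_HOST = "discord.com"
# SHA-256 IOCs from the advisory's indicator list.
KNOWN_SHA256 = {
    "a118b24f3b299c7f94f8e2833e98afd19d638b5aa4008e9de1e9667fe9b2b8c6",
    "6903c1d509c843a53e03bb04d09b35d144bce527d7e6361f241cc00161c7c837",
    "e6faa8dfcac72b506105d43ca037d599fbe4df531730553689492f153677537f",
}

# Constructed events (assumed 'Key=Value|Key=Value' format; 203.0.113.10 is
# a documentation address, and the 1111.../2222... hashes are placeholders).
SAMPLE_EVENTS = [
    r"EventType=ProcessCreate|Image=C:\Users\Public\Libraries\identity_helper.exe|CommandLine=identity_helper.exe|Hashes=SHA256=a118b24f3b299c7f94f8e2833e98afd19d638b5aa4008e9de1e9667fe9b2b8c6",
    r"EventType=ProcessCreate|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell -w hidden C:\Users\Public\Music\node.exe -c C:\Users\Public\Music\node.ini|Hashes=SHA256=1111111111111111111111111111111111111111111111111111111111111111",
    r"EventType=NetworkConnect|Image=C:\Users\Public\Music\node.exe|DestinationIp=203.0.113.10|DestinationPort=7000",
    r"EventType=NetworkConnect|Image=C:\Users\Public\Libraries\identity_helper.exe|DestinationHostname=discord.com|DestinationPort=443",
    r"EventType=ProcessCreate|Image=C:\Program Files (x86)\Microsoft\Edge\Application\identity_helper.exe|CommandLine=identity_helper.exe|Hashes=SHA256=2222222222222222222222222222222222222222222222222222222222222222",
    r"EventType=NetworkConnect|Image=C:\Program Files\Mozilla Firefox\firefox.exe|DestinationHostname=discord.com|DestinationPort=443",
]


def parse_event(line):
    """Split one log line into lower-cased key -> value fields (first '=' only)."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip().lower()] = value.strip()
    return fields


def sha256_of(ev):
    """Extract the SHA-256 from a Sysmon-style 'Hashes=SHA256=<hex>' value."""
    m = re.search(r"sha256=([0-9a-f]{64})", ev.get("hashes", "").lower())
    return m.group(1) if m else None


def classify(ev):
    """Return the detection names this event triggers (empty list if benign)."""
    hits = []
    image = ev.get("image", "").lower()
    cmd = ev.get("commandline", "").lower()
    port = ev.get("destinationport", "")
    host = ev.get("destinationhostname", "").lower()

    # The real Edge helper lives under Program Files, not a public user dir.
    if image.startswith(SIDELOAD_DIR) and image.endswith(r"\identity_helper.exe"):
        hits.append("edge_sideload_public_libraries")
    # frp dropped as node.exe in C:\Users\Public\Music.
    if image.startswith(FRP_DIR) and image.endswith(r"\node.exe"):
        hits.append("frp_binary_public_music")
    # PowerShell used to start the proxy from the drop directory.
    if "powershell" in image and "node.exe" in cmd and FRP_DIR in cmd:
        hits.append("powershell_launches_frp")
    # Hidden tunnel: the drop-dir binary talking on port 7000.
    if port == FRP_PORT and image.startswith(FRP_DIR):
        hits.append("frp_tunnel_port_7000")
    # Discord API reached from a binary in a public directory is likely C2.
    if host.endswith(DISCORD_HOST) and image.startswith(PUBLIC_DIR):
        hits.append("discord_c2_from_public_dir")
    if sha256_of(ev) in KNOWN_SHA256:
        hits.append("known_sha256_ioc")
    return hits


def hunt(lines):
    """Return [(line_number, hits)] for every event that triggers at least one rule."""
    findings = []
    for n, line in enumerate(lines, 1):
        hits = classify(parse_event(line))
        if hits:
            findings.append((n, hits))
    return findings


if __name__ == "__main__":
    for n, hits in hunt(SAMPLE_EVENTS):
        print(f"event {n}: {', '.join(hits)}")
```

Only the first four constructed events fire; the genuine identity_helper.exe under Program Files and a browser reaching discord.com stay silent, which is the point of keying the Discord rule on the originating path rather than on the destination alone. Hash matching is the weakest rule here, since a rebuilt payload changes it; the path, port and launch-chain rules survive that.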
Impact
- Gain Access
Indicators of Compromise
Domain Name
- transferai-all.s3.dualstack.ap-southeast-1.amazonaws.com
- erspce-all.s3.dualstack.ap-southeast-1.amazonaws.com
MD5
- 8ce241f53875064b81f6462f0f6c2741
- e4a9dc649458aff7f68af6f847071683
- 8b52e7bee4b9c9cacb0442d836ce5469
SHA-256
- a118b24f3b299c7f94f8e2833e98afd19d638b5aa4008e9de1e9667fe9b2b8c6
- 6903c1d509c843a53e03bb04d09b35d144bce527d7e6361f241cc00161c7c837
- e6faa8dfcac72b506105d43ca037d599fbe4df531730553689492f153677537f
SHA-1
- ef4fc056cedb742ead67baeeeee9531be50b3b97
- 317725b59618739899de3d5f0d37c94f45a3488d
- c9a5f19666d55198a778b6f7a8051d7ac9a690b1
URL
- https://transferai-all.s3.dualstack.ap-southeast-1.amazonaws.com/app/index/code.exe
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment using your respective security controls.
- Revoke and rotate all CiscoVPN and AD credentials, including the over-privileged “serviceaccount.”
- Terminate all active VPN sessions and disable any suspicious or compromised accounts.
- Isolate infected systems from the network to stop lateral movement and further compromise.
- Locate and delete malicious files such as node.exe, node.ini, msedge_elf.dll, and any unauthorized identity_helper.exe instances.
- Stop suspicious processes using PowerShell, WMI, or running on port 7000, and remove related scheduled tasks.
- Identify and delete all malicious .lnk shortcut files used for phishing-based execution.