Discord knows no rest and begins to distribute a new trojan through direct messages

Cybersecurity researchers have reported on a new Rust-based Trojan called ChaosBot, initially detected in September 2025 in a financial services environment. This malware allows operators to execute remote commands on compromised systems and has been observed interacting through Discord profiles. Users associated with this activity are ‘chaos_00019’ and ‘lovebb0024’.

Never open files from unknown profiles or suspicious messages

ChaosBot is predominantly distributed through phishing messages that include a malicious Windows shortcut. When a user opens the file, a PowerShell command is executed that downloads the malware. This disguises itself as a malicious DLL file and seeks to establish a persistent access tunnel to the compromised network through a reverse proxy. During its operation, the malware can receive additional instructions through the Discord channel set up by the attackers, enhancing its command and control capabilities.

In addition, a variant of ransomware associated with Chaos has been identified that is distinguished by deleting files instead of encrypting them. This variant also employs techniques to manipulate the clipboard, with the aim of redirecting cryptocurrency transfers, thereby increasing its danger and complexity. This dual approach of destructive extortion and financial theft reflects a shift towards more aggressive and multifaceted tactics by malicious actors.

ChaosBot has proven to be difficult to detect, using techniques to evade tracking on Windows systems, such as modifying functions and checking MAC addresses associated with virtual machines. Analysts warn that this malware not only poses a direct threat to the security of systems but also to the finances of users, affecting cryptocurrency platforms.

Discord DOWNLOAD