Threat Hunter is bringing attention to a new variant of the remote access Trojan horse (rat) Chaos Rat It has been used in recent attacks targeting Windows and Linux systems.
According to Acronis research findings, malware artifacts may have been distributed by trinking victims to download network troubleshooting utility in Linux environments.
“Chaos Rat is an open source rat written in Golang and provides cross-platform support for both Windows and Linux systems,” security researchers Santiago Pontiroli, Gabor Molnar and Kirill Antonenko said in a report shared with Hacker News.
“Inspired by popular frameworks like Cobalt Strike and Sliver, Chaos Rat offers an admin panel that lets users build payloads, establish sessions and control compromised machines.”
Work on the “Remote Management Tool” began in 2017, but it didn’t attract attention until December 2022, when it was used in malicious campaigns targeting public web applications hosted on Linux Systems using XMRIG Cryptocurrency Miner.
Once the installation is installed, the malware will connect to an external server, launch a reverse shell, upload/download/delete files and deletions, enumerate files and directories, take screenshots, gather system information, lock/restart/shutdown the machine, and wait for commands that can open any URL. The latest version of Chaos Rat is 5.0.3 and was released on May 31, 2024.
Acronis said Linux variants of malware are often detected in the wild, in connection with cryptocurrency mining campaigns. The attack chain observed by the company indicates that chaos lats are distributed to victims via phishing emails containing malicious links or attachments.
These artifacts are designed to allow you to regularly retrieve malware as a way to set up persistence by dropping malicious scripts that can modify the task scheduler “/etc/crontab”.
“Early campaigns used this technique to provide cryptocurrency miners and chaos rats individually, indicating that chaos was primarily adopted for reconnaissance and intelligence gathering on compromised devices,” the researchers said.
An analysis of a recent sample uploaded from India to Virustotal in January 2025 from India named “NetworkAnalyzer.tar.gz” has increased the likelihood that users are being deceived by malware downloads by masquerading as a network troubleshooting in Linux environments.
Furthermore, admin panels that allow users to build payloads to manage infected machines are known to be susceptible to command injection vulnerabilities (CVE-2024-30850, CVSS score: 8.8) that can be combined with cross-site scripting flaws (CVE-2024-31839, CVSS score: 4.8). Both vulnerabilities have since been addressed by Chaos Rat maintainers as of May 2024.
While it is not clear who is behind the use of chaos lats in real-world attacks at present, this development once again shows how threat actors can weaponize open source tools in their advantage and continue to disrupt attribution efforts.
“What starts as a developer’s tool can quickly become a means of selecting threat actors,” the researchers said. “With publicly available malware, APT groups blend into the noise of everyday cybercrime. Open source malware offers a ‘sufficient’ toolkit that can be customized and deployed quickly. When multiple actors use the same open source malware, the water of attribution becomes confusing. ”
This disclosure coincides with the emergence of new campaigns targeting Trust Wallet users on desktops via a bundle of software intended to target Trust Wallet users on desktops, via down-download links, phishing emails, or browser entitlements, extract data from desktop-based wallets, extract from browser extensions, execute instructions, and act as clipper malware.
“When installed, malware can scan wallet files, intercept clipboard data, and monitor browser sessions by capturing seed phrases and private keys,” Point Wild Researcher Kedar S Pandit said in a report published this week.
