New Chaos RAT Variants Targeting Windows and Linux Systems to Steal Sensitive Data
The Acronis Threat Research Unit has identified new variants of Chaos RAT, a remote administration tool (RAT) that has evolved from an open-source project first observed in 2022 into a formidable multi-platform malware.
These latest iterations of Chaos RAT are now targeting both Windows and Linux systems, showcasing an alarming level of sophistication through phishing-driven infection chains and advanced evasion techniques.
A Sophisticated Evolution of an Open-Source Threat
Written primarily in C++, this malware is being leveraged by threat actors to deploy cryptominers, steal sensitive data, and establish persistent control over compromised devices, posing a severe risk to organizations and individuals across diverse industries.
Chaos RAT spreads predominantly through phishing campaigns, utilizing malicious PDF attachments embedded in emails to lure unsuspecting users into initiating the infection process.
On Windows systems, clicking embedded links in these PDFs triggers the download of a JavaScript file, which subsequently retrieves a ZIP archive containing a BAT script.
This script executes a sequence of commands to download and deploy the final Chaos RAT payload, ensuring persistence through scheduled tasks and registry modifications.
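As an added defensive example (not code from the article, Acronis or PolySwarm), the following Python correlates constructed process-creation events to flag the JavaScript -> BAT -> scheduled-task/registry sequence described above; the image names, file names and paths are assumed placeholders, not indicators from the report.

```python
# Added example: detect the chain "script host running a .js" -> "cmd.exe running a .bat"
# -> "schtasks.exe or reg.exe" by walking parent/child links in process telemetry.
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # executable name, lower-cased
    cmdline: str   # full command line

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
PERSISTENCE_TOOLS = {"schtasks.exe", "reg.exe"}

def _runs(ev, ext):
    """True if the command line references a file with the given extension."""
    return re.search(r"\.%s\b" % ext, ev.cmdline, re.IGNORECASE) is not None

def find_js_bat_persistence_chains(events):
    """Return (js_pid, bat_pid, persist_pid) triples: a .js script host that is the
    parent of a cmd.exe running a .bat that is the parent of schtasks.exe/reg.exe."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        if ev.image not in PERSISTENCE_TOOLS:
            continue
        bat = by_pid.get(ev.ppid)
        if not bat or bat.image != "cmd.exe" or not _runs(bat, "bat"):
            continue
        js = by_pid.get(bat.ppid)
        if not js or js.image not in SCRIPT_HOSTS or not _runs(js, "js"):
            continue
        hits.append((js.pid, bat.pid, ev.pid))
    return hits

# Constructed telemetry; names and paths are placeholders, not IOCs from the article.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(300, 100, "wscript.exe", r'wscript.exe "C:\Users\u\Downloads\invoice.js"'),
    ProcEvent(400, 300, "cmd.exe", r'cmd.exe /c "C:\Users\u\AppData\Local\Temp\stage\run.bat"'),
    ProcEvent(500, 400, "schtasks.exe", r"schtasks.exe /create /tn Updater /tr C:\Users\u\AppData\Local\svc.exe /sc onlogon"),
    ProcEvent(600, 400, "reg.exe", r"reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /d C:\Users\u\AppData\Local\svc.exe"),
    # Benign: an admin batch file creating a task directly from explorer.exe (no .js parent).
    ProcEvent(800, 100, "cmd.exe", r"cmd.exe /c C:\Tools\backup.bat"),
    ProcEvent(900, 800, "schtasks.exe", r"schtasks.exe /create /tn Backup /tr C:\Tools\backup.exe /sc daily"),
]

if __name__ == "__main__":
    for chain in find_js_bat_persistence_chains(SAMPLE_EVENTS):
        print("suspicious js -> bat -> persistence chain, pids:", chain)
```

The benign batch-driven task at the end is not reported because its cmd.exe has no script-host parent, which is the distinguishing feature of the chain in the article.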
Multi-Stage Infection
On Linux platforms, the malware disguises itself as a legitimate network diagnostic tool, often named “NetworkCheck,” using shell scripts to fetch and execute the RAT from obfuscated URLs with encrypted payloads, evading traditional security controls.
The technical prowess of Chaos RAT is further highlighted by its multi-stage delivery mechanism and robust anti-analysis techniques, including encoded strings, dynamic API resolution, and checks for virtualized environments or sandboxes to prevent detection and reverse engineering.
Once deployed, Chaos RAT grants attackers extensive control over infected systems, enabling capabilities such as keylogging, screen capture, file exfiltration, and remote command execution.
Additionally, it installs cryptocurrency mining modules that exploit system resources for illicit profit, severely impacting device performance.
The dual-platform targeting broadens its attack surface, making it a versatile threat capable of affecting a wide range of environments.
According to a PolySwarm analyst report, the open-source nature of Chaos RAT has fueled rapid iterations by threat actors, who continue to enhance its feature set and evasion tactics, positioning it as an evolving and persistent danger in the cybersecurity landscape.
While specific targeted regions or industries remain undisclosed, the malware’s adaptability underscores the urgent need for robust defense mechanisms and heightened user awareness to mitigate its impact.
Indicators of Compromise (IOCs)
Below is a table of known IOCs associated with Chaos RAT samples provided by PolySwarm for reference in threat detection and mitigation efforts: