Unveiling Advanced Chaos RAT Variants: A Looming Danger

Published On Mon Jun 09 2025

New Variants of Chaos RAT Pose Serious Threat

Security researchers at Acronis Threat Research Unit (TRU) have uncovered new and more advanced versions of Chaos RAT, a formerly legitimate open-source remote administration tool that has now been weaponized by cybercriminals targeting both Windows and Linux systems.

Originally introduced in 2022 as a Golang-based cross-platform management utility on GitHub, Chaos RAT was initially intended for legitimate remote administration purposes. However, its user-friendly interface, versatility, and low detectability quickly caught the attention of malicious actors.

Enhanced Stealth and Persistence

The latest iterations of Chaos RAT, identified in 2025, exhibit significant enhancements such as improved system compatibility, more sophisticated obfuscation techniques, and stealth capabilities that enable it to operate covertly. Despite its lower distribution compared to mainstream malware, Chaos RAT's ability to maintain persistent access and avoid detection makes it an attractive tool for cybercriminals engaged in espionage, data breaches, and ransomware attacks.

Critical Vulnerability Discovered

Researchers have also uncovered a critical vulnerability in Chaos RAT's web-based control panel, allowing threat actors to remotely execute code on servers running the panel. This flaw could potentially enable them to wrest control from other malicious entities. While this vulnerability does not directly harm victims' devices, it highlights concerns regarding the insecure design practices in certain open-source software.

Evolution of Attack Strategies

In a recent incident reported from India to VirusTotal, a compressed file named NetworkAnalyzer.tar.gz was found to carry the Chaos RAT payload. Although the method of delivery to the victim remains unclear, researchers speculate that it was disguised as a Linux network analysis tool, potentially distributed through phishing emails or compromised websites. Earlier attack campaigns relied on techniques such as modifying system files and installing cron jobs to keep the infected host in continual communication with attacker-controlled servers.

This approach enables the malware to receive updates without requiring re-infection of systems, a tactic previously observed in campaigns involving cryptocurrency miners. The latest variant also obscures configuration details, such as IP addresses and ports, by storing them base64-encoded, a departure from earlier versions that stored such information in plain text. This alteration significantly complicates analysis and reverse engineering, underscoring Chaos RAT's transition from a simple open-source utility to a sophisticated cyber threat.
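As an added triage example, not code from Acronis TRU or the Chaos RAT project: a small Python heuristic that surfaces IPv4:port strings hidden as base64 text inside a sample, the kind of encoding the article says the new variant uses for its configuration. The sample blob, its TEST-NET address and the function name are constructed for this example and do not describe any real build's layout.

```python
import base64
import binascii
import re

# Runs of base64 alphabet characters long enough to hold a host:port pair;
# shorter runs would mostly be noise. Threshold chosen for this example.
_B64_RUN = re.compile(rb"[A-Za-z0-9+/]{12,}={0,2}")
# Decoded payloads that look like an IPv4 address followed by a port.
_IP_PORT = re.compile(rb"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")


def extract_base64_endpoints(blob: bytes) -> list[tuple[str, int]]:
    """Return (ip, port) pairs found base64-encoded inside blob.

    Triage heuristic for a sample that stores its C2 address as base64 text
    rather than plaintext; plaintext addresses are deliberately not reported.
    """
    found = []
    for match in _B64_RUN.finditer(blob):
        token = match.group(0)
        # Pad to a multiple of four so unpadded runs still decode.
        token += b"=" * (-len(token) % 4)
        try:
            decoded = base64.b64decode(token, validate=True)
        except (binascii.Error, ValueError):
            continue  # not valid base64 after all
        m = _IP_PORT.match(decoded)
        if not m:
            continue  # decoded fine but is not an endpoint
        octets = [int(x) for x in m.group(1).split(b".")]
        port = int(m.group(2))
        if all(o <= 255 for o in octets) and 0 < port <= 65535:
            found.append((m.group(1).decode(), port))
    return found


# Constructed sample: a fake binary-like blob holding one base64-encoded
# endpoint (TEST-NET-1 address) surrounded by unrelated strings.
SAMPLE = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 8
    + base64.b64encode(b"192.0.2.10:8080")
    + b"\x00/usr/bin/networkanalyzer\x00"
    + base64.b64encode(b"not an endpoint at all")
    + b"\x00"
)

if __name__ == "__main__":
    print(extract_base64_endpoints(SAMPLE))
```

Run it against strings dumped from a suspicious binary to get candidate endpoints worth checking against proxy and firewall logs.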