Chaos-C++ ransomware variant
Malware Activity
Summary
The Chaos-C++ variant now adds destructive file deletion and clipboard hijacking, increasing ransomware impact and the risk of Bitcoin theft on victim systems. The rewrite makes the malware harder to disrupt during execution and more efficient at processing large volumes of files. It shifts the family beyond encryption alone by combining data loss with covert financial redirection. The new behavior broadens the threat posed by Chaos ransomware.
Related Happenings
Kraken ransomware benchmarking full-or-partial encryption
Malware Activity
First: 14.11.2025 00:53
Last: 14.11.2025 00:53
Sources 1
About this happening:
**Kraken ransomware** is a **Russian-speaking** operation linked to the **HelloKitty cartel** that has been observed in **August 2025** using **SMB abuse**, **Cloudflare** persist...
Kraken ransomware HelloKitty-linked double-extortion campaign
Campaign
First: 14.11.2025 00:53
Last: 14.11.2025 00:53
Sources 1
About this happening:
**Kraken ransomware** is an active **double-extortion** campaign linked to the **HelloKitty** ecosystem and observed in **August 2025** using **SMB exploitation**, **Cloudflare**...
Velociraptor DFIR abuse for ransomware persistence
Malware Activity
First: 09.10.2025 22:31
Last: 09.10.2025 22:31
Sources 1
About this happening:
The **Velociraptor** DFIR tool is being abused in **ransomware attacks** tied to **Storm-2603** (aka **CL-CRI-1040**/**Gold Salem**), with **ToolShell** used for initial access to...
Storm-2603 Velociraptor-abuse ransomware campaign
Campaign
First: 09.10.2025 22:31
Last: 09.10.2025 22:31
Sources 1
About this happening:
The **Storm-2603** campaign abuses **Velociraptor** as an intrusion enabler during **ransomware attacks**, using an outdated **Velociraptor 0.73.4.0** instance vulnerable to **CVE...
Timeline
- 09.10.2025 12:44 · 2 articles
FortiGuard Labs identifies Chaos-C++ ransomware variant
Initial Disclosure
FortiGuard Labs identified a new C++ variant of Chaos ransomware that adds destructive file handling and clipboard hijacking for cryptocurrency theft. Chaos-C++ uses size-based encryption behavior that deletes the contents of very large files instead of encrypting them, and it replaces copied Bitcoin addresses with a hardcoded attacker-controlled Bech32 Bitcoin wallet via the Windows Clipboard API. FortiGuard Labs and Fortinet also published detection coverage for Chaos samples and IoCs for defenders.
Sources:
- Chaos Ransomware Upgrades with Aggressive New C++ Variant — www.darkreading.com — 09.10.2025 12:44