
Chaos Ransomware Evolves with C++ and Rust-Based Variants

2 unique sources, 2 articles

Summary


The Chaos ransomware operation has evolved with two new components: a C++ variant of the ransomware and a Rust-based backdoor named ChaosBot. The C++ variant adds aggressive tactics, including destructive file deletion and clipboard hijacking for cryptocurrency theft. It waits 15 seconds after execution to evade sandbox analysis and then enumerates user directories. It selects files for encryption by size, skipping some sizes to reduce detection and deleting very large files outright to cause irreversible data loss. Its clipboard hijacking replaces Bitcoin addresses copied by the victim with the attacker's wallet, so the variant profits both from destructive encryption and from covert payment diversion. ChaosBot, detected in late September 2025, uses Discord for command-and-control and employs evasion techniques against Event Tracing for Windows (ETW) and virtual machines. The ransomware-as-a-service operation specializes in big-game hunting and double-extortion attacks. FortiGuard Labs has published a technical analysis and indicators of compromise (IoCs) for the new variant.
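The clipboard hijacking described above leaves a cheap behavioural signal on the host: a valid Bitcoin address sitting on the clipboard is replaced by a different valid address faster than a person could copy one. The Python below is an added example, not code from FortiGuard Labs or from the page's sources, of that check run over a constructed sequence of clipboard snapshots. It validates legacy addresses with a full Base58Check decode (double-SHA256 checksum) and accepts bech32 addresses by character set and length only. The event format, the one-second threshold and the sample addresses are assumptions; the addresses are public, well-known example values, not wallets tied to this campaign.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Base58 alphabet used by Bitcoin (no 0, O, I, l).
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Shape-only check for bech32/bech32m addresses (bc1q..., bc1p...); the bech32
# checksum is not verified here, so this arm accepts well-formed but wrong strings.
BECH32_RE = re.compile(r"^bc1[02-9ac-hj-np-z]{39,59}$")


def base58check_decode(addr: str) -> Optional[bytes]:
    """Decode a legacy (P2PKH/P2SH) address and verify its double-SHA256 checksum.

    Returns the 21-byte version+hash160 payload, or None if the string is not a
    well-formed Base58Check address.
    """
    n = 0
    for ch in addr:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            return None
        n = n * 58 + idx
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    # Each leading '1' encodes a leading 0x00 byte that the integer form drops.
    leading_ones = len(addr) - len(addr.lstrip("1"))
    raw = b"\x00" * leading_ones + raw
    if len(raw) != 25:
        return None
    payload, checksum = raw[:-4], raw[-4:]
    if hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] != checksum:
        return None
    return payload


def is_btc_address(text: str) -> bool:
    """True for a syntactically valid mainnet Bitcoin address."""
    text = text.strip()
    if not text:
        return False
    if text.lower().startswith("bc1"):
        return BECH32_RE.match(text.lower()) is not None
    if text[0] in "13":
        return base58check_decode(text) is not None
    return False


@dataclass
class ClipboardEvent:
    t: float   # seconds since the monitor started (assumed poller clock)
    text: str  # clipboard contents at that instant


def detect_clipboard_swaps(events: List[ClipboardEvent],
                           max_gap_s: float = 1.0) -> List[Tuple[float, str, str]]:
    """Flag (time, original_address, replacement_address) whenever one valid
    address is replaced by a different valid address within max_gap_s.

    A person copying a second address takes seconds; a clipboard hijacker
    rewrites the buffer within milliseconds of the victim's copy.
    """
    alerts: List[Tuple[float, str, str]] = []
    prev: Optional[ClipboardEvent] = None
    for ev in events:
        cur = ev.text.strip()
        if prev is not None:
            old = prev.text.strip()
            if (old != cur and ev.t - prev.t <= max_gap_s
                    and is_btc_address(old) and is_btc_address(cur)):
                alerts.append((ev.t, old, cur))
        prev = ev
    return alerts


# Constructed clipboard history (assumption: sampled roughly every 100 ms). The
# addresses are public, well-known examples, not wallets tied to this campaign.
SAMPLE_EVENTS = [
    ClipboardEvent(0.0, "invoice #4471"),
    ClipboardEvent(5.2, "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"),   # victim copies payee address
    ClipboardEvent(5.3, "16UwLL9Risc3QfPqBUvKofHmBQ7wMtjvM"),    # rewritten 100 ms later
    ClipboardEvent(20.0, "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"),
    ClipboardEvent(24.0, "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"),  # 4 s later: a human re-copy
    ClipboardEvent(30.0, "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb"),  # bad checksum, ignored
]

if __name__ == "__main__":
    for t, old, new in detect_clipboard_swaps(SAMPLE_EVENTS):
        print(f"t={t:.1f}s clipboard address swapped: {old} -> {new}")
```

On a live host the snapshots would come from a clipboard poller (for example a Windows service reading the clipboard on a timer). The threshold needs tuning per environment, and matching the replacement against the attacker wallet from the published IoCs turns the heuristic into a definite hit; without that list, a swap is an alert to triage, not proof of infection.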

Timeline

  1. 13.10.2025 08:12 · 1 article

    ChaosBot Rust-Based Backdoor Uses Discord for Command-and-Control

    ChaosBot, a new Rust-based backdoor, was first detected in late September 2025 within a financial services customer's environment. It uses Discord for command-and-control and leverages compromised credentials and WMI to execute remote commands on other systems in the network. ChaosBot is distributed through phishing messages containing malicious Windows shortcut (LNK) files and employs evasion techniques that bypass Event Tracing for Windows (ETW) and detect virtual machines.

  2. 09.10.2025 12:44 · 2 articles

    New C++ Variant of Chaos Ransomware Introduces Aggressive Tactics

    The new C++ variant introduces aggressive tactics, including destructive file deletion and clipboard hijacking for cryptocurrency theft. Its downloader poses as a bogus utility such as "System Optimizer v2.1" to trick users into installing it. After execution the ransomware waits 15 seconds to evade sandbox analysis and then enumerates user directories. Before launching encryption it checks for a file named "%APPDATA%\READ_IT.txt" to avoid re-running on an already infected host and inhibits system recovery. It selects files for encryption by size, skipping some sizes to reduce detection and deleting very large files outright to cause irreversible data loss. Files are encrypted with symmetric or asymmetric encryption, with a fallback XOR routine. The clipboard hijacking feature watches for Bitcoin addresses on the clipboard and swaps in the attacker's wallet, redirecting the victim's payments.

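Two of the ChaosBot behaviours in the timeline above are visible in ordinary endpoint telemetry: command interpreters spawned by the WMI provider host (WmiPrvSE.exe) on behalf of a remote caller, and Discord traffic from a process that is neither the Discord client nor a browser. The Python below is an added example, not detection logic from FortiGuard Labs or the page's sources, of both checks run over constructed Sysmon-style JSON lines and then correlated by account across hosts to surface the credential-plus-WMI lateral movement the entry describes. The field names, the allowlist of Discord-speaking images, the hostnames, users and paths are assumptions chosen for the sample.

```python
import json
from collections import defaultdict
from typing import Dict, Iterable, List

# Discord endpoints a Discord-based C2 channel needs (REST API, gateway, CDN).
DISCORD_DOMAINS = ("discord.com", "discordapp.com", "discord.gg")
# Images expected to talk to Discord legitimately; tune to the estate (assumption).
DISCORD_ALLOWLIST = {"discord.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
# Interpreters a remote WMI call typically spawns to run an operator's command.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "rundll32.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_domains(host: str, suffixes: Iterable[str]) -> bool:
    """True if host equals or is a subdomain of any suffix (no substring matches)."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def hunt(lines: Iterable[str]) -> List[Dict]:
    """Apply both rules to JSON telemetry lines and return the findings in order."""
    findings: List[Dict] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev["event"] == "process":
            # Rule 1: shell spawned by the WMI provider host = remote WMI execution.
            if basename(ev["parent"]) == "wmiprvse.exe" and basename(ev["image"]) in SHELLS:
                findings.append({"rule": "wmi_remote_exec", "host": ev["host"],
                                 "pid": ev["pid"], "user": ev["user"],
                                 "cmdline": ev["cmdline"]})
        elif ev["event"] == "network":
            # Rule 2: Discord traffic from anything other than the client or a browser.
            if in_domains(ev["dest"], DISCORD_DOMAINS) and basename(ev["image"]) not in DISCORD_ALLOWLIST:
                findings.append({"rule": "discord_c2_candidate", "host": ev["host"],
                                 "pid": ev["pid"], "image": ev["image"], "dest": ev["dest"]})
    return findings


def wmi_spread(findings: List[Dict]) -> Dict[str, List[str]]:
    """Accounts whose WMI-spawned shells appear on two or more hosts: the
    compromised-credentials-plus-WMI lateral movement pattern."""
    hosts = defaultdict(set)
    for f in findings:
        if f["rule"] == "wmi_remote_exec":
            hosts[f["user"]].add(f["host"])
    return {user: sorted(h) for user, h in hosts.items() if len(h) >= 2}


# Constructed telemetry (assumption: Sysmon-like events flattened to JSON lines).
SAMPLE_LOG = r"""
{"event":"process","host":"WS-07","pid":4120,"user":"CORP\\svc_backup","parent":"C:\\Windows\\System32\\wbem\\WmiPrvSE.exe","image":"C:\\Windows\\System32\\cmd.exe","cmdline":"cmd.exe /c whoami > C:\\Windows\\Temp\\o.txt"}
{"event":"process","host":"WS-07","pid":3308,"user":"NT AUTHORITY\\SYSTEM","parent":"C:\\Windows\\System32\\services.exe","image":"C:\\Windows\\System32\\svchost.exe","cmdline":"svchost.exe -k netsvcs"}
{"event":"network","host":"WS-07","pid":2210,"image":"C:\\Users\\alice\\AppData\\Local\\Discord\\app-1.0.9\\Discord.exe","dest":"gateway.discord.gg","port":443}
{"event":"network","host":"WS-07","pid":7788,"image":"C:\\Users\\alice\\AppData\\Roaming\\svchost.exe","dest":"discord.com","port":443}
{"event":"network","host":"WS-07","pid":1544,"image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","dest":"cdn.discordapp.com","port":443}
{"event":"process","host":"SRV-02","pid":912,"user":"CORP\\svc_backup","parent":"C:\\Windows\\System32\\wbem\\WmiPrvSE.exe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell.exe -nop -w hidden -c \"Get-Service\""}
"""

if __name__ == "__main__":
    hits = hunt(SAMPLE_LOG.splitlines())
    for h in hits:
        print(h)
    print("accounts running WMI shells on multiple hosts:", wmi_spread(hits))
```

Both rules are noisy on their own: management tooling runs scripts through WMI all day, and cdn.discordapp.com carries plenty of legitimate file and webhook traffic. The useful signal is the combination: one account driving WMI shells across several hosts, with an unsigned binary from a user-writable directory holding a Discord session on the same machines.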


Similar Happenings

Velociraptor DFIR Tool Abused in LockBit and Babuk Ransomware Campaigns

Threat actors assessed to be the China-based group Storm-2603 have begun using the Velociraptor digital forensics and incident response (DFIR) tool in ransomware attacks that deploy LockBit and Babuk. The attackers deployed an outdated Velociraptor release (version 0.73.4.0) that is susceptible to a privilege escalation vulnerability (CVE-2025-6264), enabling arbitrary command execution and endpoint takeover, and used it to gain persistent access to and control over virtual machines. The campaign involved creating local admin accounts, disabling security features, and using fileless PowerShell encryptors for data exfiltration and encryption. The ransomware deployed on Windows systems was identified as LockBit, while a Linux binary detected as Babuk was found on VMware ESXi systems.

Storm-2603 gained initial access with the ToolShell SharePoint exploit, which it used as a zero-day in July 2025, and deployed Warlock, LockBit, and Babuk ransomware on VMware ESXi servers in August 2025. Sophos CTU researchers first documented the group's Velociraptor abuse on August 5, 2025. The group also used Smbexec to launch programs remotely over the SMB protocol and modified Active Directory (AD) Group Policy Objects (GPOs) to disable real-time protection.

Storm-2603 established the infrastructure for its AK47 C2 framework in March 2025 and built the first prototype of the tool the next month. It pivoted from LockBit-only deployment to dual LockBit/Warlock deployment in April 2025. The group has demonstrated operational flexibility and builder expertise using leaked and open-source ransomware frameworks.

MostereRAT Malware Campaign Targets Japanese Windows Users

A new malware campaign using MostereRAT, a banking malware-turned-RAT, targets Japanese Windows users. The malware employs sophisticated evasion techniques, including the use of an obscure programming language and disabling of security tools, to maintain long-term access and control over compromised systems. The campaign begins with phishing emails that lure victims into downloading a malicious Word document. Once installed, MostereRAT deploys multiple modules to achieve persistence, privilege escalation, and remote access. The malware is designed to evade detection and disable various antivirus and endpoint detection and response (EDR) products, making it difficult for defenders to detect and mitigate the threat. The primary goal of MostereRAT is to maintain persistent control over compromised systems, maximize the utility of victim resources, and retain ongoing access to valuable data. The malware uses mutual TLS (mTLS) to secure command-and-control (C2) communications and can monitor foreground window activity associated with Qianniu - Alibaba's Seller Tool. It can also perform Early Bird Injection to inject an EXE into svchost.exe.

Emergence of AI-Powered Ransomware Strain PromptLock

A new AI-powered ransomware strain, named PromptLock, has been identified by ESET researchers Anton Cherepanov and Peter Strycek, who shared their findings on social media 18 hours after detecting samples on VirusTotal. The ransomware leverages an AI model to generate Lua scripts on the fly, which introduces variability in indicators of compromise (IoCs) and complicates detection and defense. PromptLock is not yet active in the wild but is nearly ready for deployment. It can exfiltrate files and encrypt data, with plans to add file destruction capabilities. The samples were uploaded to VirusTotal from the United States; the malware is written in Go and targets Windows, Linux, and macOS systems. It uses the SPECK 128-bit block cipher to lock files and can generate custom ransom notes based on the files affected and the type of infected machine. The Bitcoin address used for ransom payments is linked to Satoshi Nakamoto. The attacker can establish a proxy or tunnel from the compromised network to a server running the Ollama API with the gpt-oss-20b model, which the ransomware queries to generate its scripts. The development of AI-driven ransomware presents new challenges for cybersecurity defenders.

Malware Persistence Techniques and Defense Strategies

Malware persistence techniques allow attackers to maintain access to compromised systems despite reboots or disruptions. These methods include altering configurations, injecting startup code, and hijacking legitimate processes. Defending against these techniques requires a multi-layered approach that includes detection, prevention, and incident response. Wazuh, an open-source security solution, offers several capabilities to defend against malware persistence techniques. These include File Integrity Monitoring (FIM), Security and Configuration Assessment (SCA), log data analysis, and vulnerability detection. The impact of malware persistence techniques includes extended dwell time, remediation evasion, data exfiltration, deployment of additional malware, and compromised regulatory compliance.

UNC5518 Access-as-a-Service Campaign via ClickFix and Fake CAPTCHA Pages

The FileFix social engineering attack, a variant of the ClickFix family, impersonates Meta account suspension warnings to trick users into installing the StealC infostealer. The campaign has evolved over two weeks with different payloads, domains, and lures, indicating an attacker testing and adapting their infrastructure. The FileFix technique, created by red team researcher mr.d0x, uses the File Explorer address bar to execute malicious commands; this campaign uses a multilingual phishing site to coax users into pasting the command there. It employs steganography to hide a second-stage PowerShell script and encrypted executables inside a JPG image, which is believed to be AI-generated, and hosts the malicious components on Bitbucket, abusing a legitimate source code hosting platform to bypass detection. The infection chain is a multi-stage PowerShell script that downloads the image, decodes it into the next-stage payload, and runs a Go-based loader to launch StealC, with junk code and fragmentation used to hinder analysis. StealC targets credentials from various applications, cryptocurrency wallets, and cloud services, and can take screenshots of the active desktop. Because the payload is executed by the victim's web browser, the FileFix attack is more likely to be detected by security products than a conventional ClickFix chain, but the campaign demonstrates significant investment in tradecraft, with carefully engineered phishing infrastructure, payload delivery, and supporting elements to maximize evasion and impact.

The MetaStealer attack, another ClickFix variant, uses a fake Cloudflare Turnstile lure and an MSI package disguised as a PDF to deploy the MetaStealer infostealer. Its multi-stage infection chain includes DLL sideloading through a legitimate SentinelOne executable. MetaStealer targets crypto wallets and other sensitive information, combining social engineering with technical evasion techniques to deploy the malware.

Previously, threat actors tracked as UNC5518 used ClickFix to deploy the CORNFLAKE.V3 backdoor. The campaign relied on fake CAPTCHA pages, reached through compromised search results or malicious ads, to trick users into running a malicious PowerShell command that downloaded and executed CORNFLAKE.V3, providing initial access to systems. This access was then monetized by other threat groups, including UNC5774 and UNC4108, which deployed additional payloads. CORNFLAKE.V3 is an updated version of CORNFLAKE.V2, featuring host persistence and support for additional payload types; it collects system information and transmits it through Cloudflare tunnels to evade detection. The campaign also involved the deployment of WINDYTWIST.SEA, a backdoor that supports lateral movement within infected networks.