Verticals Targeted: Not specified
Regions Targeted: Not specified
Related Families: None identified
Executive Summary
New variants of Chaos RAT, an open-source remote administration tool (RAT) first observed in 2022, have been identified. The new variants target both Windows and Linux systems through sophisticated phishing campaigns. This evolving malware deploys cryptominers, steals sensitive data, and establishes persistent control over infected devices.
Key Takeaways
- Chaos RAT has evolved from an open-source tool into a versatile malware targeting Windows and Linux platforms.
- The malware spreads via phishing emails with malicious PDFs that initiate a multi-stage infection chain.
- It employs advanced obfuscation and anti-analysis techniques to evade detection.
- Capabilities include cryptocurrency mining, data theft, and full device control, posing significant risks to affected systems.
What is Chaos RAT?
The Acronis Threat Research Unit has uncovered new variants of Chaos RAT, a remote administration tool (RAT) that has transitioned from an open-source project into a formidable malware threat. Initially documented in 2022, Chaos RAT has evolved significantly, with recent campaigns targeting both Windows and Linux systems. Written primarily in C++, the malware leverages a sophisticated infection chain to compromise systems, steal data, and deploy unauthorized cryptocurrency miners, posing a substantial risk to organizations and individuals alike.
Chaos RAT spreads primarily via phishing emails containing malicious PDF attachments. These PDFs exploit user interaction by prompting victims to click embedded links, which initiate the download of malicious payloads. On Windows systems, the infection begins with a JavaScript file that fetches a ZIP archive containing a BAT script. This script executes a series of commands to download and run the final Chaos RAT payload, establishing persistence through scheduled tasks and registry modifications. On Linux, the malware masquerades as a legitimate network diagnostic tool, such as "NetworkCheck," to deceive users. It employs shell scripts to retrieve and execute the RAT, often using obfuscated URLs and encrypted payloads to bypass security controls.
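The Windows chain described above (a script host running a .js file, a cmd.exe child running a .bat, then persistence through a scheduled task or a Run-key registry write) can be correlated in process-creation telemetry. The following is an added detection example, not code from the report or from Chaos RAT itself; the events, file names, task names and registry paths are constructed samples, and the Sysmon-style field layout is an assumption.

```python
"""Flag schtasks/reg persistence whose process ancestry matches the
.js -> cmd.exe .bat chain. All events here are constructed sample data."""
import re
from typing import Dict, List

# Constructed Sysmon-style process-creation events (pid, ppid, image, cmdline).
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "wscript.exe",  "cmdline": 'wscript.exe "C:\\Users\\u\\Downloads\\invoice.js"'},
    {"pid": 300, "ppid": 200, "image": "cmd.exe",      "cmdline": 'cmd.exe /c "C:\\Users\\u\\AppData\\Local\\Temp\\setup.bat"'},
    {"pid": 400, "ppid": 300, "image": "schtasks.exe", "cmdline": "schtasks.exe /create /sc onlogon /tn Updater /tr C:\\Users\\u\\svc.exe"},
    {"pid": 401, "ppid": 300, "image": "reg.exe",      "cmdline": "reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v Updater /d C:\\Users\\u\\svc.exe"},
    # Benign control: an operator creating a task from an interactive shell, no script-host ancestor.
    {"pid": 500, "ppid": 100, "image": "cmd.exe",      "cmdline": "cmd.exe"},
    {"pid": 501, "ppid": 500, "image": "schtasks.exe", "cmdline": "schtasks.exe /create /sc daily /tn Backup /tr C:\\backup.bat"},
]

# Persistence primitives named in the report: scheduled task creation and Run-key writes.
PERSIST = {
    "schtasks.exe": re.compile(r"\s/create\b", re.I),
    "reg.exe": re.compile(r"\badd\b.*\\CurrentVersion\\Run\b", re.I),
}

def ancestors(ev: Dict, by_pid: Dict[int, Dict]):
    """Yield parent, grandparent, ... until the chain leaves the event set."""
    cur = by_pid.get(ev["ppid"])
    while cur is not None:
        yield cur
        cur = by_pid.get(cur["ppid"])

def find_chain(events: List[Dict]) -> List[Dict]:
    """Return persistence events whose ancestry contains a .bat under cmd.exe
    that itself descends from a script host running a .js file."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for ev in events:
        pat = PERSIST.get(ev["image"].lower())
        if not pat or not pat.search(ev["cmdline"]):
            continue
        chain = list(ancestors(ev, by_pid))
        bat = any(a["image"].lower() == "cmd.exe" and ".bat" in a["cmdline"].lower() for a in chain)
        js = any(a["image"].lower() in ("wscript.exe", "cscript.exe") and ".js" in a["cmdline"].lower() for a in chain)
        if bat and js:
            hits.append({"pid": ev["pid"], "image": ev["image"], "cmdline": ev["cmdline"]})
    return hits

if __name__ == "__main__":
    for h in find_chain(EVENTS):
        print("suspicious persistence:", h)
```

The ancestry requirement is what keeps the benign task creation (pid 501) out of the results while both persistence events under the .bat (pids 400 and 401) are flagged.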
The technical sophistication of Chaos RAT is evident in its multi-stage delivery and anti-analysis techniques. The malware uses complex obfuscation, including encoded strings and dynamic API resolution, to hinder reverse engineering. It also implements checks to detect virtualized environments and sandboxes, ensuring it only executes in favorable conditions. Once deployed, Chaos RAT grants attackers extensive control over infected systems. Capabilities include keylogging, screen capture, file exfiltration, and remote command execution. Additionally, it deploys cryptocurrency mining modules, leveraging system resources to generate illicit profits while degrading performance.
While targeted verticals or geographic regions were not specified, the dual-platform targeting of Windows and Linux suggests a broad attack surface, potentially affecting diverse industries. Its open-source origins have facilitated rapid iteration by threat actors, who have enhanced its feature set and evasion tactics since its inception. PolySwarm analysts consider Chaos RAT to be an evolving threat.
IOCs
PolySwarm has multiple samples of Chaos RAT. You can use the following CLI command to search for all Chaos RAT samples in our portal:
$ polyswarm link list -f ChaosRAT