ChaosBot – Rust-Based Malware Using Discord for Command and Control

What is ChaosBot?

ChaosBot is a newer piece of malware written in Rust that attackers are starting to use more often. Instead of talking to a shady-looking server, it uses Discord to receive instructions and send data back. Because Discord is a normal, widely used service, ChaosBot’s traffic often blends in with everyday network activity and slips past firewalls and proxies without being blocked.

Rust makes the malware harder to analyze, and Discord gives it a place to hide in plain sight.


How ChaosBot usually gets onto a system

ChaosBot doesn’t rely on exploits most of the time. It usually shows up after a user is tricked into running something they shouldn’t:

  • Fake installers or “cracked” software
  • Malicious scripts sent through email or chat
  • Trojanized tools downloaded from unofficial sites
  • Second-stage payloads dropped after another compromise

Once it runs, it immediately connects out to Discord and waits for instructions.


How command and control works

ChaosBot uses Discord in a very straightforward way:

  • Connects over HTTPS on port 443
  • Talks to Discord’s API just like a real client would
  • Listens in attacker-controlled servers or channels
  • Receives commands as messages
  • Sends system info and results back as text or small file uploads

From a network point of view, it looks like normal Discord traffic unless you look closely at who is using it and how.


What ChaosBot can do

ChaosBot is not flashy, but it’s capable:

  • Runs commands sent by the attacker
  • Collects basic system information
  • Downloads and runs additional malware
  • Maintains persistence across reboots
  • Updates or removes itself if told to
  • Acts as a foothold for later attacks

It’s designed to stay quiet and flexible rather than cause immediate damage.


How it stays persistent

ChaosBot usually sticks around using simple methods:

  • Registry run keys
  • Scheduled tasks
  • Startup folder shortcuts
  • User-level persistence to avoid admin prompts

It often uses harmless-looking names so it doesn’t stand out to users.


Indicators of Compromise (IoCs)

Discord domains commonly used

(legitimate on their own, suspicious in the wrong context)

  • discord[.]com
  • discordapp[.]com
  • cdn.discordapp[.]com

Discord webhook and API patterns

  • discord[.]com/api/webhooks/*
  • discordapp[.]com/api/webhooks/*
  • discord[.]com/api/v*/channels/*

Webhook traffic from servers or background processes is a strong red flag.


IP ranges commonly seen in Discord traffic

(these are shared infrastructure; focus on behavior, not the addresses themselves)

  • 162.159.128[.]0/17
  • 104.16.0[.]0/12
  • 172.64.0[.]0/13
  • 188.114.96[.]0/20

Unexpected communication to these ranges from non-user systems should be reviewed.


File and process indicators

  • Unknown .exe files located in:
    • %AppData%
    • %LocalAppData%
    • %Temp%
  • Executables compiled in Rust
  • No digital signature
  • Filenames mimicking legitimate tools or updates

Behavioral signs on endpoints

  • Discord traffic from:
    • Servers
    • Domain controllers
    • Systems without Discord installed
  • Scheduled tasks pointing to user directories
  • Background processes making frequent HTTPS calls to Discord

Detection Queries (Simple Examples)

Discord traffic from systems that shouldn’t use it

destination_domain CONTAINS "discord"
AND host_role NOT IN ("workstation")

Discord API usage outside of browsers

url CONTAINS "/api/"
AND destination_domain CONTAINS "discord"
AND process_name NOT IN ("chrome.exe", "msedge.exe", "firefox.exe")

Rust executables running from user folders

file_extension = ".exe"
AND (file_path CONTAINS "AppData" OR file_path CONTAINS "Temp")
AND binary_language = "Rust"

Suspicious scheduled task creation

event_type = "scheduled_task_created"
AND (task_command CONTAINS "AppData" OR task_command CONTAINS "Temp")

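The four pseudo-queries above, plus the IP-range check from the IoC section, as an added Python example that is not part of the original post. Field names (destination_domain, host_role, process_name, file_path, binary_language, task_command) mirror the pseudo-queries; the evaluate/run functions, the stricter domain match and the sample events are assumptions constructed for this example, not data from the post.

```python
"""Added example (not from the original post): the four pseudo-queries above and
the IP-range IoC check, written as Python rules and run over constructed log events.
Field names mirror the pseudo-queries; the events themselves are made up."""
import ipaddress
import re
from urllib.parse import urlparse

# Shared CDN ranges listed in the post.  They are shared infrastructure, so a
# match on its own is only a weak signal and is combined with host context below.
DISCORD_RANGES = [ipaddress.ip_network(n) for n in (
    "162.159.128.0/17", "104.16.0.0/12", "172.64.0.0/13", "188.114.96.0/20")]
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
USER_WRITABLE_DIRS = {"appdata", "temp"}


def is_discord_domain(domain):
    """Match the Discord domains from the IoC list (and their subdomains) rather
    than the looser CONTAINS "discord" of the pseudo-query, to avoid look-alikes."""
    d = domain.lower().rstrip(".")
    return d in ("discord.com", "discordapp.com") or d.endswith((".discord.com", ".discordapp.com"))


def in_discord_ranges(ip):
    """True if ip falls inside one of the listed CIDR ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in DISCORD_RANGES)


def in_user_writable_path(path):
    """True if a path component is AppData or Temp (component match, so that a
    folder called 'Template' does not trigger it)."""
    parts = re.split(r"[\\/]", path.lower())
    return any(p in USER_WRITABLE_DIRS for p in parts)


def evaluate(event):
    """Return the names of every rule the event matches, in rule order."""
    hits = []
    domain = event.get("destination_domain", "")
    proc = event.get("process_name", "").lower()
    path = urlparse(event.get("url", "")).path
    non_workstation = event.get("host_role") != "workstation"  # servers, DCs, unknown

    # Query 1: Discord traffic from systems that should not use it
    if is_discord_domain(domain) and non_workstation:
        hits.append("discord_from_non_workstation")
    # Query 2: Discord API usage outside of browsers
    if is_discord_domain(domain) and "/api/" in path and proc not in BROWSERS:
        hits.append("discord_api_non_browser")
    # Webhook calls from a background process: the post calls this a strong red flag
    if is_discord_domain(domain) and "/api/webhooks/" in path and proc not in BROWSERS:
        hits.append("discord_webhook_non_browser")
    # Query 3: Rust executables running from user folders
    if (event.get("file_extension", "").lower() == ".exe"
            and in_user_writable_path(event.get("file_path", ""))
            and event.get("binary_language") == "Rust"):
        hits.append("rust_exe_in_user_folder")
    # Query 4: scheduled task whose command lives in a user directory
    if (event.get("event_type") == "scheduled_task_created"
            and in_user_writable_path(event.get("task_command", ""))):
        hits.append("scheduled_task_in_user_dir")
    # IP-range IoC, only raised for non-user systems as the post recommends
    if in_discord_ranges(event.get("destination_ip", "")) and non_workstation:
        hits.append("discord_range_from_non_workstation")
    return hits


# Constructed sample events; host roles, process names, paths and IPs are invented.
SAMPLE_EVENTS = [
    {"id": "srv-1", "host_role": "server", "process_name": "svchost_update.exe",
     "destination_domain": "discord.com", "destination_ip": "162.159.135.232",
     "url": "https://discord.com/api/v10/channels/000/messages"},
    {"id": "ws-1", "host_role": "workstation", "process_name": "chrome.exe",
     "destination_domain": "cdn.discordapp.com", "destination_ip": "162.159.135.232",
     "url": "https://cdn.discordapp.com/attachments/000/image.png"},
    {"id": "file-1", "event_type": "file_created", "file_extension": ".exe",
     "file_path": r"C:\Users\alice\AppData\Roaming\wupdate.exe", "binary_language": "Rust"},
    {"id": "task-1", "event_type": "scheduled_task_created",
     "task_command": r"C:\Users\alice\AppData\Local\Temp\wupdate.exe"},
]


def run(events=SAMPLE_EVENTS):
    """Map each event id to the rules it triggered."""
    return {e["id"]: evaluate(e) for e in events}


if __name__ == "__main__":
    for event_id, hits in run().items():
        print(f"{event_id}: {', '.join(hits) or 'no match'}")
```

The server event trips three rules at once (non-workstation host, non-browser API call, listed IP range) while the workstation browser fetching a CDN attachment trips none, which is the context-over-domain point the post makes: the same destination is benign or suspicious depending on who is talking to it and how. The binary_language field assumes the telemetry source can tag Rust binaries; where it cannot, drop that clause and rely on the path and signature checks.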
MITRE ATT&CK Mapping (High-Level)

Initial Access

  • T1566 – Phishing
  • T1204 – User Execution

Execution

  • T1059 – Command and Scripting Interpreter

Persistence

  • T1053 – Scheduled Task / Job
  • T1547 – Logon Autostart Execution

Command and Control

  • T1102 – Web Service (Discord abuse)
  • T1071.001 – Web Protocols

Defense Evasion

  • T1036 – Masquerading
  • T1027 – Obfuscated Files

How to reduce risk

Quick wins

  • Block Discord access on servers unless explicitly required
  • Alert on Discord API calls from background processes
  • Review webhook usage regularly

Hardening

  • Prevent execution from user-writable directories
  • Monitor scheduled task creation
  • Limit what unsigned executables can run

User awareness

  • Discourage use of cracked or unofficial software
  • Remind users not to run unknown installers or scripts

Why ChaosBot works

ChaosBot is effective because:

  • It hides inside trusted infrastructure
  • It doesn’t need custom C2 servers
  • It keeps its activity low
  • It blends into normal HTTPS traffic

Traditional blocking doesn’t work well unless behavior is monitored.


Bottom line

ChaosBot is a good example of modern malware that hides in plain sight. If Discord traffic isn’t being monitored, this malware can sit quietly on a system and wait for further instructions. Detection needs to focus on context and behavior, not just domains or IPs.

Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.