Evolving Threat: New Chaos RAT Variants Target Windows and Linux in 2025
TL;DR
- New Chaos RAT Variants: Researchers at Acronis identified new variants of Chaos RAT targeting Windows and Linux systems in 2025.
- Key Findings: The RAT continues to evolve, with recent samples exploiting vulnerabilities in its web panel and using social engineering tactics.
- Impact: Chaos RAT poses significant risks for espionage, data exfiltration, and post-compromise operations, highlighting the growing threat of open-source malware.
Main Content
Acronis researchers reported that new Chaos RAT variants were employed in 2025 attacks against Linux and Windows systems.
Acronis TRU researchers have uncovered new variants of Chaos RAT targeting both Linux and Windows systems in recent cyberattacks. Initially observed in 2022, Chaos RAT has continued to evolve, with fresh samples emerging in 2025. The researchers also discovered a critical flaw in the RAT’s web panel that enables remote code execution. The latest variant employs social engineering tactics, tricking victims into downloading a fake Linux network troubleshooting tool, thereby expanding its infection methods.
"Developed in Golang, Chaos RAT offers cross-platform compatibility with Windows and Linux systems — another clear example of how useful legitimate tools can contain vulnerabilities and be repurposed for cybercriminal activities." reads the report published by Acronis. "While overall use remains limited, recent samples confirm Chaos RAT is still active. Its low detection profile creates opportunities for espionage, data exfiltration, and establishing footholds for ransomware and other post-compromise operations."
About Chaos RAT
Chaos RAT is an open-source remote access tool (RAT) built in Golang, designed to work across both Windows and Linux systems. Inspired by tools like Cobalt Strike and Sliver, it includes an admin panel where attackers can create payloads, manage sessions, and control infected devices. While Golang-based malware is typically larger and slower than C++ versions, it offers easier cross-platform support and faster development, making it appealing to cybercriminals.
Initially developed for legitimate remote management, Chaos RAT has been repurposed by threat actors due to its open-source nature. Though development began in 2017, it was first employed in real-world attacks in late 2022, mainly targeting Linux systems in crypto-mining campaigns. Its growing use underscores the importance of understanding its architecture, attack methods, and how to detect and defend against it.[^1]
Attack Methods
Chaos RAT often spreads through phishing emails containing malicious links or attachments. Early attacks utilized cron jobs to remotely update payloads, allowing attackers to deploy crypto miners or Chaos RAT without re-accessing the system. The RAT was primarily used for reconnaissance. In a recent case from India, a file named NetworkAnalyzer.tar.gz contained the RAT, disguised as a Linux network tool, indicating the use of social engineering to deceive victims.[^2]
Capabilities
Chaos RAT offers a range of commands for system control and data theft, including:
- Gathering OS and user information
- Taking screenshots
- Rebooting or shutting down the system
- Locking or signing out users (Windows only)
- Browsing and managing files (explore, upload, download, delete)
- Opening URLs in the default browser
These capabilities allow operators to control infected systems and exfiltrate data remotely. Chaos RAT enables attackers to manage files, open reverse shells, and proxy network traffic, which are functions useful for spying, stealing data, or setting the stage for ransomware.
"What starts as a developer’s tool can quickly become a threat actor’s instrument of choice. This Go-based RAT offers a simple web interface and powerful system controls across Windows and Linux, offering reverse shells, file manipulation, and remote command execution on compromised systems." concludes the report. "Chaos has been spotted in the wild and represents a growing issue in cybersecurity: The weaponization of open-source software. With rapid deployment capabilities, stealthy Linux targeting, and flexible configuration, it’s a reminder that open source is a double-edged sword — and in the wrong hands, it can cut deep."[^3]
Follow Security Affairs
Follow for more updates:
(SecurityAffairs – hacking, malware)
For more details, visit the full article: source
Conclusion
The evolution of Chaos RAT highlights the ongoing threat posed by open-source malware. As cybercriminals continue to exploit vulnerabilities in legitimate tools, it is crucial for organizations to stay vigilant and implement robust detection and defense mechanisms. Understanding the tactics and capabilities of tools like Chaos RAT is essential for mitigating risks and protecting against future attacks.