Skip to content

Chaos RAT is enhancing cryptojacking attacks

  • by
  • 3 min read
What is cryptojacking? How to detect and prevent it

Researchers at Trend Micro have discovered a new cryptojacking malware family that uses the Chaos Remote Administrative Tool to take control of a victim’s computer while also installing the XMRig crypto-mining malware.

The malware functions as a RAT (Remote Access Trojan), and the final payload is written in GO, HTML and JavaScript. At the time of writing, Chaos can perform the following functions on Windows or Linux machines:

  • Open a reverse shell
  • Download/upload files and additional payloads
  • Delete files on the target device
  • Take screenshots
  • Access File Explorer
  • Collect operating system and device information
  • Restart or shutdown the PC
  • Open URLs remotely
Chaos RAT is enhancing cryptojacking attacks
The official Chaos Github repository

It’s important to note that Chaos itself isn’t harmful and is meant as a remote access utility — like TeamViewer or AnyDesk. That said, the threat actors have adapted the project to their own requirements.

The RAT works in multiple phases and ensures that competing cryptojackers or any programs that might be using the resources used for crypto mining are closed before execution. Additionally, post-deployment, it achieves persistence by adding an entry into the crontab file that downloads itself every 10 minutes from a PasteBin URL. 

Once persistence is achieved, the malware downloads an XMRig miner, a corresponding configuration file, a shell script that kills competing processes, and the Chaos RAT itself. 

The main downloader script and any additional payloads are hosted in different locations to avoid detection and keep the campaign actively spreading. The main server, which is also used for downloading payloads, seems to be located in Russia.

Chaos RAT is enhancing cryptojacking attacks
Strings inside the malicious Binary file that link the malware to Chaos. | Source: Trend Micro.

Historical WhoIs data reports that it was previously being used for cloud bulletproof hosting. As for the Command and Control (C2) server, it’s likely located in Hong Kong. This location was determined by the researchers using IP geolocation.

The Chaos RAT client connects to the C2 server via its address and default port, using a JSON Web Token (JWT) for authorisation. This ensures that security researchers, competing hacking groups or any other third party cannot access the C2 server. 

The researchers haven’t been able to pinpoint a single threat actor responsible for developing the RAT or operating it at the moment. However, the discovery proves that cryptojacking and remote access campaigns are still actively being developed by multiple threat actors around the world. 

In the News: India has over 800 million broadband users: MeitY


Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: