Chaos RAT malware strikes Linux and Windows as hackers exploit its flaws

Chaos RAT is back and causing trouble on Linux and Windows systems. This open-source remote access tool was once pitched as a legitimate way to manage computers remotely. Now, it is being used to spy on users, steal data, and possibly set the stage for ransomware. According to Acronis, attackers are now turning the tables and exploiting Chaos RAT itself.

Originally written in Go and designed for cross-platform compatibility, Chaos RAT has evolved from a basic tool into a very dangerous piece of malware. It has been spotted in real-world attacks, including a recent sample disguised as a Linux network utility. Victims were likely tricked into downloading a fake troubleshooting tool containing the malware.

Once installed, Chaos RAT quietly collects system info, sends it to a command server, and waits for orders. These commands can range from file theft and screenshot capture to rebooting or shutting down the system. It even supports reverse shells and remote terminal access.

While Chaos RAT is often associated with Linux attacks, it fully supports Windows systems as well. The malware’s admin panel allows attackers to generate 64-bit payloads specifically for Windows, with options like hidden execution to suppress console output. This makes it easier for the malware to operate silently in the background without raising suspicion.

Several commands are exclusive to Windows, including the ability to lock the screen, sign out users, and perform shutdown or restart operations using built-in Windows tools. Combined with its cross-platform design, this functionality makes Chaos RAT a serious threat in environments running both Linux and Windows machines.

Acronis researchers found that the Chaos RAT admin panel includes two major flaws that flip the entire situation on its head. One flaw lets attackers run code on the server that is hosting the RAT. The other is a cross-site scripting (XSS) issue that lets attackers hijack the browser session of the person using the admin panel. Yes, hackers can take over the control panel of a hacking tool.

Security researcher Chebuya famously exploited these bugs by making the control panel play Rick Astley’s “Never Gonna Give You Up.” But as funny as that sounds, the flaws are serious. A determined attacker could easily gain full access to an operation using Chaos RAT.

This situation also highlights a growing problem in cybersecurity. Open-source software is everywhere and can be used for good or bad. Because the code is public, it is easy for anyone to modify and repackage it. Chaos RAT is just one example of a growing trend of malware based on open-source projects.

Even worse, these open tools are hard to trace. When everyone from amateur script kiddies to advanced government hackers uses the same malware, it becomes nearly impossible to tell who is behind an attack.

Acronis is now detecting Chaos RAT under the name “Trojan.Linux.ChaosRAT.A.” The company recently expanded its EDR protection to cover Linux alongside Windows and macOS. Supported systems include CentOS 7 and Ubuntu 22.04. This means defenders now have more tools to detect and respond to this threat.

Chaos RAT proves that just because something is open source does not mean it is safe. When security flaws and malware overlap, even the hackers are not safe from getting hacked.
