
Chaos Ransomware Evolves to Become Faster, Smarter and More Dangerous

Chaos ransomware has undergone a significant transformation in 2025, marking its first departure from .NET programming with the introduction of Chaos-C++, a sophisticated variant that combines destructive tactics with cryptocurrency theft capabilities.

This evolution represents a concerning shift toward more aggressive extortion methods that amplify both operational impact and financial risk for victims.

The latest variant masquerades as “System Optimizer v2.1,” a fake utility that displays bogus optimization messages while silently deploying its ransomware payload.

Chaos-C++ downloader – fake system optimizer

The downloader (SHA256: 2fb01284cb8496ce32e57d921070acd54c64cab5bb3e37fa5750ece54f88b2a4) creates a hidden log file at %TMP%\sysopt.log and writes the payload to %TMP%\svc[XXXX].tmp, where XXXX is a run of randomly generated characters. It then launches the payload with the CREATE_NO_WINDOW process-creation flag so that no console window is shown to the user.

Advanced Encryption and Destructive File Strategy

Chaos-C++ implements a sophisticated size-based file handling strategy that prioritizes speed and destruction over traditional encryption approaches.

AES-encrypted files begin with a 4-byte header that specifies the key size

Files under 50MB undergo full AES-256-CFB encryption using Windows CryptoAPI functions, with an XOR-based fallback used when the CryptoAPI functions are unavailable.

The ransomware targets over 40 file extensions while avoiding critical system directories to maintain operational stability.

The variant’s most concerning feature involves its treatment of larger files. Files between 50MB and 1.3GB are deliberately skipped and left untouched, while files exceeding 1.3GB have their content completely deleted rather than encrypted.

This destructive approach eliminates recovery possibilities for critical data, such as archives, databases, and backups, rendering it more akin to a wiper than traditional ransomware.

Clipboard Hijacking for Cryptocurrency Theft

Beyond encryption, Chaos-C++ introduces clipboard hijacking capabilities that automatically intercept and replace Bitcoin addresses copied to the system clipboard.


The malware validates addresses by checking their length (26-64 characters) and recognizing legitimate formats including P2PKH (prefix “1”), P2SH (prefix “3”), and Bech32 (prefix “bc1”) wallets.

When valid cryptocurrency addresses are detected, the ransomware replaces them with an attacker-controlled Bech32 Bitcoin wallet using Windows Clipboard API functions.

This dual-threat approach ensures victims unknowingly redirect payments to attackers even when attempting legitimate cryptocurrency transactions.

Specific condition to trigger hijacking action
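The address check described above, turned around into a defender's detection heuristic. This is an added example, not code from the article or from the malware: it reproduces the length and prefix test the article attributes to Chaos-C++, then flags the tell-tale pattern a clipboard hijacker leaves behind, a plausible address replaced by a different one within a fraction of a second of the user's copy. The clipboard snapshots and wallet addresses are constructed sample data, and the two-second window is an assumption.

```python
import re
from dataclasses import dataclass
from typing import List, Sequence, Tuple

# The check the article attributes to Chaos-C++: 26-64 characters and a
# prefix of "1" (P2PKH), "3" (P2SH) or "bc1" (Bech32). The charset filter
# only keeps ordinary sentences from matching; it is not full validation.
ADDRESS_RE = re.compile(r"(?:1|3|bc1)[A-Za-z0-9]+")

def looks_like_btc_address(text: str) -> bool:
    """True if TEXT would pass the hijacker's length/prefix test."""
    return 26 <= len(text) <= 64 and ADDRESS_RE.fullmatch(text) is not None

@dataclass
class Swap:
    at: float      # timestamp of the snapshot holding the replacement
    old: str       # address the user copied
    new: str       # address that took its place
    delta: float   # seconds between the copy and the replacement

def detect_swaps(events: Sequence[Tuple[float, str]], window: float = 2.0) -> List[Swap]:
    """Flag address -> different-address changes that occur within WINDOW seconds.

    Heuristic (assumption): a person rarely copies two distinct wallet
    addresses back to back, whereas a hijacker rewrites the clipboard
    almost immediately after the user's copy.
    """
    swaps: List[Swap] = []
    for (t_prev, prev), (t_cur, cur) in zip(events, events[1:]):
        if (looks_like_btc_address(prev) and looks_like_btc_address(cur)
                and prev != cur and 0 <= t_cur - t_prev <= window):
            swaps.append(Swap(t_cur, prev, cur, t_cur - t_prev))
    return swaps

# Constructed clipboard snapshots: (seconds since start, clipboard text).
# The addresses are made-up strings shaped like real ones, not live wallets.
SAMPLE_EVENTS = [
    (0.0, "meeting at 3pm"),
    (10.0, "1ConstructedP2pkhSampleAddr000001"),        # user copies own address
    (10.2, "bc1qconstructedbech32sampleaddr00000001"),  # replaced 200 ms later
    (60.0, "3ConstructedP2shSampleAddr0000002"),        # unrelated copy, far outside window
    (61.5, "3ConstructedP2shSampleAddr0000002"),        # same text re-copied: not a swap
]

if __name__ == "__main__":
    for s in detect_swaps(SAMPLE_EVENTS):
        print(f"[{s.at:.1f}s] swap after {s.delta:.1f}s: {s.old} -> {s.new}")
```

On a live host the snapshot list would be fed by a clipboard-change hook; the heuristic itself needs only the timestamps and texts.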

The ransomware maintains persistence through the SvcHost_Mutex_7z459ajrk mutex and creates %APPDATA%\READ_IT.txt to prevent reinfection. Upon completion, it displays an “Encryption complete” message and deploys ransom notes, while continuing to monitor the clipboard.

Security researchers note that Chaos-C++’s evolution from previous .NET variants demonstrates the threat actors’ experimentation with balancing execution speed against damage scope, suggesting future variants may adopt increasingly wiper-like characteristics that prioritize destruction over recovery incentives.

IoCs

SHA256 Note
2fb01284cb8496ce32e57d921070acd54c64cab5bb3e37fa5750ece54f88b2a4 Chaos Downloader
19f5999948a4dcc9b5956e797d1194f9498b214479d2a6da8cb8d5a1c0ce3267 Chaos ransomware
f200ea7ccc5c9b0eaada74046551ed18a3a9d11c9e87999b25e6b8ee55857359 Chaos ransomware


The post Chaos Ransomware Evolves to Become Faster, Smarter and More Dangerous appeared first on Cyber Security News.
