Chaos RAT Trojan Found in Arch User Repository

Arch Linux developers have identified three malicious packages in the Arch User Repository (AUR) that were used to install the Chaos Remote Access Trojan (RAT) on Linux systems.

Malicious Packages Discovered
The packages—librewolf-fix-bin, firefox-patch-bin, and zen-browser-patched-bin—were uploaded by a user named danikpapas on July 16, 2025. They were removed two days later, after community members flagged them as suspicious.
“On July 16, a malicious package was uploaded to the AUR,” warned the AUR maintainers. “Two more malicious packages were uploaded by the same user a few hours later. These packages executed a script from a GitHub repository that was identified as a Remote Access Trojan (RAT).”
Unlike official Arch repositories, the AUR operates without a formal review process. This places responsibility on users to manually inspect package contents and installation scripts before building them.
How the Attack Worked
Though the packages have been removed, archived copies analyzed by BleepingComputer revealed the mechanism of attack. Each PKGBUILD file contained a source entry labeled patches, which pointed to a GitHub repository:
https://github.com/danikpapas/zenbrowser-patch[.]git
During the build process, this repository was cloned under the guise of applying updates. Instead of legitimate patches, the repository contained malicious scripts that were executed during installation. The GitHub repository has since been deleted, making further analysis impossible.
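A source entry like the one above is exactly what a pre-build review of a PKGBUILD should catch. The following script is an added example, not code from the advisory, from Arch, or from BleepingComputer: it reads a PKGBUILD as plain text (never sourcing or executing it), lists its source and sha256sums arrays, and flags VCS sources that are not pinned to a commit or tag together with plain files whose checksum is SKIP. The PKGBUILD it audits is a constructed sample with placeholder host and repository names; the real PKGBUILDs are no longer available.

```shell
#!/bin/sh
# Added example (not from the advisory or from Arch): a static pre-build audit
# of a PKGBUILD's source array. It reads the file as text and never sources or
# executes it, so it is safe to run on an untrusted PKGBUILD.

# Print the entries of array NAME (e.g. source, sha256sums) defined in FILE,
# one per line with quotes stripped. Multi-line arrays are handled; shell
# variables such as ${pkgver} are left unexpanded because nothing is executed.
pkgbuild_array() {
    awk -v name="$1" '
        !inarr && index($0, name "=(") == 1 {
            inarr = 1
            $0 = substr($0, length(name) + 3)   # drop "name=("
        }
        inarr {
            line = $0
            if (index(line, ")")) {             # closing paren ends the array
                line = substr(line, 1, index(line, ")") - 1)
                inarr = 0
            }
            n = split(line, parts, /[ \t]+/)
            for (i = 1; i <= n; i++) if (parts[i] != "") print parts[i]
        }
    ' "$2" | tr -d "\"'"
}

# Audit FILE. Prints one finding per line and a final "findings=N" line;
# returns 0 when nothing was flagged, 1 otherwise.
#   UNPINNED_VCS   a git/hg/svn/bzr source with no #commit=/#tag= fragment:
#                  makepkg clones whatever the remote serves at build time,
#                  which is how the "patches" repository on this page
#                  delivered its payload
#   SKIP_CHECKSUM  a plain file whose sha256sums entry is SKIP: no integrity
#                  check at all
audit_pkgbuild() {
    _findings=0
    _i=0
    for _src in $(pkgbuild_array source "$1"); do
        _i=$((_i + 1))
        _url=${_src#*::}                       # strip an optional "label::" prefix
        _sum=$(pkgbuild_array sha256sums "$1" | sed -n "${_i}p")
        case "$_url" in
            git+*|git://*|hg+*|svn+*|bzr+*)
                case "$_url" in
                    *'#commit='*|*'#tag='*|*'#revision='*) ;;
                    *) echo "UNPINNED_VCS $_src"; _findings=$((_findings + 1)) ;;
                esac ;;
            *)
                if [ "$_sum" = "SKIP" ]; then
                    echo "SKIP_CHECKSUM $_src"
                    _findings=$((_findings + 1))
                fi ;;
        esac
    done
    echo "findings=$_findings"
    [ "$_findings" -eq 0 ]
}

# Constructed sample PKGBUILD mirroring the shape described on this page:
# a real-looking tarball plus a "patches" git source. Host and repository
# names are placeholders, not the attacker's.
write_sample_pkgbuild() {
    _f=$(mktemp)
    cat >"$_f" <<'EOF'
pkgname=example-browser-patched-bin
pkgver=1.0.0
pkgrel=1
arch=('x86_64')
source=("https://example.invalid/browser-${pkgver}.tar.xz"
        "patches::git+https://github.com/EXAMPLE-ACCOUNT/browser-patch.git")
sha256sums=('SKIP'
            'SKIP')
build() {
    cd "$srcdir/patches"
    ./apply.sh
}
EOF
    echo "$_f"
}

SAMPLE_PKGBUILD=$(write_sample_pkgbuild)
if audit_pkgbuild "$SAMPLE_PKGBUILD"; then
    echo "no source findings; still read build() and package() before running makepkg"
else
    echo "do not build until every flagged source is understood"
fi
```

Against the sample, the audit reports the unpinned patches repository and the tarball with a SKIP checksum. A git source with SKIP is normal in AUR packaging, which is why the pin (or lack of one) is what the script looks at; a plain file with SKIP never is. The script is a first filter only: a PKGBUILD's build() and package() functions still have to be read by hand.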
Reddit-Based Malware Promotion
To spread the malware further, the attacker promoted the infected AUR packages on Reddit, replying to Arch Linux-related threads and recommending the packages. The posts were made using an inactive Reddit account—likely hijacked specifically for this campaign.
Community members grew suspicious, uploaded a component to VirusTotal, and quickly identified it as Chaos RAT.
What Is Chaos RAT?
Chaos RAT is an open-source remote access trojan compatible with both Windows and Linux. Once installed, it gives attackers the ability to:
- Upload and download files
- Execute arbitrary system commands
- Open reverse shells
- Gain full remote control over the infected device
Chaos RAT is often deployed in cryptojacking, credential theft, data exfiltration, and espionage operations.
In this incident, once installed, the malware connected to a command-and-control (C2) server at:
130.162[.]225[.]47:8080
and awaited further instructions.
Recommendations for Users
The Arch Linux team strongly advises users who may have installed any of the compromised packages to:
- Remove the packages immediately
- Scan for signs of compromise
- Search for and delete a suspicious file named systemd-initd in the /tmp directory
- Monitor system behavior for unusual activity
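Those checks can be scripted. The following is an added example, not a tool from the Arch team or from this report: it takes pacman -Q output, the pacman log, a filesystem root and ss -tn output as inputs and reports which indicators from this page are present (suspect packages still installed, their install history, the /tmp/systemd-initd file, and connections to the C2 endpoint, refanged from the address above). Because every check reads from a path, it runs the same way on the live host or on evidence copied off it; the files it runs against here are constructed samples.

```shell
#!/bin/sh
# Added example (not from the advisory or from Arch): a post-incident triage
# script for the indicators named on this page. Each check takes a file or
# path so it can run on the live host or on evidence copied off it.

# Package names and C2 endpoint from the advisory (address refanged).
SUSPECT_PKGS="librewolf-fix-bin firefox-patch-bin zen-browser-patched-bin"
C2_HOST="130.162.225.47"
C2_PORT="8080"
DROPPED_FILE="tmp/systemd-initd"

# $1 = file holding "pacman -Q" output ("name version" per line).
# Prints the suspect packages that are still installed.
installed_suspects() {
    for _p in $SUSPECT_PKGS; do
        grep "^$_p " "$1" 2>/dev/null | cut -d' ' -f1 || true
    done
}

# $1 = pacman log (/var/log/pacman.log). Prints ALPM install/upgrade lines for
# the suspect packages: the history survives even after a package is removed.
install_history() {
    for _p in $SUSPECT_PKGS; do
        grep -E "\[ALPM\] (installed|upgraded|reinstalled) $_p " "$1" 2>/dev/null || true
    done
}

# $1 = root prefix ("" on the live system, a scratch dir here).
# Returns 0 if the dropped file exists.
dropped_file_present() {
    [ -e "$1/$DROPPED_FILE" ]
}

# $1 = file holding "ss -tn" output. Prints connections whose peer is the C2.
c2_connections() {
    grep -F "$C2_HOST:$C2_PORT" "$1" 2>/dev/null || true
}

# $1 = pacman -Q file, $2 = pacman log, $3 = root prefix, $4 = ss output.
# Prints a report; the return value is the number of indicator categories hit.
triage() {
    _hits=0
    _r=$(installed_suspects "$1")
    if [ -n "$_r" ]; then printf 'INSTALLED:\n%s\n' "$_r"; _hits=$((_hits + 1)); fi
    _r=$(install_history "$2")
    if [ -n "$_r" ]; then printf 'HISTORY:\n%s\n' "$_r"; _hits=$((_hits + 1)); fi
    if dropped_file_present "$3"; then
        echo "FILE: $3/$DROPPED_FILE present"; _hits=$((_hits + 1))
    fi
    _r=$(c2_connections "$4")
    if [ -n "$_r" ]; then printf 'C2:\n%s\n' "$_r"; _hits=$((_hits + 1)); fi
    echo "indicator categories hit: $_hits"
    return $_hits
}

# Constructed evidence set: one suspect package still installed, two in the
# install history, the dropped file present, one live C2 connection.
# Timestamps and local addresses are made up.
make_sample_evidence() {
    _d=$(mktemp -d)
    mkdir -p "$_d/root/tmp"
    : >"$_d/root/tmp/systemd-initd"
    cat >"$_d/pacman-q.txt" <<'EOF'
firefox 128.0-1
firefox-patch-bin 1.0-1
zen-browser 1.0.0-1
EOF
    cat >"$_d/pacman.log" <<'EOF'
[2025-07-16T18:03:11+0000] [ALPM] installed firefox-patch-bin (1.0-1)
[2025-07-16T18:05:40+0000] [ALPM] installed zen-browser-patched-bin (1.0-1)
[2025-07-18T09:12:02+0000] [ALPM] removed zen-browser-patched-bin (1.0-1)
EOF
    cat >"$_d/ss.txt" <<'EOF'
State Recv-Q Send-Q Local Address:Port  Peer Address:Port
ESTAB 0      0      192.0.2.20:51524    130.162.225.47:8080
ESTAB 0      0      192.0.2.20:44312    203.0.113.5:443
EOF
    echo "$_d"
}

EVIDENCE=$(make_sample_evidence)
triage "$EVIDENCE/pacman-q.txt" "$EVIDENCE/pacman.log" "$EVIDENCE/root" "$EVIDENCE/ss.txt" || :
# On a live host: pacman -Q >q.txt; ss -tn >ss.txt
#                 triage q.txt /var/log/pacman.log "" ss.txt
```

The pacman log check matters because a user who already removed the packages has nothing left for pacman -Q to report; the ALPM install line is still there. A hit in any category is a reason to treat the host as compromised rather than merely to delete the file, since the RAT's command execution capability means anything could have been changed after installation.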
Users are also reminded to exercise caution when installing packages from the AUR. Always review installation scripts and validate the source before proceeding.