Chaos ransomware evolves with a C++ variant that blends destructive encryption, clipboard hijacking, and speed-focused attack strategies
By Yen-Ting Lee | October 08, 2025
Affected Platforms: Microsoft Windows
Impacted Users: Microsoft Windows
Impact: Most files on the compromised machines are encrypted
Severity Level: High
In 2025, Chaos ransomware resurfaced with a C++ variant. We believe this marks the first time it was not written in .NET. Beyond encryption and ransom demands, it adds destructive extortion tactics and clipboard hijacking for cryptocurrency theft. This evolution underscores Chaos's shift toward more aggressive methods, amplifying both its operational impact and the financial risk it poses to victims.
This blog provides a comprehensive technical analysis of Chaos-C++, covering its execution flow, encryption process, and clipboard hijacking mechanism. In addition, we compare its behavior with that of Chaos's earlier variants.
Downloading and Execution
The Chaos-C++ ransomware downloader (SHA256: 2fb01284cb8496ce32e57d921070acd54c64cab5bb3e37fa5750ece54f88b2a4) masquerades as a fake utility, System Optimizer v2.1. It opens a console that prints bogus optimization messages to build credibility while silently deploying its ransomware payload (Chaos-C++_type3, SHA256: 19f5999948a4dcc9b5956e797d1194f9498b214479d2a6da8cb8d5a1c0ce3267) in the background.
Figure 1: Chaos-C++ downloader – fake system optimizer
As part of its operation, it generates a hidden log file, sysopt.log, within the %TMP% directory to record details of the payload download and execution process. The payload itself is written to %TMP%\svc[XXXX].tmp, where [XXXX] represents four randomly generated characters, and is combined with hardcoded strings embedded within the downloader.
To launch the payload, the Chaos-C++ downloader first attempts to invoke CreateProcessA() with the CREATE_NO_WINDOW (0x08000000) flag, ensuring execution without a visible window. If this approach fails, it falls back to executing the payload through the command line cmd.exe /c start /b "%TMP%\svc[XXXX].tmp", again prioritizing stealth and silent execution.
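The drop-and-launch sequence above leaves a recognizable footprint in endpoint telemetry. The following is an added detection example, not code from the original analysis: it runs simple matchers over constructed Sysmon-style ProcessCreate (EID 1) and FileCreate (EID 11) records and flags the sysopt.log write, the %TMP%\svc[XXXX].tmp drop, and both launch paths. It assumes %TMP% expands to the usual per-user ...\AppData\Local\Temp and that the four random characters are alphanumeric; neither is stated in the blog.

```python
import re

# Constructed Sysmon-style telemetry (not real logs): ProcessCreate (EID 1) and
# FileCreate (EID 11) records from a host that ran the fake "System Optimizer".
# %TMP% is assumed to expand to ...\AppData\Local\Temp, the usual per-user default.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Users\alice\Downloads\SystemOptimizer.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\sysopt.log"},
    {"EventID": 11, "Image": r"C:\Users\alice\Downloads\SystemOptimizer.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\svcA9f3.tmp"},
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Local\Temp\svcA9f3.tmp",
     "CommandLine": r'"C:\Users\alice\AppData\Local\Temp\svcA9f3.tmp"',
     "ParentImage": r"C:\Users\alice\Downloads\SystemOptimizer.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c start /b "C:\Users\alice\AppData\Local\Temp\svcA9f3.tmp"',
     "ParentImage": r"C:\Users\alice\Downloads\SystemOptimizer.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\notes.txt",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# svc[XXXX].tmp in the Temp folder; the blog says four random characters but not
# which alphabet, so [A-Za-z0-9] is an assumption.
PAYLOAD_RE = re.compile(r"\\Temp\\svc[A-Za-z0-9]{4}\.tmp(?![\w.])", re.IGNORECASE)
LOG_RE = re.compile(r"\\Temp\\sysopt\.log$", re.IGNORECASE)
# The fallback launch the blog describes: cmd.exe /c start /b "<payload>"
START_B_RE = re.compile(r"\bcmd(\.exe)?\s+/c\s+start\s+/b\b", re.IGNORECASE)


def classify(event):
    """Return the downloader behaviours from the blog that this one event matches."""
    hits = []
    if event["EventID"] == 11:
        if LOG_RE.search(event["TargetFilename"]):
            hits.append("hidden sysopt.log written to %TMP%")
        if PAYLOAD_RE.search(event["TargetFilename"]):
            hits.append("payload dropped as %TMP%\\svc[XXXX].tmp")
    elif event["EventID"] == 1:
        if PAYLOAD_RE.search(event["Image"]):
            hits.append("payload launched directly (CreateProcessA path)")
        if START_B_RE.search(event["CommandLine"]) and PAYLOAD_RE.search(event["CommandLine"]):
            hits.append("payload launched via cmd.exe /c start /b fallback")
    return hits


def scan(events):
    """Map each matching event's Image to its hit list; clean events are omitted."""
    return [(e["Image"], h) for e in events if (h := classify(e))]
```

On the constructed sample, scan() flags the log write, the payload drop, and both launch attempts, while the unrelated notepad.exe record produces no hit.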
