Chisel
⚠️ Overview
Chisel is a lightweight, Golang-based tunneling tool first publicly documented by the UK National Cyber Security Centre (NCSC) and U.S. CISA in a joint advisory on July 1, 2021, attributed to the Russian state-sponsored threat group APT29 (also tracked as Cozy Bear, The Dukes, and NOBELIUM). It is categorized as a custom covert proxy and data exfiltration utility rather than a traditional malware family such as ransomware or a botnet, operating as a modular component within larger intrusion campaigns.
🔧 Technical Capabilities
Chisel uses TCP/UDP tunnels to encapsulate arbitrary network protocols, allowing operators to bypass network segmentation and exfiltrate data over HTTP/HTTPS by chaining client-side SOCKS5 proxies with server-side listeners. It employs a single binary that communicates over a TLS-encrypted channel with hardcoded or dynamically resolved command-and-control (C2) domains, often masquerading as legitimate traffic (e.g., Google Analytics API endpoints). Persistence is achieved by installing the binary as a Windows service or Linux daemon with names mimicking system processes (e.g., "svchost.exe" or "systemd-timesyncd"). Evasion techniques include in-memory execution via process injection into trusted processes (e.g., svchost.exe, w3wp.exe) and use of obfuscated configuration strings stored in registry keys or environment variables to avoid static file scanning. MITRE ATT&CK identifies Chisel under technique T1090 (Proxy) with sub-technique T1090.003 (Multi-hop Proxy), and under T1572 (Protocol Tunneling).
📜 History & Notable Incidents
First observed in active operations by APT29 as early as late 2020, Chisel was used in the 2021 SolarWinds Orion supply chain compromise (though its role was limited to post-exploitation tunneling for victims already breached via SUNBURST). The NCSC/CISA joint advisory (July 2021) named Chisel as a key tool in APT29 campaigns targeting COVID-19 vaccine researchers, diplomatic entities, and think tanks in the US and UK. No CVEs are directly associated with Chisel itself, as it exploits no vulnerability—it is a legitimate tunneling tool repurposed for malicious use.
🔍 Detection Indicators
Indicators include the presence of files named "chisel.exe", "chisel-linux-amd64", or "chisel_windows_amd64.exe" in non-standard directories (e.g., %TEMP%, %APPDATA%); registry keys under HKCU\Software\Chisel or HKLM\SOFTWARE\Chisel storing server addresses; and network connections to known C2 IPs such as 185.163.109.67 and the domain "statcache[.]com" (per the CISA report). Behavioral signatures include abnormal outbound TLS connections to cloud or CDN IPs not associated with normal web traffic, and use of SOCKS5 proxies from within the network.
☠️ Risk & Impact
The primary damage from Chisel is stealthy data exfiltration; it enables APT29 to tunnel stolen credentials, intellectual property, and diplomatic communications out of compromised networks without triggering typical DLP alerts. The UK NCSC warned that Chisel has been deployed against the healthcare and pharmaceutical sectors (specifically vaccine research), as well as government ministries and academic institutions. Financial losses are indirect but severe, including the cost of incident response, remediation, and reputational damage from high-profile breaches.
🛡️ Mitigation
Mitigation strategies include blocking outbound connections to known C2 IPs and domains listed in CISA's advisory, implementing application whitelisting to prevent execution of unsigned binaries named "chisel*", and enabling advanced endpoint detection rules that flag process injection into svchost.exe or w3wp.exe. The NSA recommends using a VPN and proxy server with explicit allowlisting to disrupt tunneled connections, and deploying EDR solutions capable of detecting Chisel's specific TLS fingerprint patterns.
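The following triage script is an added example (not code from the page's source reports or from the Chisel project) that turns the Detection Indicators and Mitigation sections above into concrete checks: it matches the file names, registry keys and C2 IP/domain quoted on this page against constructed endpoint and network telemetry, and implements the "deny unsigned chisel*" allowlisting rule and the C2 egress block as reusable functions. The event schema, the list of "non-standard" directory markers, and the use of TCP port 1080 as a SOCKS5 heuristic are assumptions made for the example; the sample events are constructed and use documentation-range addresses.

```python
"""Triage constructed telemetry against the Chisel indicators quoted on this page.
Example code added for illustration; event schema is an assumption."""
import fnmatch
import re
from dataclasses import dataclass
from typing import List, Optional

# Indicators as quoted on the page (file names, registry keys, C2 IP and domain).
CHISEL_FILENAMES = {"chisel.exe", "chisel-linux-amd64", "chisel_windows_amd64.exe"}
CHISEL_REG_KEYS = (r"hkcu\software\chisel", r"hklm\software\chisel")
KNOWN_C2_IPS = {"185.163.109.67"}
KNOWN_C2_DOMAINS = {"statcache.com"}  # the page writes it defanged as statcache[.]com
# Assumption: these path fragments mark %TEMP% / %APPDATA% (raw or expanded) and /tmp.
NONSTANDARD_DIR_MARKERS = ("%temp%", "%appdata%", "\\appdata\\", "\\temp\\", "/tmp/")
SOCKS_PORT = 1080  # assumption: conventional SOCKS5 port used as a weak behavioral signal


@dataclass
class Finding:
    rule: str
    severity: str
    detail: str


def _basename(path: str) -> str:
    return re.split(r"[\\/]", path)[-1]


def _norm_regkey(key: str) -> str:
    key = key.replace("/", "\\").lower()
    return key.replace("hkey_current_user", "hkcu").replace("hkey_local_machine", "hklm")


def _refang(host: str) -> str:
    return host.lower().replace("[.]", ".")


def should_block_execution(path: str, signed: bool) -> bool:
    """Allowlisting rule from the Mitigation section: deny unsigned chisel* binaries."""
    return fnmatch.fnmatch(_basename(path).lower(), "chisel*") and not signed


def is_blocked_destination(ip: str, host: str = "") -> bool:
    """Egress rule from the Mitigation section: deny the page's C2 IP and domain (and subdomains)."""
    h = _refang(host)
    return ip in KNOWN_C2_IPS or any(h == d or h.endswith("." + d) for d in KNOWN_C2_DOMAINS)


def check_event(ev: dict) -> Optional[Finding]:
    """Apply the page's file, registry and network indicators to one telemetry event."""
    kind = ev["type"]
    if kind == "process":
        name = _basename(ev["image"]).lower()
        if name in CHISEL_FILENAMES or fnmatch.fnmatch(name, "chisel*"):
            odd_dir = any(m in ev["image"].lower() for m in NONSTANDARD_DIR_MARKERS)
            sev = "high" if odd_dir else "medium"
            return Finding("chisel_binary_name", sev, f"{ev['image']} (non-standard dir: {odd_dir})")
    elif kind == "registry":
        key = _norm_regkey(ev["key"])
        if any(key == k or key.startswith(k + "\\") for k in CHISEL_REG_KEYS):
            return Finding("chisel_registry_key", "high", f"{ev['key']} = {ev.get('value', '')!r}")
    elif kind == "network":
        dst = ev.get("dst_host") or ev.get("dst_ip", "")
        if is_blocked_destination(ev.get("dst_ip", ""), ev.get("dst_host", "")):
            return Finding("chisel_known_c2", "high", f"{ev['process']} -> {dst}:{ev['dst_port']}")
        if ev.get("dst_port") == SOCKS_PORT and ev.get("internal_dst"):
            return Finding("socks5_port_inside_network", "low", f"{ev['process']} -> {dst}:{SOCKS_PORT}")
    return None


def scan(events: List[dict]) -> List[Finding]:
    return [f for f in (check_event(e) for e in events) if f is not None]


# Constructed sample telemetry (not real data); addresses are documentation/private ranges.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Users\alice\AppData\Local\Temp\chisel.exe", "signed": False},
    {"type": "process", "image": r"C:\Windows\System32\svchost.exe", "signed": True},
    {"type": "registry", "key": r"HKEY_CURRENT_USER\Software\Chisel\Server", "value": "185.163.109.67:443"},
    {"type": "network", "process": "chisel.exe", "dst_ip": "185.163.109.67", "dst_host": "", "dst_port": 443},
    {"type": "network", "process": "browser.exe", "dst_ip": "203.0.113.10", "dst_host": "www.example.com", "dst_port": 443},
    {"type": "network", "process": "python.exe", "dst_ip": "10.20.0.5", "dst_host": "", "dst_port": 1080, "internal_dst": True},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity:6}] {f.rule}: {f.detail}")
```

Name-based rules are the weakest part of this list, since an operator can rename the binary; the registry and destination checks carry more weight, and the SOCKS port heuristic is only a prompt to look at the process making the connection, not a verdict on its own.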