No Happy Days for US Schools Infected with ChaChi
Posted by: GuidePoint Security
Security researchers have discovered a new trojan, written in the GoLang (Go) programming language, that has shifted from its original target of government agencies to focus instead on US schools. The trojan, dubbed ChaChi, is also a key component in launching ransomware attacks. ChaChi was first discovered in 2020, attacking local French government entities. The latest version of ChaChi appears to be a more sophisticated variant that focuses on US-based educational organizations and schools.
The current malware includes improved obfuscation and can perform remote access trojan (RAT) activities, such as backdoor creation and data exfiltration, credential dumping, DNS tunneling, network enumeration, SOCKS proxy functionality, service creation, and lateral movement across networks.
The ChaChi name is derived from the use of two off-the-shelf tools known as Chashell (a reverse shell over DNS provider) and Chisel (a port-forwarding system).
Researchers believe the ChaChi malware is the work of a threat group known as PYSA/Mespinoza, which is recognized for using the extension PYSA, which stands for “Protect Your System Amigo.”