PYSA ransomware gang has started using a Golang-based Trojan RAT called ChaChi as part of a new campaign against educational organizations which is named after two key components of the RAT, Chashell and Chisel.

ChaChi’s code was altered to include obfuscation and persistence in late March or early April. In latest ChaChi variants with the added DNS tunnelling and Port-Forwarding and Proxy functionality. There have been few noteworthy changes after that point.

The latest PYSA campaign uses PowerShell scripts to uninstall/stop/disable antivirus and other essential services additional to installing ChaChi. PYSA ransomware operators can frustrate detection and prevention efforts by analysts and tools unfamiliar with the language using Golang.

Chachi demonstrated itself as a capable threat, and its use by PYSA ransomware operatives is a cause for concern, especially at a time when ransomware is experiencing alarming success through a string of high-profile attacks including campaigns conducted by REvil, Avaddon and DarkSide.

Researchers warned that organizations ignoring this threat do so at their own risk, especially in a year of one-after-another cyber security disasters.