Full Report
Cybersecurity researchers have flagged a new variant of malware called Chaos that's capable of hitting misconfigured cloud deployments, marking an expansion of the botnet's targeting beyond its traditional router and edge-device victims. "Chaos malware is increasingly targeting misconfigured cloud deployments, expanding beyond its traditional focus on routers and edge devices," Darktrace said in a new report.
Analysis Summary
# Tool/Technique: Chaos (New Variant)
## Overview
Chaos is a Go-based, cross-platform botnet malware that has evolved from the Kaiji DDoS malware. While traditionally focused on routers and edge devices (IoT), new research indicates a strategic shift toward targeting misconfigured cloud deployments, such as Hadoop and Docker. The latest variant has refactored its core code to include proxying capabilities, suggesting a move toward "Proxy-as-a-Service" monetization.
## Technical Details
- **Type:** Malware Family (Botnet)
- **Platform:** Linux (ELF binaries), Windows, and various architectures (ARM, Intel, MIPS)
- **Capabilities:** DDoS attacks, Cryptomining, SOCKS Proxying, Remote Shell Commands, and File Management.
- **First Seen:** Original variant documented in September 2022; New variant identified in April 2026.
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
- [T1190 - Exploit Public-Facing Application] (Targeting misconfigured Hadoop/Docker)
- **[TA0002 - Execution]**
- [T1059.004 - Command and Scripting Interpreter: Unix Shell]
- **[TA0005 - Defense Evasion]**
- [T1070.004 - Indicator Removal: File Deletion]
- **[TA0011 - Command and Control]**
- [T1090 - Proxy] (New SOCKS proxy feature)
- **[TA0040 - Impact]**
- [T1496 - Resource Hijacking] (Cryptomining)
- [T1498 - Network Denial of Service]
## Functionality
### Core Capabilities
- **DDoS Attacks:** Capable of launching multiple flood types, including HTTP, TLS, TCP, UDP, and WebSocket.
- **Remote Access:** Execution of remote shell commands and dropping additional malicious modules.
- **Persistence & Propagation:** Historically utilized SSH brute-forcing and router vulnerability exploitation (though some of these were removed in the newest variant to favor cloud targeting).
- **Resource Hijacking:** Integration of cryptocurrency miners to monetize infected host resources.
### Advanced Features
- **SOCKS Proxy:** A newly added feature allowing the compromised host to act as a pivot point for other traffic, hiding the attacker's origin.
- **Cloud-Specific Targeting:** Specialized modules or techniques for identifying and exploiting misconfigured cloud services (e.g., an unauthenticated Hadoop YARN ResourceManager API, through which an application can be submitted that runs attacker-supplied commands on cluster nodes).
- **Self-Deletion:** The malware automatically removes the initial binary artifact after execution to minimize forensic footprints.
## Indicators of Compromise
- **File Hashes:**
- *Note: Specific MD5/SHA hashes for the April 2026 variant were not listed in the summary text, but the binary is identified as a 64-bit ELF.*
- **File Names:** Common Chaos agent names (often randomized or mimicking system services).
- **Network Indicators:**
- pan.tenire[.]com (C2 and download server)
- **Behavioral Indicators:**
- Deployment of `chmod 777` on suspicious binaries in `/tmp` or application directories.
- Unexpected HTTP requests to the Hadoop YARN ResourceManager REST API (new-application and submission calls) or the Docker Engine API (container creation), particularly from sources outside the cluster network.
- High CPU usage (consistent with mining).
- A newly opened listening port on the host accepting inbound connections, followed by relayed outbound connections to arbitrary destinations on non-standard ports (consistent with SOCKS proxying).
## Associated Threat Actors
- **Silver Fox:** Linked via shared infrastructure (the domain `pan.tenire[.]com` was used in "Operation Silk Lure" to deliver ValleyRAT).
- **Origin Profile:** Suspected Chinese-origin due to Chinese language characters in code and the use of China-based infrastructure.
## Detection Methods
- **Signature-based:** Monitoring for 64-bit ELF binaries with Chaos/Kaiji code signatures.
- **Behavioral:**
- Detecting abnormal API calls to cloud management interfaces (e.g., Hadoop YARN).
- Monitoring for the "chmod 777; ./binary; rm binary" execution pattern.
- **Network Scanning:** Identifying unauthorized SOCKS proxy traffic exiting the environment.
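The three behavioral detections listed above (API submissions from untrusted sources, the `chmod 777; ./binary; rm binary` pattern, and SOCKS traffic arriving at a bot's listener) written out as working heuristics. This is an added example, not code from the Darktrace report or from the malware: the log lines, process events, dropped file name and IP addresses are constructed placeholders, the trusted network ranges are an assumption, and the YARN and Docker paths are the standard REST endpoints those services expose.

```python
"""Behavioral detections for the Chaos cloud-targeting activity described above.

Added example: not code from the Darktrace report or the malware. Log lines,
process events, the dropped file name and all IP addresses are constructed.
"""
import ipaddress
import re
import shlex
from typing import Optional

# Assumption: cluster-internal ranges from which YARN/Docker API calls are expected.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# YARN ResourceManager REST API: allocate an application id, then submit the app.
YARN_SUBMIT = re.compile(r'"(?:POST|PUT) /ws/v1/cluster/apps(?:/new-application)?(?:\?[^" ]*)? HTTP')
# Docker Engine API: create a container (normally followed by /start).
DOCKER_CREATE = re.compile(r'"POST /(?:v[\d.]+/)?containers/create(?:\?[^" ]*)? HTTP')

# Constructed access-log lines in common log format (first field is the client IP).
ACCESS_LOG = [
    '10.0.3.12 - - [14/Apr/2026:10:02:11 +0000] "GET /ws/v1/cluster/info HTTP/1.1" 200 512',
    '10.0.3.12 - - [14/Apr/2026:10:02:15 +0000] "POST /ws/v1/cluster/apps/new-application HTTP/1.1" 200 96',
    '203.0.113.7 - - [14/Apr/2026:10:05:40 +0000] "POST /ws/v1/cluster/apps/new-application HTTP/1.1" 200 96',
    '203.0.113.7 - - [14/Apr/2026:10:05:41 +0000] "POST /ws/v1/cluster/apps HTTP/1.1" 202 0',
    '198.51.100.9 - - [14/Apr/2026:10:07:02 +0000] "POST /v1.41/containers/create HTTP/1.1" 201 88',
]

# Constructed (epoch seconds, command line) trail, e.g. from auditd EXECVE records.
EXEC_EVENTS = [
    (1776160000, "chmod 777 /tmp/.x86_64"),
    (1776160001, "/tmp/.x86_64"),
    (1776160002, "rm -f /tmp/.x86_64"),
    (1776160900, "chmod 755 /opt/app/run.sh"),  # benign deploy: different mode, never deleted
    (1776160901, "/opt/app/run.sh"),
]


def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def flag_api_submissions(access_log_lines) -> list:
    """Return (client_ip, api) for application/container creation from untrusted sources."""
    hits = []
    for line in access_log_lines:
        client = line.split(" ", 1)[0]
        api = "yarn" if YARN_SUBMIT.search(line) else "docker" if DOCKER_CREATE.search(line) else None
        if api and not is_trusted(client):
            hits.append((client, api))
    return hits


def find_drop_exec_delete(events, window_s: int = 120) -> list:
    """Return paths that were chmod 777'd, executed, then removed within window_s.

    Paths are matched literally, so the trail must record the same path form
    (here absolute) in all three commands.
    """
    pending = {}  # path -> (chmod_ts, executed)
    hits = []
    for ts, cmdline in sorted(events):
        argv = shlex.split(cmdline)
        if not argv:
            continue
        if argv[0] == "chmod" and "777" in argv[1:]:
            for path in argv[1:]:
                if path != "777" and not path.startswith("-"):
                    pending[path] = (ts, False)
        elif argv[0] in pending:
            ts0, _ = pending[argv[0]]
            if ts - ts0 <= window_s:
                pending[argv[0]] = (ts0, True)
        elif argv[0] == "rm":
            for path in argv[1:]:
                if path in pending:
                    ts0, executed = pending.pop(path)
                    if executed and ts - ts0 <= window_s:
                        hits.append(path)
    return hits


def classify_socks5(payload: bytes) -> Optional[str]:
    """Classify the first bytes of a TCP payload as an RFC 1928 client greeting or
    request. On a bot acting as a proxy this is what arrives on its new listener;
    the relayed egress connections follow."""
    if len(payload) < 3 or payload[0] != 0x05:
        return None
    nmethods = payload[1]
    # Greeting: VER=5, NMETHODS, METHODS (0xFF is only valid in the server's reply).
    if nmethods >= 1 and len(payload) == 2 + nmethods and 0xFF not in payload[2:]:
        return "greeting"
    # Request: VER=5, CMD in {CONNECT, BIND, UDP ASSOCIATE}, RSV=0, ATYP in {IPv4, domain, IPv6}.
    if len(payload) >= 4 and payload[1] in (1, 2, 3) and payload[2] == 0 and payload[3] in (1, 3, 4):
        return "request"
    return None
```

`flag_api_submissions(ACCESS_LOG)` flags the two external YARN calls and the external Docker create while ignoring the internal host; `find_drop_exec_delete(EXEC_EVENTS)` returns only `/tmp/.x86_64`, not the benign `chmod 755` deploy; `classify_socks5` should be applied to the first payload of inbound connections on ports the host was not known to listen on.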
## Mitigation Strategies
- **Cloud Hardening:** Securely configure Hadoop, Docker, and Kubernetes APIs; ensure they are not exposed to the public internet without strict authentication.
- **Least Privilege:** Run Hadoop and Docker daemons and their workloads as unprivileged service accounts rather than root, and treat access to the Docker Engine API as root on the host; a compromised YARN container or Docker API client should not be able to write and execute binaries outside its working directory, mount host paths, or start privileged containers.
- **Vulnerability Management:** Regularly patch edge devices and routers to close the SSH brute-force and router-exploit propagation paths the botnet has historically used.
- **Egress Filtering:** Restrict outbound traffic from cloud workloads to known-good destinations to disrupt C2 communication.
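A configuration audit for the cloud-hardening and least-privilege items above, written as an added example (not the report's or any vendor's tool). It checks a Docker `daemon.json` and Hadoop `core-site.xml`/`yarn-site.xml` for the settings that let an unauthenticated remote caller create containers or submit YARN applications, with the weak and hardened form of each constructed inline; the file paths, hostname and addresses are placeholders. The Hadoop defaults table reflects the shipped `core-default.xml`/`yarn-default.xml` values.

```python
"""Audit Docker and Hadoop configuration for the exposure Chaos abuses.

Added example, not from the Darktrace report. All four config documents below
are constructed; paths, hostnames and addresses are placeholders.
"""
import json
import xml.etree.ElementTree as ET

# Docker: the weak form exposes the Engine API on all interfaces with no TLS client
# verification. Anyone who can reach :2375 can start a privileged container, so this
# is root on the host. The hardened form binds an internal address and requires
# client certificates.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.3.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})


def audit_docker(daemon_json: str) -> list:
    cfg = json.loads(daemon_json)
    findings = []
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue
        if not cfg.get("tlsverify"):
            findings.append(f"{host}: Engine API over TCP without tlsverify (root-equivalent to any client)")
        if host.startswith(("tcp://0.0.0.0", "tcp://[::]")):
            findings.append(f"{host}: bound to all interfaces")
    return findings


# Hadoop: with shipped defaults the web endpoints use "simple" authentication,
# anonymous requests are accepted and no ACLs gate submission, so a POST to the
# ResourceManager REST API from anywhere that can reach :8088 runs code on the cluster.
HADOOP_DEFAULTS = {
    "hadoop.security.authentication": "simple",
    "hadoop.http.authentication.type": "simple",
    "hadoop.http.authentication.simple.anonymous.allowed": "true",
    "yarn.acl.enable": "false",
    "yarn.resourcemanager.webapp.address": "0.0.0.0:8088",
}
WEAK_CORE_SITE = "<configuration></configuration>"  # nothing overridden
WEAK_YARN_SITE = "<configuration></configuration>"
HARDENED_CORE_SITE = """<configuration>
  <property><name>hadoop.security.authentication</name><value>kerberos</value></property>
  <property><name>hadoop.http.authentication.type</name><value>kerberos</value></property>
  <property><name>hadoop.http.authentication.simple.anonymous.allowed</name><value>false</value></property>
</configuration>"""
HARDENED_YARN_SITE = """<configuration>
  <property><name>yarn.acl.enable</name><value>true</value></property>
  <property><name>yarn.resourcemanager.webapp.address</name><value>rm.internal.example:8088</value></property>
</configuration>"""


def hadoop_props(*site_xmls) -> dict:
    """Merge Hadoop *-site.xml property lists over the shipped defaults."""
    props = dict(HADOOP_DEFAULTS)
    for xml in site_xmls:
        for prop in ET.fromstring(xml).iter("property"):
            props[prop.findtext("name").strip()] = (prop.findtext("value") or "").strip()
    return props


def audit_hadoop(core_site_xml: str, yarn_site_xml: str) -> list:
    p = hadoop_props(core_site_xml, yarn_site_xml)
    findings = []
    if p["hadoop.security.authentication"] == "simple":
        findings.append("hadoop.security.authentication=simple: callers are trusted on a self-asserted user.name")
    if (p["hadoop.http.authentication.type"] == "simple"
            and p["hadoop.http.authentication.simple.anonymous.allowed"] == "true"):
        findings.append("anonymous HTTP requests accepted by the ResourceManager web app and REST API")
    if p["yarn.acl.enable"] != "true":
        findings.append("yarn.acl.enable=false: no admin or queue ACLs on application submission")
    if p["yarn.resourcemanager.webapp.address"].startswith("0.0.0.0"):
        findings.append("ResourceManager REST API bound to all interfaces on " + p["yarn.resourcemanager.webapp.address"])
    return findings
```

Run against real hosts by feeding `/etc/docker/daemon.json` and the cluster's `core-site.xml`/`yarn-site.xml`; the weak documents above produce two Docker and four Hadoop findings, the hardened ones none. Kerberos alone is not sufficient if the anonymous-allowed flag stays true on an endpoint still using simple HTTP auth, which is why the audit checks both.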
## Related Tools/Techniques
- **Kaiji:** The parent malware from which Chaos was derived.
- **ValleyRAT:** Distributed by the same infrastructure (Silver Fox).
- **AISURU:** Another botnet recently observed adding proxy features.
- **Socks5 Proxying:** Used for concealing threat actor activity.