According to Darktrace, Chaos malware is a Go-based threat that has historically targeted routers and spreads via SSH brute-forcing and known router CVEs, with its latest variant expanding to exploit misconfigurations in Linux cloud-server deployments. The researchers note that Chaos is evolving, now including a SOCKS proxy capability that allows the attacker to route traffic through the compromised server and pivot into internal networks.
Darktrace operates a global honeypot network called "CloudyPots" to observe adversary behaviour in real time, and in observations from March 2026 a Hadoop instance in the honeypots was misconfigured to allow remote code execution, enabling further Chaos activity. The analysis also highlights that the Chaos sample observed is a 64-bit ELF binary with an updated structure and persistence mechanisms, including systemd-based persistence and a keep-alive script.
First identified by Lumen’s Black Lotus Labs, Chaos is believed to be of Chinese origin based on Chinese-language indicators in the sample, and it may be an evolution of the Kaiji botnet. The post, dated 7 April 2026, emphasises patching cloud CVEs and hardening configurations to limit cloud exposure as these botnets broaden their reach.