{"id":543,"date":"2026-04-08T19:34:43","date_gmt":"2026-04-08T19:34:43","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=543"},"modified":"2026-04-08T19:34:43","modified_gmt":"2026-04-08T19:34:43","slug":"new-chaos-variant-targets-misconfigured-cloud-deployments-adds-socks-proxy","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=543","title":{"rendered":"New Chaos Variant Targets Misconfigured Cloud Deployments, Adds SOCKS Proxy"},"content":{"rendered":"<div>\n<p><span class=\"p-author\"><span class=\"author\">Ravie Lakshmanan<\/span><span class=\"author\">Apr 08, 2026<\/span><\/span><span class=\"p-tags\">Cryptomining \/ Network Security<\/span><\/p>\n<\/div>\n<div id=\"articlebody\">\n<p>Cybersecurity researchers have flagged a new variant of malware called <strong>Chaos<\/strong> that&#8217;s capable of hitting misconfigured cloud deployments, marking an expansion of the botnet&#8217;s targeting infrastructure.<\/p>\n<p>\u00abChaos malware is increasingly targeting misconfigured cloud deployments, expanding beyond its traditional focus on routers and edge devices,\u00bb\u00a0Darktrace <a href=\"https:\/\/www.darktrace.com\/blog\/darktrace-identifies-new-chaos-malware-variant-exploiting-misconfigurations-in-the-cloud\">said<\/a> in a new\u00a0report.<\/p>\n<p>Chaos\u00a0was first documented by Lumen Black Lotus Labs in September 2022, describing it as a cross-platform malware capable of targeting Windows and
Linux environments to run remote shell commands, drop additional modules, propagate to other hosts by brute-forcing SSH keys, mine cryptocurrency, and launch distributed denial-of-service (DDoS) attacks via HTTP, TLS, TCP, UDP, and WebSocket.<\/p>\n<p>The\u00a0malware is\u00a0assessed to be an evolution of another DDoS malware known\u00a0as Kaiji\u00a0that\u00a0has singled\u00a0out misconfigured Docker instances. It&#8217;s\u00a0currently not\u00a0known who is behind the operation, but the presence of\u00a0Chinese language characters and the use of China-based infrastructure\u00a0suggest\u00a0that the threat actor could be of Chinese\u00a0origin.<\/p>\n<p>Darktrace said it identified the new variant last month targeting its honeypot network, specifically a deliberately misconfigured Hadoop instance that enables remote code execution on the service. 
In\u00a0the attack spotted by the cybersecurity company, the intrusion commenced with an HTTP request to the Hadoop deployment to create a new application.<\/p>\n<p>The application, for its part, embedded a sequence of shell commands to retrieve a Chaos agent binary from an attacker-controlled server (\u00abpan.tenire[.]com\u00bb), set permissions to allow all users to read, modify, or run it (\u00abchmod 777\u00bb), and then actually execute the binary and delete the artifact from disk to minimize the forensic\u00a0trail.<\/p>\n<p>An\u00a0interesting aspect of the attack is that the domain was previously put to\u00a0use\u00a0in connection\u00a0with an email phishing campaign carried out by the Chinese cybercrime group Silver Fox to deliver decoy documents and ValleyRAT\u00a0malware. The\u00a0campaign was\u00a0codenamed <a href=\"https:\/\/thehackernews.com\/2025\/10\/silver-fox-expands-winos-40-attacks-to.html#operation-silk-lure-targets-china-with-valleyrat\">Operation Silk\u00a0Lure<\/a> by Seqrite Labs in October\u00a02025.<\/p>\n<p>The\u00a064-bit ELF binary is a restructured and updated version of Chaos that reworks\u00a0several of\u00a0its\u00a0functions, while keeping most of its core feature set\u00a0intact. 
One\u00a0of the more significant changes, however, concerns the removal of functions that enabled it to spread via SSH and exploit router vulnerabilities.<\/p>\n<p>Taking\u00a0their place is a new SOCKS proxy feature that allows the compromised system\u00a0to be used for\u00a0ferrying traffic, thereby concealing the true origins of malicious activity and making it harder for defenders to detect and block the\u00a0attack.<\/p>\n<p>\u00abIn addition, several functions\u00a0that were previously\u00a0believed\u00a0to be\u00a0inherited from Kaiji have\u00a0also been\u00a0changed, suggesting that the threat actors have either rewritten the malware or refactored it extensively,\u00bb Darktrace\u00a0added.<\/p>\n<p>The\u00a0addition of the proxy feature is likely a sign that threat actors behind the malware\u00a0are looking to further monetize the botnet beyond cryptocurrency mining\u00a0and DDoS-for-hire, and\u00a0keep up\u00a0with their competitors in the cybercrime market by offering a diverse slate of illicit\u00a0services.<\/p>\n<p>\u00abWhile Chaos is not a new malware, its continued evolution highlights the dedication of cybercriminals to expand their botnets and enhance the capabilities at their disposal,\u00bb Darktrace concluded. 
\u00abThe recent shift in botnets such\u00a0as AISURU and Chaos to include proxy services as core features demonstrates that denial-of-service is no longer the only risk these botnets pose to organizations and their security\u00a0teams.\u00bb<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Ravie Lakshmanan, Apr 08, 2026. Cryptomining \/ Network Security. Cybersecurity researchers have flagged a new variant of malware called Chaos that&#8217;s capable of hitting misconfigured cloud deployments, marking an expansion of the botnet&#8217;s targeting infrastructure. \u00abChaos malware is&hellip;<\/p>\n","protected":false},"author":1,"featured_media":544,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[200,1128,329,1130,1129,354,1131,78,664],"class_list":["post-543","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-adds","tag-chaos","tag-cloud","tag-deployments","tag-misconfigured","tag-proxy","tag-socks","tag-targets","tag-variant"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/543","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=543"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/543\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/544"}],"wp:attachment":[{"href":"https:\/\/thedigita
lfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=543"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=543"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=543"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}