- A new variant of the Chaos malware is now targeting misconfigured cloud deployments, expanding its reach from routers and edge devices.
- The malware, an evolution of the Kaiji botnet, can mine cryptocurrency, launch DDoS attacks, and now includes a new SOCKS proxy feature to help hide attacker traffic.
- Cybersecurity firm Darktrace identified the attack, linking the command server domain to infrastructure previously used by the Chinese cybercrime group Silver Fox.
In April 2026, cybersecurity researchers from Darktrace discovered an evolved version of the Chaos malware actively exploiting misconfigurations in cloud deployments, according to a new report. First documented in 2022, this cross-platform malware can execute remote commands, propagate to other systems, and carry out crypto-mining and DDoS attacks.
Researchers assess the threat to be an evolution of the Kaiji DDoS malware, which is known for targeting Docker instances. The malware’s operators remain unknown, though the use of Chinese infrastructure suggests a possible origin.
Darktrace observed the attack on a deliberately misconfigured Hadoop honeypot last month. The intrusion began with an HTTP request that embedded shell commands to download and execute the Chaos binary from an attacker-controlled server.
An interesting connection emerged: the command domain was previously used by the Silver Fox group in Operation Silk Lure, a phishing campaign delivering ValleyRAT malware. This link provides context on the threat actor’s potential ecosystem and past activities.
The new variant is a restructured 64-bit ELF binary that removes the functions for spreading via SSH. At the same time, it introduces a significant new SOCKS proxy capability, allowing compromised systems to relay malicious traffic and better conceal the attack’s source.
Darktrace noted the removal suggests the threat actors have extensively refactored the code. The addition of the proxy feature indicates a shift to monetize the botnet beyond crypto-mining and DDoS-for-hire services.
“While Chaos is not a new malware, its continued evolution highlights the dedication of cybercriminals to expand their botnets and enhance the capabilities at their disposal,” the report concluded. This trend, seen also in botnets like AISURU, shows DDoS is no longer the sole risk posed by such networks.
