Chaos Malware Variant Targets Misconfigured Linux Cloud Servers

Chaos Malware Variant Targets Misconfigured Linux Cloud Servers

First seen 8 Apr 2026, 11:03 UTC DarktraceFeeds2.FeedburnerScworld 83% similarity 70.5

Article Content

Browse articles
ThreatCluster

A new variant of Chaos malware, originally targeting routers, has been observed exploiting misconfigured Linux cloud servers. This development was documented by Darktrace's CloudyPots program, which captures attacker behavior in real-time. The malware, suspected to be of Chinese origin, utilizes SSH brute-forcing and known CVEs to gain access. The attack vector involves creating a new application on the Hadoop deployment, allowing remote code execution. The malware has evolved, with significant changes in its code structure compared to earlier versions. The domain pan.tenire[.]com, linked to previous campaigns, was also involved in this attack. This shift in targeting marks a significant expansion of Chaos malware's operational scope. The attack was first identified in March 2026, indicating a growing threat landscape for cloud infrastructure.

Key Points: • Chaos malware has expanded from routers to misconfigured Linux cloud servers. • The malware exploits SSH brute-forcing and known CVEs for access. • Darktrace's CloudyPots program documented the attack in March 2026.

ThreatCluster AI

Timeline

2026-03-01
First detection of new Chaos malware variant targeting Linux servers
2026-04-07
Darktrace publishes findings on Chaos malware's new tactics
2026-04-08
Second article published detailing Chaos malware's expansion

Community

Browse all →