Chaos Malware Variant Targets Misconfigured Linux Cloud Servers

Severity: High (Score: 70.5)

Sources: Darktrace, Feeds2.Feedburner

Summary

A new variant of Chaos malware, originally targeting routers, has been observed exploiting misconfigured Linux cloud servers. This development was documented by Darktrace's CloudyPots program, which captures attacker behavior in real time. The malware, suspected to be of Chinese origin, utilizes SSH brute-forcing and known CVEs to gain access. The attack vector involves creating a new application on the Hadoop deployment, allowing remote code execution. The malware has evolved, with significant changes in its code structure compared to earlier versions. The domain pan.tenire[.]com, linked to previous campaigns, was also involved in this attack. This shift in targeting marks a significant expansion of Chaos malware's operational scope. The attack was first identified in March 2026, indicating a growing threat landscape for cloud infrastructure.

Key Points:

  • Chaos malware has expanded from routers to misconfigured Linux cloud servers.
  • The malware exploits SSH brute-forcing and known CVEs for access.
  • Darktrace's CloudyPots program documented the attack in March 2026.

Key Entities

  • Botnet (attack_type)
  • DDoS (attack_type)
  • Malware (attack_type)
  • Operation Silk Lure (campaign)
  • Luxembourg (country)
  • Chaos (ransomware_group)
  • Kaiji Botnet (malware)
  • ValleyRat (malware)
  • T1059 - Command and Scripting Interpreter (mitre_attack)
  • T1071 - Application Layer Protocol (mitre_attack)
  • T1110 - Brute Force (mitre_attack)
  • Hadoop (platform)
  • Linux (platform)
  • ae457fc5e07195509f074fe45a6521e7fd9e4cd3cd43e42d10b0222b34f2de7a (sha256)
  • CloudyPots (tool)