The threat landscape has shifted again. Security researchers at Darktrace have identified a significant evolution in the "Chaos" malware ecosystem. Historically targeting edge routers and IoT devices, this Go-based botnet has pivoted its focus toward misconfigured cloud deployments. This variant introduces a SOCKS proxy module, allowing attackers to turn compromised cloud instances into traffic-relaying nodes. This is not just a nuisance; it is a fundamental shift in attack infrastructure (C2) strategy. For defenders, this means that a single misconfigured storage bucket or security group rule can now result in your infrastructure hosting malicious proxy traffic, aiding in criminal anonymization and lateral movement.
Technical Analysis
Affected Platforms:
- Linux-based Cloud Instances (AWS, Azure, GCP, Alibaba Cloud)
- The malware is cross-platform (compiled for x86, ARM, MIPS, etc.), but this specific campaign focuses on Linux cloud workloads.
The Vector:
- Misconfiguration: The primary infection vector relies on exposed services (e.g., open Redis, Hadoop, or Docker APIs) and weak authentication on cloud instances. Chaos scans for these open doors to gain initial access.
- SOCKS Proxy Implementation: The new variant integrates a SOCKS5 proxy functionality. Upon infection, the malware opens a high-numbered port, proxying traffic from the attacker's command and control (C2) server through the victim's cloud IP address.
Attack Chain:
- Reconnaissance: Scanner identifies exposed cloud services or weak SSH credentials.
- Exploitation: Bruteforce or vulnerability exploitation gains a shell.
- Execution: A compiled Go binary (often named
chaos,kaiten, or mimicking system processes likedbus-daemon) is downloaded to/tmp,/dev/shm, or/var/tmp. - C2 & Proxy: The binary connects to the C2 server and listens on a random high port for SOCKS proxy requests.
Exploitation Status:
- Active Exploitation: Darktrace confirms active targeting of cloud environments.
- CVE: There is no specific CVE for the malware itself; the entry point is operational security failure (misconfiguration).
Detection & Response
Given the active nature of this threat and its focus on Linux endpoints, the following detection logic is provided to hunt for Chaos botnet activity and the associated SOCKS proxy behavior.
Sigma Rules
---
title: Chaos Botnet - Linux Binary Execution from Temp Directories
id: a1b2c3d4-5678-90ab-cdef-1234567890ab
status: experimental
description: Detects execution of binaries from common temporary directories, a tactic heavily used by Chaos malware to evade persistence mechanisms and detection.
references:
- https://thehackernews.com/2026/04/new-chaos-variant-targets-misconfigured.html
author: Security Arsenal
date: 2026/04/06
tags:
- attack.execution
- attack.t1059.004
logsource:
category: process_creation
product: linux
detection:
selection:
Image|contains:
- '/tmp/'
- '/dev/shm/'
- '/var/tmp/'
filter_legit:
Image|contains:
- '/bin/'
- '/usr/bin/'
- '/sbin/'
condition: selection and not filter_legit
falsepositives:
- Legitimate developer tools installing packages to temp
level: high
---
title: Linux SOCKS Proxy - Non-Standard Process Listening on High Port
id: b2c3d4e5-6789-01ab-cdef-234567890bcd
status: experimental
description: Detects processes with names commonly associated with Chaos or Kaiten malware listening on non-standard high ports, indicative of SOCKS proxying activity.
references:
- https://thehackernews.com/2026/04/new-chaos-variant-targets-misconfigured.html
author: Security Arsenal
date: 2026/04/06
tags:
- attack.command_and_control
- attack.t1071.001
logsource:
category: network_connection
product: linux
detection:
selection_img:
Image|endswith:
- 'chaos'
- 'kaiten'
- '.sh'
selection_port:
DestinationPort|range: 10000-65535
condition: all of selection_*
falsepositives:
- Legitimate custom applications using high ports
level: high
KQL (Microsoft Sentinel / Defender)
This hunt query identifies Linux processes creating network connections, specifically focusing on binaries executed from temporary directories opening high ports (classic Chaos SOCKS behavior).
DeviceProcessEvents
| where Timestamp > ago(7d)
| where DeviceOSType == "Linux"
| where FolderPath has_any ("/tmp", "/dev/shm", "/var/tmp")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessFolderPath, SHA256
| join kind=inner (
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemotePort >= 1024
| project Timestamp, DeviceId, RemoteUrl, RemotePort, LocalPort
) on DeviceId, $left.Timestamp >= $right.Timestamp - 1m, $left.Timestamp <= $right.Timestamp + 1m
| summarize Count=count() by DeviceName, ProcessCommandLine, RemotePort, SHA256
| where Count > 5
| order by Count desc
Velociraptor VQL
This VQL artifact hunts for the specific characteristics of the Chaos variant: processes running from writeable temp directories and active network listeners that could be SOCKS proxies.
-- Hunt for Chaos Botnet Indicators
SELECT
Pid,
Name,
Exe,
Username,
Ctime,
CommandLine
FROM pslist()
WHERE Exe =~ '/tmp/'
OR Exe =~ '/dev/shm/'
OR Exe =~ '/var/tmp/'
-- Correlate with listening sockets (SOCKS Proxy detection)
SELECT
P.Pid,
P.Name,
P.Exe,
L.Address,
L.Port,
L.State
FROM pslist() AS P
LEFT JOIN listen_sockets() AS L ON P.Pid = L.Pid
WHERE L.Port >= 10000
AND (P.Name =~ 'chaos'
OR P.Name =~ 'kaiten'
OR P.Exe =~ '/tmp/')
Remediation Script (Bash)
Run this script on potentially compromised Linux cloud instances to identify and kill active Chaos processes and clean up the droppers.
#!/bin/bash
echo "[*] Starting Chaos Malware Remediation Script"
echo "[+] Hunting for suspicious processes in /tmp, /dev/shm, /var/tmp"
PIDS=$(pgrep -f "\-\-update\-server" || true)
if [ -n "$PIDS" ]; then
echo "[!] Found potential Chaos processes: $PIDS"
kill -9 $PIDS
echo "[+] Processes terminated."
else
echo "[-] No common Chaos processes found running."
fi
echo "[+] Scanning for known Chaos/Kaiten binary locations..."
find /tmp -type f -name "chaos" -exec rm -f {} \;
find /dev/shm -type f -name "chaos" -exec rm -f {} \;
find /var/tmp -type f -name "chaos" -exec rm -f {} \;
find /tmp -type f -name ".kaiten" -exec rm -f {} \;
find /dev/shm -type f -name ".kaiten" -exec rm -f {} \;
echo "[+] Checking for persistence in cron..."
crontab -l | grep -v "chaos" | grep -v "kaiten" | crontab -
echo "[+] Checking systemd services for suspicious entries..."
systemctl list-units --type=service --state=running | grep -E "chaos|kaiten"
echo "[*] Remediation complete. Please review SSH access logs and rotate credentials."
Remediation
- Isolate Compromised Instances: Immediately isolate affected instances from the network. Terminate the instance if it is not critical for business operations to ensure the malware is fully purged.
- Cloud Configuration Audit: Review Security Groups and Firewalls. Ensure that management ports (SSH/22, Redis/6379, Docker/2375) are not exposed to the internet (0.0.0.0/0). Use VPNs or Bastion hosts for access.
- Credential Rotation: Assume the attacker has exfiltrated credentials. Rotate all SSH keys, API keys, and database passwords stored on the compromised instance.
- Patch & Harden: Ensure the OS is up to date. Remove unnecessary services. Disable password-based authentication for SSH and enforce key-based authentication.
- Network Monitoring: Implement egress filtering to prevent instances from acting as proxies. Block traffic to non-standard high ports unless specifically required by the application.
Related Resources
Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.