Back to Intelligence

Chaos Malware Variant: Cloud Misconfiguration Exploitation and SOCKS Proxy Defense

SA
Security Arsenal Team
April 8, 2026
7 min read

Introduction

A significant evolution in the Chaos malware ecosystem has been identified, marking a dangerous shift in targeting priorities. According to a new report by Darktrace, a new variant of this Go-based malware is actively targeting misconfigured cloud deployments, expanding beyond its traditional focus on routers and edge devices. This update introduces SOCKS proxy functionality, transforming infected cloud instances into pivot points for attackers and complicating attribution efforts.

For defenders, this is a critical escalation. The infection vector is no longer just vulnerable edge hardware; it is now the sprawling, often poorly monitored surface of cloud infrastructure. The addition of proxy capabilities means that a compromised Virtual Machine (VM) is no longer just a zombie in a botnet—it is a tunnel into your network. Immediate action is required to audit cloud exposure and detect the specific behaviors associated with this variant.

Technical Analysis

Affected Products & Platforms: While Chaos is a multi-platform botnet written in Go (Golang), this specific variant primarily targets Linux-based cloud VMs and containers across AWS, Azure, and GCP. The malware targets infrastructure exposed via misconfigurations rather than a specific software vulnerability (CVE), though it exploits the resulting exposure of services like SSH, Redis, or Docker daemons.

Attack Chain & Mechanism:

  1. Initial Access: The malware does not exploit a zero-day. It scans for and brute-forces or exploits services exposed to the public internet due to security group misconfigurations (e.g., SSH on port 22 open to 0.0.0.0/0, or database ports exposed).
  2. Execution: Upon gaining access, the threat actor deploys the Chaos binary, often named to blend in with system processes or hidden within temporary directories (/tmp, /dev/shm).
  3. Proxy Establishment (New Capability): The new variant spins up a SOCKS proxy server on the infected host. This allows the attacker to route traffic through the compromised cloud instance, masking their true origin IP and bypassing network security controls that block external threat IPs but trust internal cloud traffic.
  4. C2 & DDoS: The malware connects to Command and Control (C2) infrastructure to await instructions, typically for DDoS attacks or further proxy utilization.

Exploitation Status: Active exploitation has been confirmed in the wild by Darktrace. The targeting of cloud infrastructure indicates that automated reconnaissance is actively identifying weak cloud security postures.

Detection & Response

The following detection rules and hunts are designed to identify the behavioral fingerprints of the new Chaos variant, specifically focusing on the Linux cloud environment and the new SOCKS proxy capability.

YAML
---
title: Potential Chaos Linux Malware Execution from World-Writable Directory
id: 9e2c1d4f-8a3b-4c5d-9e6f-1a2b3c4d5e6f
status: experimental
description: Detects execution of Go binaries often associated with Chaos botnet from world-writable directories like /tmp or /dev/shm, a common tactic for cloud malware persistence.
references:
  - https://attack.mitre.org/techniques/T1059/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.execution
  - attack.t1059.004
logsource:
  category: process_creation
  product: linux
detection:
  selection_img:
    Image|endswith:
      - '/chaos'
      - '/systemd-network'
      - '/kworker'
  selection_path:
    Image|contains:
      - '/tmp/'
      - '/dev/shm/'
      - '/var/tmp/'
  selection_go:
    Image|contains: 'go-build'
  condition: 1 of selection_*
falsepositives:
  - Legitimate developer testing or build processes in /tmp
level: high
---
title: Linux Process Hosting SOCKS Proxy (Chaos Variant Behavior)
id: b4f3e2d1-5c6a-4b8f-9e1a-2b3c4d5e6f7a
status: experimental
description: Detects processes establishing listening sockets on high ports that exhibit behavior consistent with a SOCKS proxy, indicative of the new Chaos C2 capability.
references:
  - https://attack.mitre.org/techniques/T1090/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.command_and_control
  - attack.t1090.004
logsource:
  category: network_connection
  product: linux
detection:
  selection:
    EventType: 'listen'
    DestinationPort|range:
      - 1080
      - 10800-11000
    Image|contains:
      - '/tmp/'
      - '/dev/shm/'
  condition: selection
falsepositives:
  - Legitimate proxy servers (Squid, etc.) installed in /tmp (unlikely)
level: critical

KQL (Microsoft Sentinel / Defender)

This hunt query identifies Linux processes initiating network connections immediately after creation from suspicious directories, a strong indicator of malware beaconing or proxy activation.

KQL — Microsoft Sentinel / Defender
// Hunt for Linux processes creating network connections from suspicious directories
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FolderPath contains "/tmp/" or FolderPath contains "/dev/shm/" or FolderPath contains "/var/tmp/"
| extend ProcessName = tostring(split(FolderPath, "/")[-1])
| join kind=inner (
    DeviceNetworkEvents
    | where Timestamp > ago(7d)
    | where ActionType == "ConnectionAccepted" or ActionType == "ConnectionInitiated"
    | summarize ConnCount=count(), RemoteIPs=make_set(RemoteIP) by DeviceId, InitiatingProcessFileName, InitiatingProcessId
) on $left.DeviceId == $right.DeviceId, $left.FileName == $right.InitiatingProcessFileName
| where ConnCount > 5
| project DeviceName, InitiatingProcessFileName, FolderPath, ConnCount, RemoteIPs, Timestamp

Velociraptor VQL

This artifact hunts for unsigned binaries running from hidden or temporary directories that have active network connections, a key signature of the Chaos botnet.

VQL — Velociraptor
-- Hunt for processes in /tmp or /dev/shm with active network connections
SELECT Pid, Name, Exe, Username, Cmdline,
       dict(NetworkConnections) as Conns
FROM pslist()
WHERE Exe =~ '/tmp/' OR Exe =~ '/dev/shm/'
  AND Conns

Remediation Script (Bash)

Use this script on potentially compromised Linux cloud instances to identify and neutralize common Chaos malware processes and artifacts.

Bash / Shell
#!/bin/bash
# Remediation script for Chaos Malware Variant
# Requires root privileges

echo "[*] Hunting for Chaos Malware Artifacts..."

# 1. Find processes running from /tmp or /dev/shm (excluding known safe shells)
echo "[*] Checking for processes executing from /tmp or /dev/shm..."
suspicious_pids=$(ps aux | awk -F' ' '{print $2}' | xargs -I {} readlink -f /proc/{}/exe 2>/dev/null | grep -E '(^/tmp/|^/dev/shm/)' | awk -F' ' '{print $1}')

if [ ! -z "$suspicious_pids" ]; then
  echo "[!] Found suspicious processes. Killing..."
  for pid in $(echo "$suspicious_pids" | cut -d'/' -f3); do
    kill -9 $pid 2>/dev/null
    echo "Killed PID: $pid"
  done
else
  echo "[+] No suspicious processes found in temp directories."
fi

# 2. Remove common Chaos binary artifacts
echo "[*] Removing known suspicious binaries..."
find /tmp /dev/shm /var/tmp -type f -name "chaos" -exec rm -f {} \;
find /tmp /dev/shm /var/tmp -type f -name "systemd-network" -exec rm -f {} \;
find /tmp /dev/shm /var/tmp -type f -name "kworker" -exec rm -f {} \;
find /tmp /dev/shm /var/tmp -type f -name "*.sh" -exec rm -f {} \;

# 3. Check for established SOCKS proxy connections (high port listeners)
echo "[*] Checking for non-standard listening sockets..."
netstat -tulpn | grep LISTEN | awk '{print $4, $7}' | grep -E ':(1080|9050|1080[0-9])'

echo "[*] Remediation complete. Please review Security Groups and IAM policies."

Remediation

To secure your environment against this variant of Chaos, immediate remediation steps must be taken:

  1. Audit Cloud Security Groups: Immediate review of Security Groups (AWS), Network Security Groups (Azure), and Firewall Rules (GCP). Block all inbound traffic on ports 22 (SSH), 23 (Telnet), 3389 (RDP), and database ports (3306, 5432, 6379) from the internet (0.0.0.0/0). Use Bastion Hosts or VPN access for management.
  2. Enforce Immutable Infrastructure: Ensure your cloud images are hardened. Do not allow persistent storage in /tmp or /dev/shm to execute binaries. Implement noexec flags on these file systems where possible.
  3. Network Segmentation: Isolate cloud workloads. Ensure that a compromised web server cannot communicate directly with the database layer or pivot to other subnets without strict firewall inspection.
  4. Credential Rotation: If misconfigurations allowed brute-force access, assume credentials are compromised. Rotate all SSH keys and API keys associated with the affected deployments.
  5. Implementation of Detection: Deploy the Sigma rules and KQL queries provided above into your SIEM to alert on real-time proxy creation and execution from temporary directories.

Related Resources

Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub End the code block

socthreat-intelmanaged-socchaos-malwarecloud-securitysocks-proxythreat-huntinglinux-malware

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action