{"id":232406,"date":"2026-04-08T05:34:00","date_gmt":"2026-04-08T09:34:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/04\/08\/chaos-malware-expands-from-routers-to-linux-cloud-servers\/"},"modified":"2026-04-08T06:00:24","modified_gmt":"2026-04-08T10:00:24","slug":"chaos-malware-expands-from-routers-to-linux-cloud-servers","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/04\/08\/chaos-malware-expands-from-routers-to-linux-cloud-servers\/","title":{"rendered":"Chaos malware expands from routers to Linux cloud servers"},"content":{"rendered":"<p><a href=\"https:\/\/www.helpnetsecurity.com\/2026\/04\/08\/chaos-malware-cloud-misconfigured-servers\/\">Chaos malware expands from routers to Linux cloud servers<\/a><\/p>\n<p><a href=\"https:\/\/www.helpnetsecurity.com\/2026\/04\/08\/chaos-malware-cloud-misconfigured-servers\/\">https:\/\/www.helpnetsecurity.com\/2026\/04\/08\/chaos-malware-cloud-misconfigured-servers\/<\/a><\/p>\n<p>Publish Date: 2026-04-08 05:34:00<\/p>\n<p>Source Domain: <a href=\"www.helpnetsecurity.com\">www.helpnetsecurity.com<\/a><\/p>\n<p>Chaos, Go-based malware first documented by Lumen\u2019s Black Lotus Labs, has historically targeted routers and edge devices. A new variant observed in March 2026 shows the malware operating against misconfigured Linux cloud servers, a category of infrastructure the botnet had not previously prioritized.<\/p>\n<p>Darktrace\u2019s malware research team documented the compromise through its CloudyPots program, a global honeypot network the company runs to capture attacker behavior across a range of services and cloud platforms. One honeypot in that network runs Apache Hadoop, an open-source distributed data processing framework, deliberately misconfigured to allow remote code execution. 
That misconfiguration gave attackers a foothold and gave researchers a documented look at the updated malware.<\/p>\n<h3>How the attack unfolded<\/h3>\n<p>The intrusion began with an HTTP request to the Hadoop deployment\u2019s resource manager endpoint. The request defined a new application and embedded a sequence of shell commands. Those commands pulled a Chaos agent binary from an attacker-controlled server, set permissions, executed the binary, then deleted it from disk. The deletion step limits forensic recovery after execution.<\/p>\n<p class=\"text-center\">The initial infection being delivered to the unsecured endpoint (Source: Darktrace)<\/p>\n<p>The binary was served from pan[.]tenire[.]com, a domain previously linked to Operation Silk Lure, a separate campaign that distributed the ValleyRAT remote access trojan through malicious job application attachments. That campaign also contained extensive Chinese-language strings throughout its stages.<\/p>\n<h3>What changed in the malware<\/h3>\n<p>The new sample is a 64-bit ELF binary compiled for x86-64 Linux. This marks a departure from earlier Chaos variants, which targeted ARM, MIPS, and PowerPC architectures common in consumer routers. 
The internal namespace was restructured and several functions were rewritten or removed, including the SSH brute-forcing spreader and certain vulnerability exploitation&#8230;<\/p>\n<p><a href=\"https:\/\/www.helpnetsecurity.com\/2026\/04\/08\/chaos-malware-cloud-misconfigured-servers\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Chaos malware expands from routers to Linux cloud servers https:\/\/www.helpnetsecurity.com\/2026\/04\/08\/chaos-malware-cloud-misconfigured-servers\/ Publish Date: 2026-04-08 05:34:00 Source&#8230;<\/p>\n","protected":false},"author":1,"featured_media":232407,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/img.helpnetsecurity.com\/wp-content\/uploads\/2026\/04\/08112218\/chaos_malware-1500.webp","fifu_image_alt":"","footnotes":""},"categories":[48],"tags":[71,32,27],"class_list":["post-232406","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-linux","tag-linux","tag-malware","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/232406"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=232406"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/232406\/revisions"}],"predecessor-version":[{"id":232408,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/232406\/revisions\/232408"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/232407"}],"wp:attachment":[{"href":"https
:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=232406"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=232406"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=232406"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}