Chaos Botnet Evolves: New Variant Hits Misconfigured Cloud Servers With SOCKS5 Proxy
Original source: New Chaos Variant Targets Misconfigured Cloud Deployments, Adds SOCKS Proxy (The Hacker News)
A new variant of the Chaos botnet malware has expanded its targeting to include misconfigured Linux cloud servers, a shift from its earlier focus on routers and general-purpose hosts. First catalogued by Lumen Black Lotus Labs in 2022, Chaos is a cross-platform threat capable of SSH brute-forcing, cryptocurrency mining, DDoS attacks, and remote shell execution. The March 2026 variant adds a significant new capability: on receiving a StartProxy command from its C2 server, the malware opens an attacker-controlled TCP port and operates as a full SOCKS5 proxy.
The proxy functionality turns compromised cloud instances into anonymization nodes. Attackers can route credential-stuffing campaigns, reconnaissance traffic, and lateral movement through these hosts, inheriting whatever network trust relationships the victim server holds. That makes detection harder and blast radius wider, especially in cloud environments where internal traffic between services is often implicitly trusted.
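As an added defensive example (not code from the article, Darktrace, or Lumen), the following heuristic flags network flows whose first client bytes form an RFC 1928 SOCKS5 greeting aimed at a port outside an allow-list of sanctioned proxies, which is how a compromised host that has started proxying would surface in flow data. The sample flows and the allow-listed port 1080 are constructed assumptions.

```python
from dataclasses import dataclass

SOCKS5_VERSION = 0x05
# Assumption: the only sanctioned SOCKS proxy in this environment listens on 1080.
SANCTIONED_PROXY_PORTS = {1080}


@dataclass
class Flow:
    src: str
    dst: str
    dst_port: int
    client_first_bytes: bytes  # first payload bytes the client sent


def is_socks5_greeting(data: bytes) -> bool:
    """True if data begins with a well-formed RFC 1928 client greeting:
    VER=0x05, NMETHODS>=1, followed by at least NMETHODS method bytes,
    none of which is 0xFF (that value is only ever sent by the server)."""
    if len(data) < 3 or data[0] != SOCKS5_VERSION:
        return False
    nmethods = data[1]
    if nmethods == 0 or len(data) < 2 + nmethods:
        return False
    return all(m != 0xFF for m in data[2:2 + nmethods])


def flag_unsanctioned_socks5(flows: list[Flow]) -> list[Flow]:
    """Flows that look like SOCKS5 handshakes to a port not on the allow-list.
    A host that has been told to start proxying shows up as such a handshake
    on an otherwise unexplained listening port."""
    return [f for f in flows
            if is_socks5_greeting(f.client_first_bytes)
            and f.dst_port not in SANCTIONED_PROXY_PORTS]


# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "10.0.0.20", 1080, b"\x05\x01\x00"),          # sanctioned proxy
    Flow("198.51.100.7", "10.0.0.31", 41237, b"\x05\x02\x00\x02"),  # SOCKS5 on a random high port
    Flow("10.0.0.8", "10.0.0.31", 443, b"\x16\x03\x01\x02\x00"),    # TLS ClientHello, not SOCKS
    Flow("10.0.0.9", "10.0.0.31", 8080, b"\x05\x00"),               # VER ok but NMETHODS=0: malformed
]

if __name__ == "__main__":
    for f in flag_unsanctioned_socks5(SAMPLE_FLOWS):
        print(f"ALERT: possible SOCKS5 proxy on {f.dst}:{f.dst_port} (client {f.src})")
```

The greeting is only a few bytes long, so treat a match as a lead to correlate with newly opened listening sockets or unexpected processes on the host rather than as proof on its own.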
Darktrace’s malware research team discovered the variant through CloudyPots, a global honeypot network designed to capture attacker behavior across cloud platforms. The specific trap was a deliberately misconfigured Apache Hadoop instance exposed in a way that allowed remote code execution, a configuration mistake common enough in real deployments to make this a credible and scalable attack vector.
This is an AI-generated summary. Read the original for the full story.