Routers were supposed to be the problem. For years, the Chaos botnet built its footprint across consumer and enterprise networking hardware, grinding through ARM and MIPS devices the way most botnets do. Then March 2026 arrived, and researchers watching a deliberately vulnerable Apache Hadoop server saw something different show up at the door.
Darktrace captured the new variant through CloudyPots, the company’s global honeypot network. One of those honeypots runs Hadoop with its resource manager endpoint intentionally left open to remote code execution. That specific misconfiguration, where the resource manager accepts unauthenticated application submissions from the internet, is a known risk that real organizations have left exposed in production environments. The honeypot exists precisely because attackers find it.
The intrusion followed a sequence that moved quickly. An HTTP request arrived at the resource manager, defined a new application, embedded shell commands, and pulled a Chaos binary from an external server. The binary ran. Then it deleted itself from disk. That last step is not accidental. Removing the file after execution leaves investigators with process artifacts and network logs rather than the binary itself, which complicates analysis significantly.
The sample is a 64-bit ELF binary built for x86-64 Linux, which is a different architecture entirely from the ARM and MIPS targets that defined earlier Chaos variants. The internal structure changed too, with several functions rewritten and others removed, including the SSH brute-forcing routines inherited from Kaiji, the botnet Chaos appears to have grown out of.
What remained is what matters operationally: persistence through systemd, a keep-alive script, and DDoS capability across HTTP, TLS, TCP, UDP, and WebSocket. What arrived new is a SOCKS5 proxy function. When the control server sends a StartProxy command, the malware starts listening on an attacker-specified port and routes traffic through the compromised machine. Attacks that originate from the attacker appear to come from the victim’s connection instead, and internal networks reachable from the compromised host become reachable to the attacker too.
Nathaniel Bill at Darktrace noted that another botnet, Aisuru, had already started selling proxy access as a revenue stream. Chaos adding the same capability suggests operators across the botnet economy are treating proxy services as a parallel business alongside DDoS-for-hire, not a bonus feature.
The delivery infrastructure connected to a domain previously linked to ValleyRAT distribution, and Chinese-language strings run throughout the binary.
