Darktrace reported a new Chaos malware variant compromising misconfigured Linux cloud servers after observing an intrusion through its CloudyPots honeypot network. In the incident, attackers abused an exposed Apache Hadoop application-creation or resource-manager endpoint to achieve remote command execution, then downloaded a 64-bit Linux ELF payload from pan.tenire[.]com, changed its permissions, executed it, and removed it from disk. The activity marks an expansion for the Go-based malware family, which had previously been associated mainly with routers, edge devices, DDoS operations, cryptomining, SSH brute-forcing, and exploitation of known vulnerabilities.
The updated sample retained persistence and multi-protocol DDoS functionality while adding a SOCKS5 proxy capability that could relay attacker traffic and support internal network pivoting. Darktrace said some older spreading and exploitation features appear to have been removed, suggesting a shift toward proxy-enabled botnet operations rather than broader self-propagation. The malware used gmserver.osfc[.]org[.]cn to resolve command-and-control infrastructure and communicated over port 65111; researchers also noted Chinese-language strings, zh-CN locale indicators, and infrastructure overlap with a ValleyRAT campaign, although they said any attribution to a Chinese threat actor remains circumstantial.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
4 events from the most recent confirmed update back to the earliest known activity.
Subsequent coverage said researchers observed Chinese-language strings, zh-CN locale indicators, and infrastructure overlap with a ValleyRAT distribution campaign, suggesting possible Chinese origin. The reporting emphasized that this attribution remained circumstantial.
Darktrace publicly reported the March 2026 intrusion and said the malware communicated via infrastructure resolved through gmserver.osfc[.]org[.]cn over port 65111. The company highlighted the broader risk of botnets shifting toward proxy services and cloud misconfiguration abuse.
Analysis of the March 2026 sample showed a substantially updated 64-bit Linux ELF variant of the Go-based Chaos malware. The sample retained persistence and DDoS functions, dropped some older spreading and exploitation features, and added a SOCKS5 proxy capability for traffic relaying and internal pivoting.
In March 2026, Darktrace's CloudyPots honeypot captured an intrusion in which attackers abused a misconfigured Apache Hadoop application/resource manager endpoint to execute shell commands on a Linux cloud server. The attacker downloaded a Chaos malware binary from pan.tenire[.]com, ran it, and deleted it from disk.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
4 references tracked. Mallory keeps watching after this page renders.
scworld.com
Open sourcethehackernews.com
Open sourcehelpnetsecurity.com
Open sourcedarktrace.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.