HIGH
Chaos Botnet Variant Expands to Misconfigured Cloud Deployments, Adds SOCKS Proxy
Darktrace researchers identified a new Chaos malware variant that has expanded targeting from routers and edge devices to misconfigured cloud deployments, adding SOCKS proxy capability to facilitate persistent access and traffic tunneling.
The shift to cloud targets reflects botnets following workloads from on-prem edge hardware to cloud infrastructure. Cloud operators should audit for exposed services, enforce strong credential and key management policies, and monitor for unexpected outbound proxy or tunneling connections. Indicators from the Darktrace report should be added to threat intelligence feeds.
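One way to act on the monitoring recommendation above, as an added example that is not taken from the Darktrace report: a check that recognises a SOCKS5 negotiation (RFC 1928) in the first bytes of a TCP session, so that workloads answering as a proxy on unexpected ports can be flagged. It assumes the proxy speaks unencrypted SOCKS5 (the summary does not state the SOCKS version) and that reassembled payload bytes are available from a traffic mirror or packet capture; the function names and sample sessions are constructed for illustration.

```python
import ipaddress
import struct

CMDS = {1: "CONNECT", 2: "BIND", 3: "UDP_ASSOCIATE"}

def parse_socks5(c2s: bytes, s2c: bytes):
    """Return (cmd, host, port) if the session opens with a SOCKS5 negotiation
    (RFC 1928), else None. c2s/s2c are the first reassembled bytes per direction."""
    if len(c2s) < 3 or c2s[0] != 5 or c2s[1] == 0 or len(c2s) < 2 + c2s[1]:
        return None
    offered, req = c2s[2:2 + c2s[1]], c2s[2 + c2s[1]:]
    # The server must reply with version 5 and select one of the offered methods.
    if len(s2c) < 2 or s2c[0] != 5 or s2c[1] not in offered:
        return None
    if s2c[1] != 0 or not req:
        # Auth sub-negotiation or truncated capture: proxy confirmed, target unknown.
        return ("HANDSHAKE", None, None)
    if len(req) < 4 or req[0] != 5 or req[1] not in CMDS or req[2] != 0:
        return None
    atyp, body = req[3], req[4:]
    if atyp == 1:                      # IPv4 address
        alen, decode = 4, lambda b: str(ipaddress.IPv4Address(b))
    elif atyp == 4:                    # IPv6 address
        alen, decode = 16, lambda b: str(ipaddress.IPv6Address(b))
    elif atyp == 3 and body:           # length-prefixed domain name
        alen, body = body[0], body[1:]
        decode = lambda b: b.decode("ascii", "replace")
    else:
        return None
    if len(body) < alen + 2:
        return None
    port = struct.unpack("!H", body[alen:alen + 2])[0]
    return (CMDS[req[1]], decode(body[:alen]), port)

# Constructed sample sessions (documentation address ranges, not real indicators).
SESSIONS = [
    {"listener": "10.0.1.5:8443", "peer": "203.0.113.7", "s2c": bytes.fromhex("0500"),
     "c2s": bytes.fromhex("050100" "05010003" "0b") + b"example.org" + b"\x01\xbb"},
    {"listener": "10.0.1.5:443", "peer": "203.0.113.9",   # TLS handshake, not SOCKS
     "c2s": bytes.fromhex("1603010200"), "s2c": bytes.fromhex("1603030050")},
    {"listener": "10.0.2.8:1080", "peer": "203.0.113.7",  # username/password auth
     "c2s": bytes.fromhex("05020002" "0103616263"), "s2c": bytes.fromhex("0502")},
]

def flag_proxy_listeners(sessions):
    """Return (listener, peer, cmd, host, port) for sessions that negotiated SOCKS5."""
    parsed = [(s, parse_socks5(s["c2s"], s["s2c"])) for s in sessions]
    return [(s["listener"], s["peer"], *r) for s, r in parsed if r]
```

Requiring a valid server reply as well as a client greeting keeps ordinary traffic that happens to start with byte 0x05 from being flagged; a proxy wrapped in TLS or another tunnel will not match and needs flow-level monitoring instead.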