Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Chaos Malware. Show all posts
malware
Aisuru botnet API Chaos Malware Cloud systems Docker malware

New Chaos Malware Variant Expands to Cloud Targets, Introduces Proxy Capability

 



A newly observed version of the Chaos malware is now targeting poorly secured cloud environments, indicating a defining shift in how this threat is being deployed and scaled.

According to analysis by Darktrace, the malware is increasingly exploiting misconfigured cloud systems, moving beyond its earlier focus on routers and edge devices. This change suggests that attackers are adapting to the growing reliance on cloud infrastructure, where configuration errors can expose critical services.

Chaos was first identified in September 2022 by Lumen Black Lotus Labs. At the time, it was described as a cross-platform threat capable of infecting both Windows and Linux machines. Its functionality included executing remote shell commands, deploying additional malicious modules, spreading across systems by brute-forcing SSH credentials, mining cryptocurrency, and launching distributed denial-of-service attacks using protocols such as HTTP, TLS, TCP, UDP, and WebSocket.

Researchers believe Chaos developed from an earlier DDoS-focused malware strain known as Kaiji, which specifically targeted exposed Docker instances. While the exact operators behind Chaos remain unidentified, the presence of Chinese-language elements in the code and the use of infrastructure linked to China suggest a possible connection to threat actors from that region.

Darktrace detected the latest variant within its honeypot network, specifically on a deliberately misconfigured Hadoop deployment that allowed remote code execution. The attack began with an HTTP request sent to the Hadoop service to initiate the creation of a new application.

That application contained a sequence of shell commands designed to download a Chaos binary from an attacker-controlled domain, identified as “pan.tenire[.]com.” The commands then modified the file’s permissions using “chmod 777,” allowing full access to all users, before executing the binary and deleting it from the system to reduce forensic evidence.

Notably, the same domain had previously been linked to a phishing operation conducted by the cybercrime group Silver Fox. That campaign, referred to as Operation Silk Lure by Seqrite Labs in October 2025, was used to distribute decoy documents and ValleyRAT malware, suggesting infrastructure reuse across campaigns.

The newly identified sample is a 64-bit ELF binary that has been reworked and updated. While it retains much of its original functionality, several features have been removed. In particular, capabilities for spreading via SSH and exploiting router vulnerabilities are no longer present.

In their place, the malware now incorporates a SOCKS proxy feature. This allows compromised systems to relay network traffic, effectively masking the origin of malicious activity and making detection and mitigation more difficult for defenders.

Darktrace also noted that components previously associated with Kaiji have been modified, indicating that the malware has likely been rewritten or significantly refactored rather than simply reused.

The addition of proxy functionality points to a broader monetization strategy. Beyond cryptocurrency mining and DDoS-for-hire operations, attackers may now leverage infected systems to provide anonymized traffic routing or other illicit services, reflecting increasing competition within cybercriminal ecosystems.

This shift aligns with a wider trend observed in other botnets, such as AISURU, where proxy services are becoming a central feature. As a result, the threat infrastructure is expanding beyond traditional service disruption to include more complex abuse scenarios.

Security experts emphasize that misconfigured cloud services, including platforms like Hadoop and Docker, remain a critical risk factor. Without proper access controls, attackers can exploit these systems to gain initial entry and deploy malware with minimal resistance.

The continued evolution of Chaos underlines how threat actors are persistently enhancing their tools to expand botnet capabilities. It also reinforces the need for continuous security monitoring, as changes in how APIs and services function may not always appear as direct vulnerabilities but can exponentially increase exposure.

Organizations are advised to regularly audit configurations, restrict unnecessary access, and monitor for unusual behavior to mitigate the risks posed by increasingly adaptive malware threats.

Read more »
User Privacy
Chaos Malware Data Breach Gaming Community Kaspersky Payloads Trojan Attacks User Privacy

Analysis of Cyberthreats Linked to Gaming Industry in 2022

 

In 2022, the global gaming industry will surpass $200 billion, with 3 billion players worldwide, predicts the analytical firm Newzoo. Such committed, solvent and eager-to-win viewers have become a bit of trivia for botnets, that always look for ways to deceive their victims. 

According to data gathered by Kaspersky between July 2021 and July 2022, dangerous files that propagated through the misuse of gaming brands were mostly related to Minecraft (25%), FIFA (11%), Roblox (9.5%), Far Cry (9.4%), and Call of Duty (9%).

In specific, the report reviewed the most widespread PC game–related threats and statics on miner breaches, attacks disguised as game frauds, and thefts. Also, it examined several most energetic malware groups, offering them detailed, in-depth features.

In aspects of annual dynamics, Kaspersky reveals seeing a decline in both the quantities of distribution (-30%) and the number of users (-36%) compared to 2020.

Further, in the first half of 2022, Kaspersky said those who witnessed a notable increase in the number of consumers threatened by schemes that can deceive secret info, with a 13% increase over the first half of 2021.

In the same period, hackers also amplified their attempts to expand Trojan–PSW: 77% of secret-stealing spyware infection cases have been linked to Trojan–PSW.

A few recent cases of concealing malware in software encouraged as game frauds, installers, keygens, and the games themself are the following:
  • Minecraft alt lists on videogames forums dropping Chaos ransomware
  • NPM packages masquerading as Roblox libraries conveying malware and password stealers
  • Microsoft Store copies of games with malware loaders
  • Valorant cheats elevated via YouTube falling info-stealing malware
The cause why hackers exploit game titles to entice people is mainly the massive targeted pool, as the exploited game titles capture the interest of tens of millions of players.

A few instances of fake in-game item stores that copied the originals are highlighted by Kaspersky. These stores conned gamers into paying for stuff they would never receive while also phishing their login information.

Some users find the cost of games itself to be prohibitive and turn to pirated versions instead. Other games are being developed in closed beta, which excludes many potential players and forces users to look for alternate access points. Hackers take advantage of these circumstances by selling fraudulent, pirated beta testing launchers.

In terms of threat variants, Kaspersky reported that little had changed since last year in the environment that impacts gamers, with downloaders (88.56%) topping the list of harmful and unwanted software that is disseminated using the names of well-known games. Trojans (2.9%), DangerousObject (0.86%), and Adware (4.19%) are the next three most prevalent threats.

Finally, many developers advise users to disable antivirus software before installing game-related mods, cheats, and tools because many of them are created by unofficial one-person projects and may trigger false positive security detections.

As a result, players may disregard AV alerts and run malicious programs that have been found on their systems. Downloaders dominate because they can pass internet security checks without incident while still retrieving riskier payloads later on when the user runs the program.

Kaspersky claims that information thieves, cryptocurrency miners, or both are frequently dumped onto the victim's PC. As always, only download free software from reputable websites and exercise caution when doing so.

Read more »
Security Tools
Antivirus Astro Locker Babuk Ransomware Chaos Malware Encryption malware Monero Security Tools

Users get Directly Infected by AstraLocker 2.0 via Word Files

Threat researchers claim that the developers of a ransomware strain named AstraLocker just published its second major version and that its operators conduct quick attacks that throw its payload directly from email attachments. This method is particularly unique because all the intermediary stages that identify email attacks normally serve to elude detection and reduce the likelihood of triggering alarms on email security tools.

ReversingLabs, a firm that has been monitoring AstraLocker operations, claims that the attackers don't appear to be concerned with reconnaissance, the analysis of valuable files, or lateral network movement. It is carrying out a ransomware operation known as "smash and grab." 

The aim of smash and grab is to maximize profit as quickly as possible. Malware developers operate under the presumption that victims or security software will rapidly discover the malware, hence it is preferable to move right along to the finish line. 

Smash-and-grab strategy 

An OLE object with the ransomware payload is concealed in a Microsoft Word document that is the lure utilized by the developers of AstraLocker 2.0. WordDocumentDOC.exe is the filename of the embedded program. 

The user must select "Run" in the warning window that displays after opening the document in order to run the payload, thus decreasing the threat actors' chances of success. 

Researchers point out that this approach is less sophisticated than the recent Follina vulnerability which requires no user involvement or even the use of macros improperly which requires some user interaction. 
 
Encryption set up

Despite its haste to encrypt, AstraLocker still manages to do certain basic ransomware actions: It attempts to disable security software, disables any active programs that can obstruct encryption, and steers clear of virtual computers, which might suggest that it is being used by lab researchers.

The virus sets up the system for encryption using the Curve25519 method after executing an anti-analysis check to make sure it isn't executing in a virtual machine and that no debuggers are set in other ongoing processes. 

Killing applications that might compromise the encryption, erasing volume shadow copies that would facilitate victim restoration, and disabling a number of backup and antivirus services are all part of the preparation procedure. Instead of encrypting its contents, the Recycle Bin is simply emptied.

AstraLocker origins 

AstraLocker is based on Babuk's stolen source code, a dangerous but flawed ransomware strain that left the market in September 2021, according to ReversingLabs' code analysis. Furthermore, the Chaos ransomware's developers are connected to one of the Monero wallet addresses stated in the ransom text.

Supposedly, this isn't the work of a clever actor, but rather someone who is determined to launch as many devastating attacks as possible, based on the tactics that support the most recent campaign.
Read more »
Wiper
Chaos Malware malware Ransomware Wiper

Chaos Malware: The Amalgam of Ransomware and Wiper

 

A new strain of malware called Chaos, which is still under active development has been discovered by the security experts. The malware was first spotted in June 2021 and has already gone through four different versions, the most recent of which was released on August 5. 

According to Trend Micro security researcher Monte de Jesus, this rapid growth indicates that the malware may soon be ready for use in real world attacks.

An attacker promoting Chaos malware initially claimed that the malware was a .NET variant of Ryuk ransomware, but the analysis of the malware uncovered that it’s more like a destructive trojan or wiper than traditional ransomware.

“Instead of encrypting files (which could then be decrypted after the target paid the ransom), it replaced the files’ contents with random bytes, after which the files were encoded in Base64. This meant that affected files could no longer be restored, providing victims no incentive to pay the ransom,” de Jesus explained. 

Modus operandi of Chaos Malware 

The first version of Chaos is exceedingly dangerous because of its worming functionality. The malware has the capability to spread to all removable drives on a compromised system. “This could permit the malware to jump onto removable drives and escape from air-gapped systems,” de Jesus said.

After the installation, this first version of Chaos looked for various file paths and extensions to infect, and then it dropped a ransom note which demanded payment of 0.147 BTC, that would be around $6,600.

Chaos 2.0 has the capability to erase volume shadow copies and the backup catalog to prevent recovery, along with disabling Windows recovery mode, but it still did not have the functionality to recover files

“However, version 2.0 still overwrote the files of its targets. Members of the forum where it was posted pointed out that victims wouldn’t pay the ransom if their files couldn’t be restored,” de Jesus added.

In version 3.0, it added encryption to the mix. It could now encrypt files under 1 MB using AES/RSA encryption and feature a decryptor-builder.

The latest version of Chaos was released on August 5, which expanded its encryption feature to files of 2 Mb in size. It also allows operators to append encrypted files with their private extensions. 

According to a recent mid-year report from SonicWall, ransomware has been growing with a rapid pace in 2021, with global attack volume increasing in the first half of the year compared to the same period the previous year. 

“In our view, the Chaos ransomware builder is still far from being a finished product since it lacks features that many modern ransomware families possess, such as the ability to collect data from victims that could be used for further blackmail if the ransom is not paid. In the hands of a malicious actor who has access to malware distribution and deployment infrastructure, it could cause great damage to organizations,” de Jesus concluded.
Read more »
Subscribe to: Posts (Atom)