Security Experts:

Connect with us

Hi, what are you looking for?



Kaiji Botnet Successor ‘Chaos’ Targeting Linux, Windows Systems

Black Lotus Labs, Lumen Technologies’ threat intelligence team, has issued a warning on Chaos, the new variant of the Kaiji distributed denial-of-service (DDoS) botnet, targeting enterprises and large organizations.

Black Lotus Labs, Lumen Technologies’ threat intelligence team, has issued a warning on Chaos, the new variant of the Kaiji distributed denial-of-service (DDoS) botnet, targeting enterprises and large organizations.

Believed to be of Chinese origin, the Golang-based Kaiji malware emerged in early 2020, targeting Linux systems and internet of things (IoT) devices via SSH brute force attacks. By mid-2020, the threat was also targeting Docker servers.

The same as Kaiji, the recently observed Chaos malware is written in Go and uses SSH brute force attacks to infect new devices. Additionally, it also targets known vulnerabilities and uses stolen SSH keys for infection.

The threat works on multiple architectures, including ARM, Intel (i386), MIPS and PowerPC, and can run on both Linux and Windows, Black Lotus Labs says.

Once it has infected a device, Chaos establishes persistence and connects to an embedded command and control (C&C) server. Next, it receives staging commands, such as to start propagation via known CVEs or SSH, or to begin IP spoofing.

On infected Windows systems, the malware first creates a mutex by binding to a UDP port that it shields from analysis. If the binding fails, the malware exits its process.

Black Lotus Labs also observed numerous additional commands being sent to bots after the initial set of staging instructions. These commands would lead to new propagation attempts, further compromise of the infected device, DDoS attacks, or crypto-mining.

Chaos can also establish a reverse shell, using an open source script designed to run on Linux-native bash shells, allowing the attackers to upload, download or modify files on the target device.

Black Lotus Labs notes that, from mid-June through mid-July, it has observed hundreds of unique IP addresses representing Chaos-infected devices, followed by an uptick in new staging C&C servers in August and September.

Most of the infections are in Europe, North and South America, and Asia-Pacific (but not Australia or New Zealand).

In September, the botnet was observed launching DDoS attacks against over 20 organizations’ domains or IPs. Targeted entities span across multiple industries, including entertainment, financial, gaming, media, and hosting. Furthermore, it was seen targeting DDoS-as-a-service providers and a crypto mining exchange.

“Not only does it target enterprise and large organizations but also devices and systems that aren’t routinely monitored as part of an enterprise security model, such as SOHO routers and FreeBSD OS. And with a significant evolution from its predecessor, Chaos is achieving rapid growth since the first documented evidence of it in the wild,” Black Lotus Labs concludes.

Related: Powerful ‘Mantis’ DDoS Botnet Hits 1,000 Organizations in One Month

Related: ‘Sysrv’ Botnet Targeting Recent Spring Cloud Gateway Vulnerability

Related: New ‘Enemybot’ DDoS Botnet Targets Routers, Web Servers

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.