A new, multi-functional Go-based malware dubbed Chaos has been rapidly growing in volume in recent months to ensnare a wide range of Windows, Linux, small office/home office (SOHO) routers, and enterprise servers into its botnet.

"Chaos functionality includes the ability to enumerate the host environment, run remote shell commands, load additional modules, automatically propagate through stealing and brute-forcing SSH private keys, as well as launch DDoS attacks," researchers from Lumen's Black Lotus Labs said in a write-up shared with The Hacker News.

A majority of the bots are located in Europe, specifically Italy, with other infections reported in China and the U.S., collectively representing "hundreds of unique IP addresses" over a one-month time period from mid-June through mid-July 2022.


Written in Chinese and leveraging China-based infrastructure for command-and-control, the botnet joins a long list of malware that are designed to establish persistence for extended periods and likely abuse the foothold for nefarious purposes, such as DDoS attacks and cryptocurrency mining.

If anything, the development also points to a dramatic uptick in threat actors shifting to programming languages like Go to evade detection and render reverse engineering difficult, not to mention targeting several platforms at once.

Chaos (not to be confused with the ransomware builder of the same name) lives up to its name by exploiting known security vulnerabilities to gain initial access, subsequently abusing it to conduct reconnaissance and initiate lateral movement across the compromised network.

What's more, the malware has versatility that similar malware does not, enabling it to operate across a wide range of instruction set architectures from ARM, Intel (i386), MIPS, and PowerPC, effectively allowing the threat actor to broaden the scope of its targets and swiftly accrue in volume.

On top of that, Chaos further has the ability to execute as many as 70 different commands sent from the C2 server, one of which is an instruction to trigger the exploitation of publicly-disclosed flaws (CVE-2017-17215 and CVE-2022-30525) defined in a file.

An analysis of around 100 samples discovered in the wild dates the earliest evidence of the botnet activity to April 2022. The malware has since been observed targeting not only enterprise servers and large organizations but also devices that are not regularly monitored, such as SOHO routers and FreeBSD OS.


Chaos is also believed to be an evolution of another Go-based DDoS malware named Kaiji that has previously targeted misconfigured Docker instances. The correlations, per Black Lotus Labs, stem from overlapping code and functions, counting that of a reverse shell module that makes it possible to run arbitrary commands on an infected device.

A GitLab server located in Europe was one among the victims of the Chaos botnet in the first weeks of September, the company said, adding it identified a string of DDoS attacks aimed at entities spanning gaming, financial services, and technology, media and entertainment, and hosting providers. Also targeted was a crypto mining exchange.

The findings come exactly three months after the cybersecurity company exposed a new remote access trojan dubbed ZuoRAT that has been singling out SOHO routers as part of a sophisticated campaign directed against North American and European networks.

"We are seeing a complex malware that has quadrupled in size in just two months, and it is well-positioned to continue accelerating," said Mark Dehus, director of threat intelligence for Lumen Black Lotus Labs. "Chaos poses a threat to a variety of consumer and enterprise devices and hosts."

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.