Darktrace has identified a significant evolution in China-linked cyber operations, revealing that the Chaos malware has been adapted to target 64-bit Linux servers for the first time. In a blog post published on April , the company reported that earlier versions of Chaos primarily focused on routers and edge devices. The latest variant marks a shift toward more powerful infrastructure, potentially enabling attackers to establish deeper and more persistent footholds within enterprise environments.
The newly discovered Chaos sample introduces SOCKS5 proxy functionality, allowing compromised systems to be used for anonymized traffic routing. This enhancement expands the malware’s potential beyond its traditional use in distributed denial-of-service (DDoS) attacks and cryptomining, opening the door to broader malicious operations.
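As an added example, not taken from Darktrace's report or the Chaos sample itself, the check below shows how the proxy behaviour described above would surface to a defender: it flags hosts that answer a SOCKS5 greeting (per RFC 1928) while not being on a list of sanctioned proxies. The flow records, addresses and allow-list are constructed for this example.

```python
from dataclasses import dataclass

SOCKS_VERSION = 0x05  # RFC 1928 version byte

@dataclass
class Flow:
    """One TCP flow, reduced to the first bytes each side sent."""
    src: str             # client address
    dst: str             # server address (the host being reviewed)
    dst_port: int
    client_first: bytes  # first payload bytes from the client
    server_first: bytes  # first payload bytes from the server

def is_socks5_greeting(data: bytes) -> bool:
    """Client greeting: VER=0x05, NMETHODS, then NMETHODS method bytes."""
    if len(data) < 3 or data[0] != SOCKS_VERSION:
        return False
    nmethods = data[1]
    return nmethods > 0 and len(data) >= 2 + nmethods

def is_socks5_method_select(data: bytes) -> bool:
    """Server reply: VER=0x05 then the chosen method (0xFF = none acceptable)."""
    return len(data) >= 2 and data[0] == SOCKS_VERSION

def find_unexpected_proxies(flows, allowed_proxies):
    """Return (dst, dst_port, src) for hosts outside the allow-list that answered
    a SOCKS5 greeting. A 0xFF rejection still proves a SOCKS5 listener exists,
    so it is reported as well. Requiring both directions avoids flagging random
    binary traffic that merely starts with 0x05."""
    hits = []
    for f in flows:
        if f.dst in allowed_proxies:
            continue
        if is_socks5_greeting(f.client_first) and is_socks5_method_select(f.server_first):
            hits.append((f.dst, f.dst_port, f.src))
    return hits

# Constructed sample flows for this example; addresses are documentation ranges.
SAMPLE_FLOWS = [
    Flow("203.0.113.9", "10.0.5.21", 1080, b"\x05\x01\x00", b"\x05\x00"),          # no-auth SOCKS5 on a web server
    Flow("10.0.5.30", "10.0.5.21", 443, b"\x16\x03\x01\x00\xa5", b"\x16\x03\x03"),  # TLS ClientHello, not SOCKS
    Flow("198.51.100.4", "10.0.0.8", 1080, b"\x05\x02\x00\x02", b"\x05\x02"),       # sanctioned proxy
    Flow("203.0.113.77", "10.0.5.21", 8080, b"\x05\x01\x00", b"\x05\xff"),          # rejection still reveals a listener
]

if __name__ == "__main__":
    for dst, port, src in find_unexpected_proxies(SAMPLE_FLOWS, {"10.0.0.8"}):
        print(f"unexpected SOCKS5 listener on {dst}:{port}, reached from {src}")
```

On real traffic the first-bytes would come from a packet capture or flow sensor; the same two-sided check applies unchanged.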
Darktrace noted that targeting 64-bit Linux servers represents a strategic upgrade, as these systems offer greater computing power and are often embedded in critical enterprise and cloud environments. This shift could enable attackers to scale operations, maintain persistence, and launch more sophisticated follow-on attacks. The findings are part of a broader investigation into China-nexus threat actors. According to Darktrace, these groups are employing two distinct but coordinated attack strategies.
The first is a rapid “smash-and-grab” approach, where attackers infiltrate systems and extract valuable intellectual property within a short timeframe, often within 48 hours. This method has primarily targeted sectors such as manufacturing, telecommunications, and logistics. The second strategy is far more covert, involving long-term infiltration of critical systems. In these cases, attackers embed themselves within identity infrastructure and remain undetected for extended periods, sometimes exceeding 600 days. This approach is commonly observed in sectors like transportation, telecoms, and critical infrastructure.
Jason Soroko, Senior Fellow at Sectigo, explained that this dual approach reflects a calculated balance between immediate gains and long-term strategic positioning. While exposed systems are quickly exploited for data theft, deeper operational networks are quietly compromised for sustained access.
Recent threat data highlights the growing concentration and methods of cyberattacks worldwide. A significant 88% of incidents targeted critical national infrastructure, underscoring the vulnerability of essential systems. The United States alone accounted for 22.5% of all targets, the highest share of any country, while over 55% of attacks were directed at major Western economies, including the U.S., Germany, Italy, Spain, and the UK. Notably, 63% of these intrusions originated from the exploitation of internet-facing systems, emphasizing the urgent need for stronger perimeter security and proactive vulnerability management. These findings underscore the growing importance of securing publicly exposed infrastructure, which has become the primary entry point for attackers.
The evolution of Chaos malware and the dual attack strategy signal a broader trend of increasingly sophisticated and coordinated cyber operations targeting high-value systems. By expanding into server environments and combining rapid exploitation with long-term persistence, threat actors are enhancing their ability to disrupt operations, steal sensitive data, and maintain strategic access to critical networks. Security experts warn that organizations must prioritize visibility, patch management, and protection of internet-facing assets to defend against these evolving threats, particularly as attackers continue to refine both speed and stealth in their operations.