December 3, 2023

Researchers have detailed about a cross-platform malware dubbed Chaos, that has infected a wide range of Linux and Windows devices, including small office routers, FreeBSD boxes, and large enterprise servers.

Researchers found hundreds of unique IP addresses representing compromised Chaos devices. Staging servers used to infect new devices in recent months, growing from 39 in May to 93 in August. The number reached 111 at present.


Researchers observed interactions with these staging servers from both embedded Linux devices as well as enterprise servers, including one in Europe that was hosting an instance of GitLab. There are more than 100 unique samples in the wild.

Chaos Malware designed to work across several architectures, including: ARM, Intel (i386), MIPS and PowerPC in addition to both Windows and Linux operating systems. Chaos propagates through known CVEs and brute forced as well as stolen SSH keys.

To name few, including CVE-2017-17215 and CVE-2022-30525 affecting firewalls sold by Huawei, and CVE-2022-1388, a vulnerability in load balancers, firewalls, and network inspection gear sold by F5. SSH infections using password brute-forcing and stolen keys also allow Chaos to spread from machine to machine inside an infected network.


Chaos also has various capabilities, including enumerating all devices connected to an infected network, running remote shells that allow attackers to execute commands, and loading additional modules. Combined with the ability to run on such a wide range of devices, to leverage for initial access, DDoS attacks and crypto mining.

Infected IP addresses indicate that Chaos infections are most heavily concentrated in Europe, with smaller hotspots in North and South America, and Asia Pacific.

To stay protected from Chaos infections, keep all routers, servers, and other devices fully updated and to use strong passwords and FIDO2-based MFA. most router malware can’t survive a reboot. Consider restarting your device every week or so. Those who use SSH should always use a cryptographic key for authentication.


This research was documented by researchers from black lotus lab

Indicators of Compromise

  • 3c908b576e0ddadb5c94122e8f11b6701201518fa99e6cc33f69f17168da6d88
  • 2b935b3c308727d46ddd00ea776caeb1137a2cc3b43b055667dfdea42f98170a
  • fecfa6e2e6d4224082e09da7b42878f9e6ab9966a6f7a4cd120603f0bd59e72a
  • ebe0f9855eb8f6bd980ed60c26e3a877dc1ace5d664e248bb0558996fe0bd06f
  • e0e3d23222d71bbebae6afd37dcc436f9f5c8e56dd6ece8c8d63c162826dd99c
  • db412892acc683df340211b28ca3545d550e0a1de4bf0a2565b2b83bb31e0357

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: