Chaos malware has started attacking 64-bit Linux servers

07.04.2026 3 minutes Author: Newsman

The Chaos malware has expanded its activity and now targets 64-bit Linux servers, indicating that attackers are moving to more valuable and powerful infrastructures.

Darktrace researchers collected data that appears to show how the use of “Chaos” is changing. “Chaos” is no longer merely another simple method of attacking smaller targets; in its new form it is turning into something much more dangerous.

The most significant finding is that the researchers recorded the first instance of “Chaos” being modified to run on 64-bit Linux servers. Until now it generally operated below the server tier, typically on routers or peripheral devices, which usually have fewer protections against attack. Now, however, its focus appears to have shifted to more critical resource distribution points.

The modification does not appear to be a mere technical upgrade. The version of “Chaos” that was discovered supports a SOCKS5 proxy. As a result, an infected server could be used as an intermediary platform for further attacks (such as DDoS or mining), and could add further layers of anonymity and scalability to future attacks.

Researchers explained why this particular adaptation matters. With server support added to “Chaos”, attackers gain access to larger-scale infrastructure, which means more opportunity to combine multiple attacks and to build multi-layered operations. In short, it is no longer merely about launching single events; it is about establishing long-term footholds.

Jason Soroko, who works for Sectigo, added that this development also matches up with one of the two major trends that analysts are currently tracking. According to Soroko, the trend he is referring to can be described as “aggressive” – i.e., what may be referred to as “enter, steal, leave.” Attackers quickly gain entry to the target network, then rapidly extract all relevant information (primarily intellectual property) before leaving the system. These types of attacks primarily occur in high-value sectors like manufacturing, telecommunications, and logistics — i.e., those sectors that represent direct commercial interest.

To better understand what this looks like in practice, we can reduce this to a simple comparison:

  • fast attacks give instant results, but short-term access

  • slow attacks are almost invisible, but open up long-term control

  • together they create a flexible model where attackers themselves choose what is more profitable in a particular situation

And it is the combination of these two approaches that makes the threat much more serious.

It is worth paying special attention to geography and scale. The study showed a fairly clear picture:

  • 88% of attacks are aimed at critical infrastructure

  • the largest share of targets falls on the US, approximately 22.5%

  • more than half of the incidents occur in large Western economies

  • in 63% of cases, the initial point of entry was systems open to the Internet

These numbers speak for themselves. More often than not, it is not complex internal systems that are attacked, but something already exposed to the outside world. Public-facing infrastructure is becoming the main entrance for attackers.

As a result, the picture is quite clear. Chaos no longer looks like a tool for random attacks. It is gradually becoming part of more thoughtful and long-term operations. And the transition to 64-bit Linux servers only confirms this movement towards more serious goals.
