Chaos malware expands from routers to Linux cloud servers

Chaos, Go-based malware first documented by Lumen’s Black Lotus Labs, has historically targeted routers and edge devices. A new variant observed in March 2026 shows the malware operating against misconfigured Linux cloud servers, a category of infrastructure the botnet had not previously prioritized. Darktrace’s malware research team documented the compromise through its CloudyPots program, a global honeypot network the company runs to capture attacker behavior across a range of services and cloud platforms. One honeypot …