
S0220: Chaos

Chaos is Linux malware that compromises systems by brute force attacks against SSH services. Once installed, it provides a reverse shell to its controllers, triggered by unsolicited packets. [1]

Enterprise | S0220 | Malware | Object v1.1 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

Chaos matters because it combines a common entry path—brute forcing SSH on Linux systems—with stealthier remote access behavior. For business leaders, the practical issue is not the malware name itself; it is whether internet-facing or poorly governed Linux administration paths could become an unmanaged foothold that provides a reverse shell and command-and-control access when triggered by specific network traffic.

Executive priority

Prioritize this as an operational resilience and access-control validation issue for Linux environments. Leaders should ask whether SSH exposure, password policy, account lockout, privileged Linux access, and remote administration monitoring are measurable and audit-ready. Because the ATT&CK object has no official detection guidance, confidence should come from local evidence: authentication logs, network visibility, endpoint telemetry, and incident response procedures for Linux hosts.

Technical view

Chaos is described as Linux malware that compromises systems through SSH brute force and provides a reverse shell triggered by unsolicited packets. Relationship context maps it to Unix Shell execution, Brute Force, Traffic Signaling, Multi-Stage Channels, and Symmetric Cryptography. SOC and IR teams should validate coverage across the full chain: repeated SSH authentication failures and successes, suspicious shell execution after login, unexpected inbound packet patterns or trigger-like traffic, outbound reverse-shell behavior, staged command-and-control activity, and encrypted C2-like traffic that does not match normal Linux server roles.

Likely telemetry

  • Linux authentication logs for SSH failures, successful logins, source IPs, usernames, and timing patterns
  • SSH service exposure and configuration data from asset or vulnerability management systems
  • Process execution telemetry for Unix shells such as sh or bash, especially following remote logins
  • Network flow, firewall, IDS/IPS, or packet metadata showing unsolicited inbound traffic and unusual outbound connections
  • Endpoint telemetry showing new or unexpected services, persistence-like behavior, or remote shell activity on Linux hosts

Detection direction

  • Correlate SSH brute-force patterns with subsequent successful logins and shell activity rather than alerting only on failed passwords.
  • Tune for Linux server role: administrative jump hosts, automation accounts, and monitoring systems may create legitimate SSH noise that needs allowlisting and context.
  • Hunt for reverse-shell indicators such as shell processes associated with unusual network connections, while avoiding assumptions that every shell is malicious on Linux.
  • Review network detections for traffic signaling concepts: unsolicited packets or unusual sequences that precede new remote access behavior may be more important than a single packet event.
  • Assess whether encrypted or staged C2 traffic would be visible in existing network flow, egress filtering, and endpoint telemetry; symmetric cryptography may reduce content-based inspection value.
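The first correlation point above (brute-force failures, then a success, then shell activity) as an added worked example that is not code from the original page, Glexia, or MITRE: it runs over constructed sshd log lines and constructed endpoint events. The syslog layout, the assumed year, the thresholds and the event tuple shape are all assumptions; 8338/TCP is the reverse-shell port the relationship table cites.

```python
import re
from datetime import datetime

# Constructed syslog-style sshd lines (not real data): a failure burst, a success, an unrelated login.
AUTH_LOG = """\
Mar  5 10:00:01 web01 sshd[2101]: Failed password for root from 203.0.113.7 port 51001 ssh2
Mar  5 10:00:02 web01 sshd[2102]: Failed password for root from 203.0.113.7 port 51002 ssh2
Mar  5 10:00:03 web01 sshd[2103]: Failed password for admin from 203.0.113.7 port 51003 ssh2
Mar  5 10:00:04 web01 sshd[2104]: Failed password for root from 203.0.113.7 port 51004 ssh2
Mar  5 10:00:05 web01 sshd[2105]: Failed password for root from 203.0.113.7 port 51005 ssh2
Mar  5 10:00:09 web01 sshd[2106]: Accepted password for root from 203.0.113.7 port 51006 ssh2
Mar  5 10:30:00 web01 sshd[2300]: Accepted publickey for deploy from 192.0.2.10 port 40020 ssh2
"""
# Constructed endpoint telemetry: (timestamp, parent process, process path, remote destination or None).
PROC_EVENTS = [
    ("Mar  5 10:00:12", "sshd", "/bin/sh", "203.0.113.7:8338"),
    ("Mar  5 10:30:05", "sshd", "/bin/bash", None),
]
LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (Failed|Accepted) \w+ for (\S+) from (\S+) port")

def parse_ts(s):
    # syslog omits the year; 2018 is an assumed analysis year for the sample data
    return datetime.strptime("2018 " + s, "%Y %b %d %H:%M:%S")

def brute_force_then_login(log_text, threshold=5, window_s=300):
    # One hit per successful login preceded by >= threshold failures from the same IP in the window.
    failures, hits = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, outcome, user, ip = parse_ts(m[1]), m[2], m[3], m[4]
        if outcome == "Failed":
            failures.setdefault(ip, []).append(ts)
            continue
        recent = [t for t in failures.get(ip, []) if 0 <= (ts - t).total_seconds() <= window_s]
        if len(recent) >= threshold:
            hits.append({"ip": ip, "user": user, "failures": len(recent), "login": ts})
    return hits

def enrich_with_shell(hits, proc_events, window_s=120):
    # Flag a shell spawned by sshd shortly after the login, and whether it talks to 8338/TCP.
    for h in hits:
        h["shell"], h["port_8338"] = False, False
        for ts, parent, proc, dst in proc_events:
            delta = (parse_ts(ts) - h["login"]).total_seconds()
            if parent == "sshd" and proc.rsplit("/", 1)[-1] in ("sh", "bash", "dash") and 0 <= delta <= window_s:
                h["shell"] = True
                h["port_8338"] = h["port_8338"] or bool(dst and dst.endswith(":8338"))
    return hits
```

The key-based deploy login produces no hit because no failure burst precedes it, which is the noise reduction the bullet asks for.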

Mitigation priorities

  • Reduce SSH attack surface first: limit internet exposure, restrict administrative access paths, and require strong authentication controls where feasible.
  • Strengthen identity controls for Linux administration, including password policy, account lockout or throttling, key management, and review of privileged accounts.
  • Enforce least privilege and harden Linux hosts so a compromised account has limited ability to execute commands, persist, or stage tools.
  • Improve egress control and monitoring so unexpected reverse connections from Linux servers are reviewed and constrained.
  • Ensure incident response playbooks cover Linux SSH compromise, shell-based execution, network-triggered backdoors, and evidence preservation from authentication, process, and network logs.

Analyst notes and limits

The source object is a malware entry for Chaos, not a campaign report. The strongest decision value comes from the ATT&CK relationships: SSH brute force aligns with credential-access risk, Unix shell use drives endpoint detection needs, and traffic signaling plus staged/encrypted C2 drive network monitoring and egress-control questions.

The supplied ATT&CK object lists Linux as the platform and provides no official detection section, no tactics on the malware object itself, no aliases, and no attribution. This take does not assert active exploitation, victim exposure, or guaranteed detection. Local architecture, SSH exposure, telemetry quality, and Linux administration practices determine actual risk and coverage.

Official MITRE ATT&CK definition

Chaos

Chaos is Linux malware that compromises systems by brute force attacks against SSH services. Once installed, it provides a reverse shell to its controllers, triggered by unsolicited packets. [1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure

Enterprise | T1573.001 | Symmetric Cryptography (sub-technique)
  Chaos provides a reverse shell connection on 8338/TCP, encrypted via AES. [1]

Enterprise | T1059.004 | Unix Shell (sub-technique)
  Chaos provides a reverse shell connection on 8338/TCP, encrypted via AES. [1]

Enterprise | T1110 | Brute Force
  Chaos conducts brute force attacks against SSH services to gain initial access. [1]

Enterprise | T1205 | Traffic Signaling
  Chaos provides a reverse shell that is triggered upon receipt of a packet with a special string, sent to any port. [1]

Enterprise | T1104 | Multi-Stage Channels
  After initial compromise, Chaos will download a second stage to establish a more permanent presence on the affected system. [1]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: 9fb6276eedda3e2d...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.1 | | Current bundle | 9fb6276eedda…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Chaos Stolen Backdoor
     Sebastian Feldmann. (2018, February 14). Chaos: a Stolen Backdoor Rising Again. Retrieved March 5, 2018.
  2. [2] Chaos
     (Citation: Chaos Stolen Backdoor)
  3. [3] mitre-attack S0220

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.