Chaos is a backdoor trojan that was originally part of the "sebd" rootkit, active around 2013. It is used as a second-stage payload after the threat actor conducts initial reconnaissance of the system. The attacker downloads a file with a .jpg extension so that it appears to be a legitimate JPG image when it is actually a .tar archive.

The archive contains the following:

  • Chaos - ELF executable
  • Client - ELF executable
  • initrunlevels - Shell script
  • install - Shell script

The Chaos executable is the actual backdoor installed on the victim's system that enables the reverse shell, while the Client executable connects to the installed backdoor. The install shell script ensures the initrunlevels shell script is executed each time the system boots. The initrunlevels script opens port 8338, checks for certain files and, if they do not exist, copies inconspicuous files to certain paths. The script also copies the Client and Chaos executables onto the system as backups. Additionally, the threat actor installs and executes files that add the system to an IRC botnet.
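A defender-side check for the disguise described above, added here as an example and not taken from the original profile or the linked analysis: it walks a directory, finds files named .jpg whose content is really a tar archive, and reports which of the four member names listed above they contain. The sample file names (holiday.jpg, banner.jpg) and the case-insensitive name match are assumptions of this example.

```python
import io
import os
import tarfile
import tempfile

JPEG_MAGIC = b"\xff\xd8\xff"
# Archive member names as listed in the profile, compared case-insensitively (assumption).
PROFILE_MEMBERS = {"chaos", "client", "initrunlevels", "install"}

def classify(path):
    """Return (kind, profile_hits) for one file, reading headers only."""
    if tarfile.is_tarfile(path):  # also recognises compressed tar archives
        with tarfile.open(path) as tar:  # nothing is extracted to disk
            names = [os.path.basename(m.name) for m in tar.getmembers()]
        return "tar", sorted(n for n in names if n.lower() in PROFILE_MEMBERS)
    with open(path, "rb") as fh:
        return ("jpeg" if fh.read(3) == JPEG_MAGIC else "unknown"), []

def scan(root):
    """Map each *.jpg/*.jpeg under root that is not a JPEG to its classification."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".jpg", ".jpeg")):
                full = os.path.join(dirpath, name)
                kind, hits = classify(full)
                if kind != "jpeg":
                    findings[full] = (kind, hits)
    return findings

def build_sample(root):
    """Constructed test data: one JPEG-like header and one tar archive named .jpg."""
    with open(os.path.join(root, "holiday.jpg"), "wb") as fh:
        fh.write(JPEG_MAGIC + b"\xe0" + b"\x00" * 64)
    with tarfile.open(os.path.join(root, "banner.jpg"), "w") as tar:
        for member in ("Chaos", "Client", "initrunlevels", "install"):
            data = b"placeholder, not malware\n"
            info = tarfile.TarInfo(name=member)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for path, (kind, hits) in scan(tmp).items():
            print(f"{os.path.basename(path)}: content is {kind}, profile members: {hits}")
```

A name such as install is common in benign archives, so treat a member-name match as a triage signal to combine with the extension mismatch, not as proof on its own.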

The Chaos backdoor uses raw sockets to create a reverse-shell with full network encryption and integrity checks. The current victim count is low but the majority of victims are located in the US. At the time of writing, according to VirusTotal, only one antivirus vendor detects the trojan.


  • February 2018: Hackers are launching SSH brute-force attacks on poorly secured Linux servers to deploy a backdoor dubbed Chaos backdoor. (Security Affairs)

Technical Details

  • GoSecure provides technical analysis of Chaos here.