Skip to content
Malware family

Kaiji

Kaiji is a Linux-focused botnet malware family primarily used for distributed denial-of-service activity and, in some reporting, proxying malicious traffic.

Profile source: Mallory opens in a new tab

Kaiji

Family profile

Kaiji is a Linux-focused botnet malware family primarily used for distributed denial-of-service activity and, in some reporting, proxying malicious traffic. It targets Linux servers, IoT devices, and internet-exposed or misconfigured environments, including misconfigured Docker instances; it has also been observed delivered after exploitation of CVE-2025-55182 (React2Shell) and in campaigns exploiting vulnerable Apache2 web servers. Reported Kaiji capabilities include SYN, ACK, UDP, TCP, TLS, WebSocket, and raw-socket flood attacks, arbitrary shell command execution, encrypted or dynamic configuration handling, and in some variants embedded SOCKS5 and HTTP proxy functionality. Persistence and defense evasion are prominent: observed mechanisms include systemd services, SysV init scripts, cron/crontab entries, login/profile scripts, keep-alive scripts, replacement or modification of system utilities such as ls, ps, and netstat, process masquerading, bind-mount abuse to hide process artifacts, SELinux policy weakening, and hardware watchdog abuse to force reboots if the malware is terminated. Kaiji has also been reported deploying or embedding XMRig in some intrusions. The malware has been associated in reporting with Chinese-language artifacts or suspected Chinese-origin activity, though definitive attribution is not established. Multiple sources assess the Chaos botnet as an evolution of Kaiji based on code overlap and inherited routines. Notable infrastructure and indicators directly mentioned in the content include delivery via scripts such as wocaosinm.sh and download.sh, C2 or related domains su6s[.]su and else.su6s[.]su, download server 195.177.94.29:26154, C2 domain gmserver.osfc[.]org[.]cn in Chaos reporting tied to Kaiji lineage, attacker IP 45.12.1.19, and sample hashes including MD5 fd05b94c016fd2eb7e26c406fa2266d0 and SHA256 d0ef2f020082556884361914114429ed82611ef8de09d878431745ccd07c06d8.

Exploited software

Vulnerabilities linked to Kaiji

2 CVEs

MITRE ATT&CK

Kaiji in ATT&CK

23 distinct techniques

Reporting

Research mentioning Kaiji

Apr 9
Scworld

Chaos malware evolves to target cloud misconfigurations | brief | SC Media

Researchers believe it is an evolution of the Kaiji malware, which targeted misconfigured Docker instances.

Apr 8
The Hacker News

New Chaos Variant Targets Misconfigured Cloud Deployments, Adds SOCKS Proxy

The malware is assessed to be an evolution of another DDoS malware known as Kaiji that has singled out misconfigured Docker instances.

Apr 8
Help Net Security

Chaos malware expands from routers to Linux cloud servers - Help Net Security

...certain vulnerability exploitation routines previously inherited from Kaiji, the botnet Chaos is believed to have evolved from.

Apr 7
Darktrace

New Chaos Malware Variant found Exploiting Misconfigurations in the Cloud

Based on code overlap, Chaos is likely an evolution of the Kaiji botnet.

Feb 25
Splunk Research

Detection: Linux Possible Append Cronjob Entry on Existing Cronjob File | Splunk Security Content

References https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/

Jan 29
The Hacker News

ThreatsDay Bulletin: New RCEs, Darknet Busts, Kernel Bugs & 25+ More Stories

"Other payloads deployed as part of the attacks include botnets such as Kaiji..."

Jan 28
Thecyberexpress Com Vulnerabilities

React2Shell Vulnerability CVE-2025-55182 Actively Exploited

Further activity included the deployment of Kaiji (Ares build) via wocaosinm.sh . Kaiji supports SYN, ACK, and UDP flood attacks...

Jan 27
Cyber Security News

Attackers Exploiting React2Shell Vulnerability to Attack IT Sectors

...downloads architecture-specific ELF executables identified as the Kaiji botnet, which performs DDoS attacks and establishes persistence through systemd services, crontab tasks, and modified system utilities.

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.