Kaiji
Kaiji is a Linux-focused botnet malware family primarily used for distributed denial-of-service activity and, in some reporting, proxying malicious traffic.
Profile source: Mallory opens in a new tabKaiji
Family profile
Kaiji is a Linux-focused botnet malware family primarily used for distributed denial-of-service activity and, in some reporting, proxying malicious traffic. It targets Linux servers, IoT devices, and internet-exposed or misconfigured environments, including misconfigured Docker instances; it has also been observed delivered after exploitation of CVE-2025-55182 (React2Shell) and in campaigns exploiting vulnerable Apache2 web servers. Reported Kaiji capabilities include SYN, ACK, UDP, TCP, TLS, WebSocket, and raw-socket flood attacks, arbitrary shell command execution, encrypted or dynamic configuration handling, and in some variants embedded SOCKS5 and HTTP proxy functionality. Persistence and defense evasion are prominent: observed mechanisms include systemd services, SysV init scripts, cron/crontab entries, login/profile scripts, keep-alive scripts, replacement or modification of system utilities such as ls, ps, and netstat, process masquerading, bind-mount abuse to hide process artifacts, SELinux policy weakening, and hardware watchdog abuse to force reboots if the malware is terminated. Kaiji has also been reported deploying or embedding XMRig in some intrusions. The malware has been associated in reporting with Chinese-language artifacts or suspected Chinese-origin activity, though definitive attribution is not established. Multiple sources assess the Chaos botnet as an evolution of Kaiji based on code overlap and inherited routines. Notable infrastructure and indicators directly mentioned in the content include delivery via scripts such as wocaosinm.sh and download.sh, C2 or related domains su6s[.]su and else.su6s[.]su, download server 195.177.94.29:26154, C2 domain gmserver.osfc[.]org[.]cn in Chaos reporting tied to Kaiji lineage, attacker IP 45.12.1.19, and sample hashes including MD5 fd05b94c016fd2eb7e26c406fa2266d0 and SHA256 d0ef2f020082556884361914114429ed82611ef8de09d878431745ccd07c06d8.
Exploited software
Vulnerabilities linked to Kaiji
2 CVEsMITRE ATT&CK
Kaiji in ATT&CK
23 distinct techniquesReporting
Research mentioning Kaiji
Chaos malware evolves to target cloud misconfigurations | brief | SC Media
Researchers believe it is an evolution of the Kaiji malware, which targeted misconfigured Docker instances.
New Chaos Variant Targets Misconfigured Cloud Deployments, Adds SOCKS Proxy
The malware is assessed to be an evolution of another DDoS malware known as Kaiji that has singled out misconfigured Docker instances.
Chaos malware expands from routers to Linux cloud servers - Help Net Security
...certain vulnerability exploitation routines previously inherited from Kaiji, the botnet Chaos is believed to have evolved from.
New Chaos Malware Variant found Exploiting Misconfigurations in the Cloud
Based on code overlap, Chaos is likely an evolution of the Kaiji botnet.
Detection: Linux Possible Append Cronjob Entry on Existing Cronjob File | Splunk Security Content
References https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/
ThreatsDay Bulletin: New RCEs, Darknet Busts, Kernel Bugs & 25+ More Stories
"Other payloads deployed as part of the attacks include botnets such as Kaiji..."
React2Shell Vulnerability CVE-2025-55182 Actively Exploited
Further activity included the deployment of Kaiji (Ares build) via wocaosinm.sh . Kaiji supports SYN, ACK, and UDP flood attacks...
Attackers Exploiting React2Shell Vulnerability to Attack IT Sectors
...downloads architecture-specific ELF executables identified as the Kaiji botnet, which performs DDoS attacks and establishes persistence through systemd services, crontab tasks, and modified system utilities.