Chaos malware now targeting 64-bit Linux servers

A holistic analysis of China-nexus threat actors by Darktrace researchers also surfaced a very specific new piece of threat information: the Chaos malware has been adapted to target 64-bit Linux servers.

In an April 2 blog post, the Darktrace researchers said this was the first documented example of Chaos targeting 64-bit Linux servers. Until now, Chaos had only been observed targeting routers and edge devices. The sample the Darktrace researchers analyzed also includes SOCKS5 proxy capability, a new feature that potentially expands its uses beyond DDoS and cryptomining.

“The move toward 64-bit Linux server targeting is significant because it suggests Chaos may be expanding from lower-value edge devices into more capable server infrastructure, which could give attackers more useful footholds for proxying, persistence, and follow-on activity, in other words, bigger attacks,” wrote the researchers.

Jason Soroko, a senior fellow at Sectigo, explained that this technical maturation aligns perfectly with the dual operational strategy the Darktrace researchers outlined in the same blog post.

After three years investigating dozens of China-nexus intrusions, Darktrace’s threat researchers found that these actors aren’t running one playbook; they’re running two simultaneously.

The first is a “smash and grab” model: rapid intrusions that complete intellectual property (IP) theft within 48 hours, hitting manufacturing, telecom, and logistics sectors that map closely to Chinese industrial policy.

The second is “low and slow”: attackers embed themselves in identity systems and remain dormant for months or years inside transportation networks, telecoms, and critical infrastructure. Some security teams told Darktrace they had been hosting intruders for more than 600 days.

“Advanced operators are simultaneously executing rapid exploitation campaigns alongside highly persistent dormant intrusions,” said Soroko.
“The aggressive model prioritizes immediate IP theft completed within that initial 48-hour window.”

In stark contrast, Soroko added, the dormant approach revolves around attackers quietly embedding malicious access into identity systems across critical infrastructure and remaining hidden for hundreds of days. He said this methodology demonstrates a calculated approach to risk and reward: internet-facing systems are quickly plundered, while core operational networks are meticulously cultivated for long-term strategic advantage.

The Darktrace research also produced some notable figures about these China-nexus attacks:
  • 88% of cases involved critical national infrastructure.
  • The U.S. accounts for 22.5% of observed targets — the single largest national share.
  • More than 55% of all cases occurred across major Western economies: the U.S., Germany, Italy, Spain, and the UK.
  • 63% of intrusions began with exploitation of internet-facing systems — a sign that publicly exposed digital infrastructure is now the primary entry point, with significant implications for how companies think about their external attack surface.
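The SOCKS5 proxy capability noted above matters to defenders because a compromised server that completes a SOCKS5 negotiation is offering to relay traffic on the attacker's behalf, whatever port it happens to listen on. The following Python example, added here and not taken from Darktrace's post or from the Chaos sample, recognises an RFC 1928 handshake in the ordered payloads of one TCP connection and extracts the destination the client asked the host to reach. The byte captures at the bottom are constructed for illustration; wiring the classifier to a real packet capture is left to the reader.

```python
"""Recognise a SOCKS5 (RFC 1928) handshake in captured TCP payloads.

Added example for this article; not Darktrace's code and not derived
from the Chaos sample. The flows at the bottom are constructed, not real.
"""
from dataclasses import dataclass
import ipaddress
import struct
from typing import Iterable, Optional, Tuple

SOCKS_VERSION = 0x05
METHOD_NO_AUTH, METHOD_USERPASS, METHOD_NONE_ACCEPTABLE = 0x00, 0x02, 0xFF
CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


@dataclass
class SocksRequest:
    command: str
    dst_host: str
    dst_port: int


@dataclass
class FlowVerdict:
    offered: bool                    # server selected a method other than 0xFF
    request: Optional[SocksRequest]  # first request the client sent, if parsed


def is_client_greeting(payload: bytes) -> bool:
    """Client hello: VER=0x05, NMETHODS, then exactly NMETHODS method bytes."""
    if len(payload) < 3 or payload[0] != SOCKS_VERSION:
        return False
    return payload[1] >= 1 and len(payload) == 2 + payload[1]


def is_server_choice(payload: bytes) -> bool:
    """Server reply: VER=0x05 plus the selected method; 0xFF is a refusal."""
    return (len(payload) == 2 and payload[0] == SOCKS_VERSION
            and payload[1] != METHOD_NONE_ACCEPTABLE)


def parse_request(payload: bytes) -> Optional[SocksRequest]:
    """Parse VER CMD RSV ATYP DST.ADDR DST.PORT; None if not well-formed."""
    if len(payload) < 4 or payload[0] != SOCKS_VERSION or payload[2] != 0x00:
        return None
    cmd, atyp = CMD_NAMES.get(payload[1]), payload[3]
    if cmd is None:
        return None
    if atyp == ATYP_IPV4:
        addr_start, addr_end = 4, 8
    elif atyp == ATYP_IPV6:
        addr_start, addr_end = 4, 20
    elif atyp == ATYP_DOMAIN:
        if len(payload) < 5 or payload[4] == 0:
            return None
        addr_start, addr_end = 5, 5 + payload[4]   # length-prefixed name
    else:
        return None
    if len(payload) != addr_end + 2:               # must end exactly at the port
        return None
    raw = payload[addr_start:addr_end]
    try:
        host = raw.decode("ascii") if atyp == ATYP_DOMAIN else str(ipaddress.ip_address(raw))
    except (UnicodeDecodeError, ValueError):
        return None
    (port,) = struct.unpack("!H", payload[addr_end:])
    return SocksRequest(cmd, host, port)


def classify_flow(flow: Iterable[Tuple[str, bytes]]) -> FlowVerdict:
    """Walk one connection's payloads, tagged "c2s" or "s2c", through the
    handshake. Handles no-auth (0x00) and RFC 1929 user/password (0x02);
    any other selected method still counts as offered, but no request is parsed."""
    state = "greeting"
    for direction, payload in flow:
        if state == "greeting":                    # SOCKS5 clients speak first
            if direction != "c2s" or not is_client_greeting(payload):
                return FlowVerdict(False, None)
            state = "choice"
        elif state == "choice" and direction == "s2c":
            if not is_server_choice(payload):
                return FlowVerdict(False, None)
            if payload[1] == METHOD_NO_AUTH:
                state = "request"
            elif payload[1] == METHOD_USERPASS:
                state = "auth"
            else:
                return FlowVerdict(True, None)
        elif state == "auth" and direction == "s2c":
            if payload != b"\x01\x00":             # RFC 1929: VER=0x01, STATUS=0x00
                return FlowVerdict(True, None)
            state = "request"
        elif state == "request" and direction == "c2s":
            return FlowVerdict(True, parse_request(payload))
    return FlowVerdict(state in ("auth", "request"), None)


# Constructed captures (not real traffic); each entry is one TCP payload.
CONNECT_FLOW = [
    ("c2s", b"\x05\x01\x00"),                              # greeting: no-auth only
    ("s2c", b"\x05\x00"),                                  # server accepts no-auth
    ("c2s", b"\x05\x01\x00\x03\x0bexample.org\x01\xbb"),   # CONNECT example.org:443
]
AUTH_FLOW = [
    ("c2s", b"\x05\x02\x00\x02"),
    ("s2c", b"\x05\x02"),                                  # server wants user/password
    ("c2s", b"\x01\x03bob\x03pw1"),                        # RFC 1929 credentials
    ("s2c", b"\x01\x00"),                                  # accepted
    ("c2s", b"\x05\x01\x00\x01\x0a\x00\x00\x05\x00\x16"),  # CONNECT 10.0.0.5:22
]
HTTP_FLOW = [("c2s", b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"), ("s2c", b"HTTP/1.1 200 OK\r\n")]

if __name__ == "__main__":
    for name, flow in (("connect", CONNECT_FLOW), ("auth", AUTH_FLOW), ("http", HTTP_FLOW)):
        print(name, classify_flow(flow))
```

Any server-side host in the estate that produces `offered=True` deserves a look, since a legitimate SOCKS5 proxy is rare on application servers. The parser deliberately rejects requests with trailing bytes or a zero-length domain, so a host that merely echoes the first bytes back will not register as a proxy.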
