
After three years investigating dozens of Chinese-nexus intrusions, Darktrace's threat researchers found these actors aren't running one playbook - they're running two simultaneously.
The first is a "smash and grab" model: rapid intrusions that complete IP theft within 48 hours, hitting manufacturing, telecom, and logistics sectors that map closely to Chinese industrial policy.
The second is "low and slow": attackers embed themselves in identity systems and remain dormant for months or years inside transportation networks, telecoms, and critical infrastructure. Some security teams discovered they had been hosting intruders for 600-plus days.
The research also details how an existing malware family, Chaos, has been adapted to target 64-bit Linux servers. Chaos had previously only targeted routers and edge devices.
The move toward 64-bit Linux server targeting is significant because it suggests Chaos may be expanding from lower-value edge devices into more capable server infrastructure, which could give attackers more useful footholds for proxying, persistence, and follow-on activity, and therefore enable larger attacks.