Chaos RAT Used to Enhance Linux Cryptomining Attacks
2022-12-12 11:00:00
The Chaos remote administrative tool (RAT) has been used to improve the efficiency of cryptocurrency mining attacks against Linux systems.
The findings from Trend Micro security researchers were detailed in an advisory published on Sunday.
“We’ve previously written about cryptojacking scenarios involving Linux machines and specific cloud computing instances being targeted by threat actors active in this space, such as TeamTNT,” the security experts wrote.
During their investigation, Trend Micro said they found that attacker tactics were similar even when different threat actors were involved.
“The initial phase saw attackers trying to kill off competing malware, security products, and other cloud middleware. This was followed by routines for persistence and payload execution, which in most cases is a Monero (XMR) cryptocurrency miner,” reads the technical write-up.
For more sophisticated threats, Trend Micro said they have also observed capabilities that allowed infection of more devices.
“In November 2022, we intercepted a threat that had a slightly different routine and incorporated an advanced RAT named Chaos […] which is based on an open-source project.”
In the newly observed attacks, the main downloader script and further payloads were hosted in different locations to ensure that the campaign remained active and kept on spreading.
During this malicious campaign, the scripts spotted by Trend Micro showed that the main server, which…