A retooled Chaos botnet variant is actively compromising misconfigured Hadoop deployments that expose unauthenticated RCE endpoints, particularly the YARN ResourceManager on port 8088. Beyond the cryptomining payloads seen previously, it deploys SOCKS proxy modules to monetize the compromised cloud infrastructure. Infrastructure overlaps with Silver Fox / ValleyRAT have been observed, but attribution remains unconfirmed.

Remediation is configuration-based, since no vendor patch exists for this malware: enforce Kerberos authentication on Hadoop services and block management ports at the network level.

Immediate actions: block Hadoop management ports (8088, 8032, 50070, 14000) at cloud security groups, enable Kerberos authentication on YARN and HDFS, and query VPC flow logs for outbound SOCKS proxy traffic patterns from Hadoop host IPs.
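An added example, not part of the original advisory: one way to run the flow-log check described above, assuming AWS default-format (version 2) VPC flow log records. The fan-out threshold, the ephemeral-port cutoff and the use of port 1080 as a SOCKS indicator are assumptions, and the sample records are constructed from documentation address ranges.

```python
import ipaddress
from collections import defaultdict

MGMT_PORTS = {8088, 8032, 50070, 14000}  # management ports named in the advisory
SOCKS_PORT = 1080  # assumption: conventional SOCKS port; the module may use another
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records, default v2 field order:
# version account eni src dst sport dport proto packets bytes start end action status
SAMPLE = """\
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.1.20 51544 8088 6 12 3400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.20 203.0.113.7 8088 51544 6 10 9000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.20 40000 50070 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.20 10.0.1.30 45000 8032 6 8 900 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.20 198.51.100.10 40112 443 6 30 8000 1700000060 1700000120 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.20 198.51.100.11 40113 80 6 30 8000 1700000060 1700000120 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.20 192.0.2.55 40114 1080 6 30 8000 1700000060 1700000120 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000120 1700000180 - NODATA
""".splitlines()

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL)

def audit_flow_logs(lines, hadoop_hosts, fanout_threshold=3):
    """Return exposed management ports and outbound proxy-like fan-out per Hadoop host."""
    exposed, socks, fanout = set(), set(), defaultdict(set)
    for line in lines:
        f = line.split()
        # Skip headers, NODATA/SKIPDATA records and rejected flows.
        if len(f) != 14 or f[0] != "2" or f[13] != "OK" or f[12] != "ACCEPT":
            continue
        src, dst, sport, dport, proto = f[3], f[4], int(f[5]), int(f[6]), f[7]
        if proto != "6":  # TCP only
            continue
        # Signal 1: an external address was allowed to reach a management port.
        if dst in hadoop_hosts and dport in MGMT_PORTS and is_external(src):
            exposed.add((src, dst, dport))
        # Signal 2 (heuristic): host-initiated flows to external destinations.
        # An ephemeral source port that is not a Hadoop service port filters out
        # the host's own replies to inbound clients.
        if (src in hadoop_hosts and is_external(dst)
                and sport >= 32768 and sport not in MGMT_PORTS):
            fanout[src].add(dst)
            if dport == SOCKS_PORT:
                socks.add((src, dst))
    suspects = {h: sorted(d) for h, d in fanout.items() if len(d) >= fanout_threshold}
    return {"exposed_mgmt": sorted(exposed), "fanout_suspects": suspects,
            "socks_port_flows": sorted(socks)}
```

On real data, tune `fanout_threshold` against each host's normal egress baseline; a Hadoop worker normally talks to a small, stable set of external endpoints.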