Key Takeaways
The first Linux version of ChaChi, a Golang-based DNS tunneling backdoor, was recently observed on VirusTotal.
The malware is configured to use domains associated with ransomware actors known as PYSA, aka Menipoza Ransomware Gang.
PYSA’s ChaChi infrastructure appears to have been largely dormant for the past several weeks, mostly parked and apparently no longer operational.
We assess with moderate confidence this sample represents the PYSA actor expanding into targeting Linux …