Ethical Hacking News
A new ShadowV2 botnet malware has been discovered, targeting a range of IoT devices and spreading rapidly across the globe. As researchers continue to analyze the threat, it is clear that this incident highlights the pressing need for improved IoT security measures to protect against future attacks.
The recent AWS outage revealed a new Mirai-based botnet malware called 'ShadowV2,' which has already shown itself to be formidable in spreading across various IoT devices. The ShadowV2 attacks originated from IP address 198.199.72.27 and targeted diverse devices, including routers, NAS devices, and DVRs, causing global disruptions. The malware identifies itself as "ShadowV2 Build v1.0.0 IoT version" and is similar to the Mirai LZRD variant; it is delivered through a downloader script that fetches it from a server. ShadowV2 supports DDoS attacks on UDP, TCP, and HTTP protocols, with various flood types for each, and its command-and-control infrastructure triggers these attacks via commands sent to the bots. The threat's monetization strategy is unknown, but it is likely that ShadowV2's operators will rent its firepower or extort targets in exchange for stopping attacks. Fortinet shared IoCs to help identify this emerging threat and warned about the importance of keeping firmware updated on IoT devices to prevent such attacks. IoT security is a growing concern due to increasing attacks targeting these devices, and it's essential to implement proper security protocols, update firmware regularly, and address vendor vulnerabilities.
The recent AWS outage may seem like a minor incident to some, but its potential consequences are far-reaching and sinister. For Fortinet's FortiGuard Labs researchers, the outage provided a unique opportunity to observe a new Mirai-based botnet malware known as 'ShadowV2.' The malware has already demonstrated its ability to spread across IoT devices from prominent vendors such as D-Link, TP-Link, and others.
The ShadowV2 attacks originated from the IP address 198.199.72.27 and targeted a diverse range of devices including routers, NAS devices, and DVRs across multiple sectors including government, technology, manufacturing, managed security service providers (MSSPs), telecommunications, and education. The impact was global, with attacks observed in North and South America, Europe, Africa, Asia, and Australia.
According to Fortinet's detailed report, the malware identifies itself as "ShadowV2 Build v1.0.0 IoT version," and is similar to the Mirai LZRD variant. It is delivered to vulnerable devices through an initial access stage using a downloader script (binary.sh) that fetches it from a server at 81.88.18.108.
The malware stores its configuration XOR-encoded, covering filesystem paths, User-Agent strings, HTTP headers, and Mirai-style strings. In terms of functional capabilities, it supports distributed denial-of-service (DDoS) attacks over UDP, TCP, and HTTP, with several flood types for each protocol. The command-and-control (C2) infrastructure triggers these attacks via commands sent to the bots.
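Mirai-style XOR obfuscation of the kind described above is cheap to undo when analyzing a sample. The helper below is an added example, not code from the Fortinet report or the malware: the key (0x22, the effective single-byte key of the classic Mirai table) and the sample table are assumptions constructed here, and the NUL-terminator trick relies on the classic Mirai layout, which stores each string with its terminating NUL.

```python
from __future__ import annotations
import string

ASSUMED_KEY = 0x22  # assumption: 0xDE ^ 0xAD ^ 0xBE ^ 0xEF, the classic Mirai table key
ALNUM_SPACE = set((string.ascii_letters + string.digits + " ").encode())

def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; the same call encodes and decodes."""
    return bytes(b ^ key for b in data)

def printable_ratio(buf: bytes) -> float:
    """Fraction of bytes that are printable ASCII, used to sanity-check a key."""
    return sum(0x20 <= b < 0x7F for b in buf) / len(buf) if buf else 0.0

def text_score(buf: bytes) -> float:
    """Score decoded bytes: alphanumerics/space 1.0, other printable 0.5, else 0."""
    return sum(1.0 if b in ALNUM_SPACE else 0.5 if 0x20 <= b < 0x7F else 0.0
               for b in buf)

def recover_key(entries: list[bytes]) -> int | None:
    """Guess the single-byte key protecting a set of obfuscated table entries.

    Mirai stores each string with its terminating NUL, so when every entry ends
    in the same byte that byte is the encoded NUL, i.e. the key; confirm it by
    checking that the decoded text is printable. Otherwise brute-force all 256
    keys and keep the one whose decoded output looks most like text.
    """
    if not entries or not all(entries):
        return None
    if len({e[-1] for e in entries}) == 1:
        key = entries[0][-1]
        if all(printable_ratio(xor_bytes(e[:-1], key)) == 1.0 for e in entries):
            return key
    return max(range(256), key=lambda k: sum(text_score(xor_bytes(e, k)) for e in entries))

def decode_table(entries: list[bytes], key: int) -> list[str]:
    """Decode each entry and drop the NUL terminator, as the bot does at runtime."""
    return [xor_bytes(e, key).split(b"\x00", 1)[0].decode("latin-1") for e in entries]

# Constructed sample table covering the string kinds the report lists as XOR-encoded:
# filesystem paths, a User-Agent, an HTTP header and a Mirai-style command string.
PLAINTEXTS = [
    "/proc/self/exe",
    "Mozilla/5.0 (X11; Linux x86_64)",
    "Content-Type: application/x-www-form-urlencoded",
    "/bin/busybox",
]
SAMPLE_TABLE = [xor_bytes(p.encode() + b"\x00", ASSUMED_KEY) for p in PLAINTEXTS]
```

Running `recover_key(SAMPLE_TABLE)` returns 0x22 and `decode_table(SAMPLE_TABLE, 0x22)` yields the plaintexts again; on a real dump the same two calls replace the table bytes pulled out of the binary.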
Typically, DDoS botnets make money by renting their firepower to cybercriminals or by directly extorting targets, demanding payment to stop the attacks. However, it is not yet known who is behind ShadowV2 or what their monetization strategy is.
Fortinet shared indicators of compromise (IoCs) at the bottom of its report to help identify this emerging threat, while warning about the importance of keeping firmware updated on IoT devices.
The growing concern for IoT security stems from the increasing number of attacks targeting these devices. The lack of proper security measures, and of regular updates for older models, has created a ripe environment for threats like ShadowV2 to flourish.
IoT devices are ubiquitous in modern homes, businesses, and industries, making them an attractive target for malicious actors. The recent incidents highlight the need for more stringent security protocols and regular firmware updates to protect these devices from potential threats.
In addition, it is crucial for vendors to address vulnerabilities in their products by providing timely patches and security updates. Furthermore, consumers must be aware of the importance of updating their devices regularly to ensure they have the latest security measures in place.
The emergence of ShadowV2 highlights the need for a comprehensive approach to IoT security, encompassing both hardware and software solutions. By strengthening the security posture of IoT devices, we can reduce the risk of attacks like ShadowV2 and safeguard against future threats.
In conclusion, the recent AWS outage served as an opportunity for researchers to discover and analyze a new Mirai-based botnet malware known as 'ShadowV2.' This threat has already demonstrated its potential to spread across various IoT devices, causing significant disruptions globally. It is imperative that we take proactive measures to address this growing concern by prioritizing firmware updates, implementing robust security protocols, and fostering collaboration among vendors and consumers.
Related Information:
https://www.ethicalhackingnews.com/articles/A-New-ShadowV2-Botnet-Malware-The-Growing-Concern-for-IoT-Security-ehn.shtml
https://www.bleepingcomputer.com/news/security/new-shadowv2-botnet-malware-used-aws-outage-as-a-test-opportunity/
Published: Wed Nov 26 16:30:06 2025 by llama3.2 3B Q4_K_M