

Ethical Hacking News

New Mirai Variant ShadowV2 Targets IoT Devices Amidst AWS Disruption



A new variant of the Mirai botnet called ShadowV2 has been detected targeting IoT devices across multiple countries during the late-October AWS outage. The malware uses various attack methods including UDP floods, TCP-based floods, and HTTP-level floods to launch DDoS attacks. Organizations are advised to review their security protocols, ensure timely firmware updates, and maintain robust monitoring capabilities to strengthen their cybersecurity posture.



  • The ShadowV2 botnet was discovered on November 28, 2025, targeting IoT devices across multiple countries and industries.
  • The botnet primarily targets IoT devices using flaws in products from well-known manufacturers such as DD-WRT, D-Link, and TP-Link.
  • ShadowV2 is notable for its resemblance to the Mirai LZRD variant and implements various attack methods including UDP floods, TCP-based floods, and HTTP-level floods.
  • The malware was active only during the AWS outage, suggesting it was a test run for future attacks.
  • The incident highlights the need for timely firmware updates, robust security practices, and continuous monitoring of threat intelligence to strengthen overall situational awareness and ecosystem resilience.



On November 28, 2025, a new variant of the infamous Mirai botnet, dubbed ShadowV2, was observed by researchers at FortiGuard Labs during the late-October AWS (Amazon Web Services) outage. The botnet is designed to exploit vulnerabilities in Internet of Things (IoT) devices and briefly targeted these devices across multiple countries and industries.

According to a report published by Fortinet, ShadowV2 primarily targets IoT devices using flaws in products from well-known manufacturers such as DD-WRT (CVE-2009-2765), D-Link (CVE-2020-25506, CVE-2022-37055, CVE-2024-10914, CVE-2024-10915), DigiEver (CVE-2023-52163), TBK (CVE-2024-3721), and TP-Link (CVE-2024-53375). The malware spreads through multiple IoT vulnerabilities, dropping a downloader script, binary.sh, from 81[.]88[.]18[.]108.

ShadowV2 is notable for its resemblance to the Mirai LZRD variant. It decodes its configuration using an XOR key of 0x22 and loads various paths, headers, and User-Agent strings before resolving its C2 (command-and-control) domain and connecting to the 81[.]88[.]18[.]108 server. After identifying itself as "ShadowV2 Build v1.0.0 for IoT", it initializes a range of UDP, TCP, and HTTP flood methods, waits for C2 commands, and launches DDoS attacks based on the parameters it receives.
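For analysts triaging a sample like this, the single-byte XOR scheme described above is easy to reverse. The following Python helper is an added example (not Fortinet's code and not the malware's): it decodes a Mirai-style NUL-terminated string table with the reported 0x22 key, and also recovers the key when it is unknown by scoring every single-byte candidate for readable output. The sample table is constructed inline for the demonstration.

```python
import re
from typing import List, Optional, Tuple


def xor_decode(blob: bytes, key: int) -> bytes:
    """Undo the single-byte XOR that Mirai-family samples apply to config strings."""
    return bytes(b ^ key for b in blob)


def plausible_ratio(data: bytes) -> float:
    """Share of bytes that are printable ASCII or NUL (the table terminator)."""
    ok = sum(1 for b in data if b == 0 or 0x20 <= b <= 0x7E)
    return ok / max(len(data), 1)


def recover_key(blob: bytes) -> int:
    """Try every non-zero single-byte key; the right one makes the whole table readable."""
    return max(range(1, 256), key=lambda k: plausible_ratio(xor_decode(blob, k)))


def printable_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Return the printable runs (at least min_len characters) between NUL terminators."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


# Constructed sample table: three strings of the kind the report describes (a path,
# a User-Agent header, the build banner), NUL-terminated and XOR'ed with 0x22.
SAMPLE_STRINGS = [b"/cgi-bin/status", b"User-Agent: Mozilla/5.0",
                  b"ShadowV2 Build v1.0.0 for IoT"]
SAMPLE_BLOB = xor_decode(b"\x00".join(SAMPLE_STRINGS) + b"\x00", 0x22)


def decode_config(blob: bytes, key: Optional[int] = None) -> Tuple[int, List[str]]:
    """Decode a config table; if no key is supplied, recover it by brute force."""
    key = recover_key(blob) if key is None else key
    return key, printable_strings(xor_decode(blob, key))


if __name__ == "__main__":
    key, strings = decode_config(SAMPLE_BLOB)
    print(f"recovered key: 0x{key:02x}")
    for s in strings:
        print("  ", s)
```

The key recovery works because a wrong key turns the NUL terminators and most letters into control bytes, so only the true key yields a fully readable table.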

In its report, Fortinet notes that ShadowV2 supports two transport-layer protocols (UDP and TCP) and the HTTP application protocol, implementing various attack methods including UDP floods, several TCP-based floods, and HTTP-level floods. The malware maps these behaviors to internal function names such as UDP, UDP Plain, UDP Generic, UDP Custom, TCP, TCP SYN, TCP Generic, TCP ACK, TCP ACK STOMP, and HTTP.

Fortinet observes that ShadowV2 listens for commands from its C2 server and triggers DDoS attacks using the corresponding attack method ID and parameters. The malware's behavior underscores the ongoing threat posed by IoT devices, which are increasingly becoming a focal point for cyber attackers.

According to FortiGuard Labs researchers, the botnet was active only during the AWS outage, suggesting that it was likely a test run for future attacks. This incident highlights the need for timely firmware updates, robust security practices, and continuous monitoring of threat intelligence to strengthen overall situational awareness and ensure ecosystem resilience in the face of evolving cyber threats.

The discovery of ShadowV2 further emphasizes the importance of maintaining a proactive cybersecurity posture, particularly when it comes to IoT device management. As more devices become connected to the internet, they also become potential entry points for malicious actors seeking to disrupt networks or conduct targeted attacks.

In light of this incident, organizations are advised to review their existing security protocols and ensure that all connected devices receive regular firmware updates and patches. Furthermore, maintaining robust monitoring capabilities and conducting regular threat intelligence assessments can help identify vulnerabilities before they are exploited by cyber attackers.




Related Information:
  • https://www.ethicalhackingnews.com/articles/New-Mirai-Variant-ShadowV2-Targets-IoT-Devices-Amidst-AWS-Disruption-ehn.shtml

  • Published: Fri Nov 28 02:58:52 2025 by llama3.2 3B Q4_K_M