Ethical Hacking News
A new botnet known as ShadowV2 has been discovered that exploits misconfigured AWS Docker containers to launch distributed denial-of-service (DDoS) attacks against targets of interest, and is believed to be linked to a "DDoS-for-Hire" service. The botnet's Go-based malware turns infected systems into attack nodes and co-opts them into the larger DDoS botnet, making it an advanced threat platform that combines distributed denial-of-service techniques with targeted exploitation.
Researchers discovered a new botnet called ShadowV2 exploiting misconfigured AWS Docker containers for DDoS attacks. The malware uses a Python-based C2 framework and incorporates advanced attack methods, including HTTP/2 Rapid Reset and Cloudflare UAM bypass. The attackers breach Docker daemons using a Python-based spreader module, allowing them to execute malicious payloads. The botnet is linked to a "DDoS-for-Hire" service, raising concerns about the commodification of cybercrime services. The attack peaked at 22.2 Tbps and 10.6 Bpps in a single 40-second attack, marking the largest ever recorded DDoS attack.
In a recent discovery, cybersecurity researchers have shed light on a new botnet known as ShadowV2 that has been exploiting misconfigured AWS Docker containers to launch sophisticated distributed denial-of-service (DDoS) attacks against targets of interest. The findings were made by Darktrace, a leading cybersecurity company that detected the malware targeting its honeypots on June 24, 2025.
At the center of this campaign is a Python-based command-and-control (C2) framework hosted on GitHub Codespaces, according to security researcher Nathaniel Bill. What sets this campaign apart is the sophistication of its attack toolkit. The threat actors employ advanced methods such as HTTP/2 Rapid Reset, a Cloudflare under attack mode (UAM) bypass, and large-scale HTTP floods, demonstrating a capability to combine distributed denial-of-service (DDoS) techniques with targeted exploitation.
The activity is notable for incorporating a Python-based spreader module to breach Docker daemons, mainly those running on AWS EC2. This allows the malware to gain access to the Docker containers and execute malicious payloads. The Go-based remote access trojan (RAT) enables command execution and communication with its operators using the HTTP protocol.
The attackers have taken an unconventional approach: they first spawn a generic setup container from an Ubuntu image and install various tools in it. An image of that container is then built and deployed as a live container. It is not fully understood why the attackers chose this method; however, Darktrace believes it might be an attempt to avoid leaving forensic artifacts on the victim machine.
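The setup-container-then-commit pattern described above leaves a distinctive sequence in the Docker daemon's event stream, which a defender can watch for. The following is an added detection example written for this article (not Darktrace's code): it consumes `docker events --format '{{json .}}'` output, records every `commit` of a running container, and alerts when a new container is created from the committed image. The sample events, container IDs, image names and timestamps are constructed.

```python
import json

# Constructed sample of `docker events --format '{{json .}}'` output, written for
# this example; IDs, names and timestamps are invented, not taken from the article.
SAMPLE_EVENTS = """\
{"Type":"image","Action":"pull","Actor":{"ID":"ubuntu:latest","Attributes":{"name":"ubuntu"}},"time":1750000000}
{"Type":"container","Action":"create","Actor":{"ID":"aaa111","Attributes":{"image":"ubuntu:latest","name":"setup"}},"time":1750000001}
{"Type":"container","Action":"start","Actor":{"ID":"aaa111","Attributes":{"image":"ubuntu:latest","name":"setup"}},"time":1750000002}
{"Type":"container","Action":"commit","Actor":{"ID":"aaa111","Attributes":{"image":"ubuntu:latest","imageID":"sha256:0123abcd","imageRef":"staged:latest","name":"setup"}},"time":1750000120}
{"Type":"container","Action":"create","Actor":{"ID":"bbb222","Attributes":{"image":"staged:latest","name":"worker"}},"time":1750000130}
{"Type":"container","Action":"start","Actor":{"ID":"bbb222","Attributes":{"image":"staged:latest","name":"worker"}},"time":1750000131}
"""

# Stock base images: a commit of a container built from one of these is the
# "generic setup container" case the article describes.
BASE_IMAGES = ("ubuntu", "debian", "alpine")


def find_commit_then_run(event_lines):
    """Flag containers created from an image that was committed from a live container.

    Returns one alert per matching 'create' event, carrying the source container,
    the committed image reference, and whether the source came from a stock base image.
    """
    committed = {}   # image ref or image ID -> ID of the container it was committed from
    base_of = {}     # container ID -> image the container was created from
    alerts = []
    for line in event_lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("Type") != "container":
            continue
        actor = ev["Actor"]
        attrs = actor.get("Attributes", {})
        action = ev.get("Action", "")
        if action == "create":
            base_of[actor["ID"]] = attrs.get("image", "")
            src = committed.get(attrs.get("image"))
            if src is not None:
                alerts.append({
                    "time": ev.get("time"),
                    "new_container": actor["ID"],
                    "image": attrs.get("image"),
                    "source_container": src,
                    "source_from_base_image": base_of.get(src, "").split(":")[0] in BASE_IMAGES,
                })
        elif action == "commit":
            # Docker reports both the tag (imageRef) and digest (imageID) of the new image;
            # remember both so a later create by either name is matched.
            for key in ("imageRef", "imageID"):
                if attrs.get(key):
                    committed[attrs[key]] = actor["ID"]
    return alerts


if __name__ == "__main__":
    for alert in find_commit_then_run(SAMPLE_EVENTS.splitlines()):
        print(json.dumps(alert))
```

In production the same function can be fed a live stream (`docker events --format '{{json .}}' | python3 detect.py`) rather than the embedded sample.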
In recent months, similar campaigns have been observed targeting exposed Docker instances, using that access either to drop a custom image or to run an existing image from Docker Hub in order to deploy the necessary payloads. ShadowV2, however, takes a distinct approach by exploiting misconfigured AWS Docker containers directly.
This sophisticated attack platform has significant implications for organizations that rely on cloud-based services, such as Amazon Web Services (AWS). The fact that the attackers are using a Python-based C2 framework hosted on GitHub Codespaces highlights the growing importance of open-source software in cybercrime campaigns. Furthermore, the use of HTTP/2 Rapid Reset and a Cloudflare Under Attack mode (UAM) bypass demonstrates the threat actors' ability to adapt and evolve their tactics.
The botnet is believed to be linked to a "DDoS-for-Hire" service, which allows customers to rent access to conduct DDoS attacks against targets of interest. This raises significant concerns about the growing commodification of cybercrime services, where attackers are now offering malicious tools and expertise for hire.
According to Cloudflare, it autonomously blocked hyper-volumetric DDoS attacks peaking at 22.2 terabits per second (Tbps) and 10.6 billion packets per second (Bpps) in a single 40-second attack. This marks the largest DDoS attack ever recorded to date.
In addition, Chinese security firm QiAnXin XLab has disclosed that the botnet known as AISURU is responsible for this campaign. The researchers noted that the botnet has infected nearly 300,000 devices, mainly routers and security cameras, and is run by three individuals – Snow, Tom, and Forky – who handle development, vulnerability integration, and sales, respectively.
The increasing sophistication of cybercrime campaigns highlights the need for robust cybersecurity measures to protect against emerging threats. Organizations must prioritize the implementation of advanced threat detection systems, regular security audits, and employee education programs to stay ahead of these evolving threats.
In conclusion, the ShadowV2 botnet represents a significant advancement in DDoS attacks, showcasing the growing sophistication of cybercrime campaigns. As cloud-based services continue to play an increasingly important role in our digital lives, it is essential that organizations take proactive steps to protect themselves against these emerging threats.
Related Information:
https://www.ethicalhackingnews.com/articles/The-ShadowV2-Botnet-A-Sophisticated-Threat-Platform-Exploiting-Misconfigured-AWS-Docker-Containers-for-DDoS-Attacks-ehn.shtml
https://thehackernews.com/2025/09/shadowv2-botnet-exploits-misconfigured.html
Published: Tue Sep 23 08:56:11 2025 by llama3.2 3B Q4_K_M