A new Mirai-based botnet, ShadowV2, briefly targeted vulnerable Internet of Things (IoT) devices during the AWS outage in late October. Researchers at FortiGuard Labs observed the malware exploiting IoT vulnerabilities across numerous countries and industries, suggesting the activity was likely a test run for future, larger-scale attacks.
Global Targeting During AWS Disruption
ShadowV2 was active only during the late October AWS disruption. It targets IoT devices by exploiting known vulnerabilities in products from various vendors, including DD-WRT (CVE-2009-2765), D-Link, DigiEver, TBK, and TP-Link.
The botnet targeted devices across multiple countries worldwide, spanning Oceania (Australia), the Americas (Canada, US, Brazil), Europe (UK, France, Italy), Africa (Morocco, South Africa), and Asia (China, Japan, Russia). Victims were reported across several industries, including technology, retail, hospitality, government, and telecommunications.
Malware Operation and Capabilities
ShadowV2 spreads through multiple IoT vulnerabilities, dropping a downloader script named binary.sh. The malware resembles the Mirai LZRD variant, using XOR key 0x22 to decode its configuration and load paths, headers, and User-Agent strings.
After resolving its Command and Control (C2) domain, ShadowV2 connects to 81[.]88[.]18[.]108 and identifies itself as "ShadowV2 Build v1.0.0 for IoT." It then initializes a wide range of flood methods and waits for C2 commands to launch Distributed Denial of Service (DDoS) attacks.
The malware supports three protocols: UDP, TCP, and HTTP. Implemented attack methods include UDP floods, several TCP-based floods (such as TCP SYN and TCP ACK STOMP), and HTTP-level floods.
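For analysts triaging a suspected sample, the single-byte XOR configuration decoding described above can be reproduced in a few lines. This is an added example, not code from the article or from FortiGuard Labs; the blob layout, the string shapes it looks for, and all sample strings are constructed assumptions.

```python
import re

XOR_KEY = 0x22  # single-byte key the article reports for ShadowV2's config

def xor_bytes(data: bytes, key: int = XOR_KEY) -> bytes:
    """XOR every byte with the key; the same call encodes and decodes."""
    return bytes(b ^ key for b in data)

# Assumed shapes for the config items the article lists (paths, headers, User-Agent).
PATTERNS = {
    "path": re.compile(r"^/[\w./-]+$"),
    "header": re.compile(r"^[A-Za-z][A-Za-z-]*: \S.*$"),
}

def extract_config(blob: bytes, key: int = XOR_KEY, min_len: int = 6) -> dict:
    """Decode blob and return the decoded strings grouped by what they look like."""
    decoded = xor_bytes(blob, key)
    found = {name: [] for name in PATTERNS}
    # Printable ASCII runs; an encoded NUL terminator decodes to 0x00 and splits runs.
    for run in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, decoded):
        text = run.decode("ascii")
        for name, pattern in PATTERNS.items():
            if pattern.match(text):
                found[name].append(text)
                break
    return found

def build_sample() -> bytes:
    """Constructed test blob (not from a real sample): filler plus encoded strings."""
    filler = b"\x90\x90\xff\xfe"
    strings = [b"/example/path.sh", b"User-Agent: ExampleAgent/1.0", b"Accept: text/html"]
    body = b"".join(xor_bytes(s + b"\x00") for s in strings)
    # The unencoded marker decodes to printable junk and must not be classified.
    return filler + b"plaintext_marker" + filler + body + filler

if __name__ == "__main__":
    for kind, values in extract_config(build_sample()).items():
        for value in values:
            print(f"{kind:7} {value}")
```

Because XOR with 0x22 maps many printable bytes to other printable bytes, plain strings in a binary decode to readable-looking junk, which is why the decoded runs are filtered by shape rather than by printability alone.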
Fortinet concluded that the evolution of ShadowV2 suggests a strategic shift in threat actor focus toward IoT environments, underscoring that IoT devices remain a major security weak point. Maintaining timely firmware updates and continuous threat intelligence monitoring is critical for ecosystem resilience.

