Cybersecurity researchers have uncovered a new botnet service called ShadowV2, which customers can rent to launch distributed denial-of-service (DDoS) attacks. The operation primarily targets misconfigured Docker containers on Amazon Web Services (AWS) cloud servers. Once a system is compromised, Go-based malware is deployed to turn it into an attack node in the larger DDoS botnet. Darktrace first detected the malware on its honeypots. The operation is orchestrated through a Python-based command-and-control (C2) framework hosted on GitHub Codespaces, showing how a readily available platform can be repurposed for malicious ends.
What makes ShadowV2 particularly dangerous is its sophisticated attack methods. The threat actors behind it combine advanced techniques, including HTTP/2 Rapid Reset and a bypass for Cloudflare’s Under Attack Mode (UAM). This demonstrates a high level of technical skill, allowing them to pair targeted exploitation with large-scale DDoS attacks. The campaign uses a Python-based spreader module to breach exposed Docker daemons, particularly those on AWS EC2, while the Go-based Remote Access Trojan (RAT) handles command execution and communicates with the operators over HTTP. The developers market ShadowV2 as an “advanced attack platform,” highlighting its capabilities.
Instead of the typical approach of dropping a custom or existing image from Docker Hub, ShadowV2 uses a unique method to evade detection. It first spawns a generic setup container from an Ubuntu image, installs various tools within it, and then builds and deploys this new image as a live container. This slightly different approach may be an attempt by the attackers to avoid leaving forensic artifacts directly on the victim’s machine. The final container then executes a Go-based ELF binary, which communicates with the C2 server to send heartbeat messages and receive new commands, further solidifying its role in the botnet.
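The build-in-place pattern described above leaves a detectable sequence in the Docker daemon's event stream: a container created from a generic base image, an image tagged locally without ever being pulled, and a new container started from that locally built image. The detector below is an added example, not code from the report or from Darktrace; the event lines are constructed in the shape of `docker events --format '{{json .}}'` output, and the `GENERIC_BASES` list and the one-hour window are tuning assumptions.

```python
import json

# Base images an intruder could use as a throwaway "setup" container (assumption: tune per fleet).
GENERIC_BASES = ("ubuntu", "debian", "alpine")

# Constructed sample of `docker events --format '{{json .}}'` output (not a real capture).
SAMPLE_EVENTS = """
{"Type":"image","Action":"pull","Actor":{"ID":"ubuntu:22.04","Attributes":{"name":"ubuntu"}},"time":1700000000}
{"Type":"container","Action":"create","Actor":{"ID":"aaa111","Attributes":{"image":"ubuntu:22.04","name":"setup"}},"time":1700000005}
{"Type":"image","Action":"tag","Actor":{"ID":"sha256:deadbeef","Attributes":{"name":"sysupd:latest"}},"time":1700000120}
{"Type":"container","Action":"create","Actor":{"ID":"bbb222","Attributes":{"image":"sysupd:latest","name":"svc"}},"time":1700000130}
{"Type":"image","Action":"pull","Actor":{"ID":"nginx:1.25","Attributes":{"name":"nginx"}},"time":1700000200}
{"Type":"container","Action":"create","Actor":{"ID":"ccc333","Attributes":{"image":"nginx:1.25","name":"web"}},"time":1700000210}
"""


def _image_base(ref):
    """Reduce an image reference such as 'docker.io/library/ubuntu:22.04' to 'ubuntu'."""
    return ref.rsplit("/", 1)[-1].split(":")[0].split("@")[0]


def find_local_build_chains(event_lines, window=3600):
    """Return alerts for containers created from an image that was tagged locally (never
    pulled) within `window` seconds of a container being created from a generic base image."""
    pulled, local_tags, setup_containers, alerts = set(), {}, [], []
    for line in event_lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        etype, action, actor, ts = ev["Type"], ev["Action"], ev["Actor"], ev["time"]
        attrs = actor.get("Attributes", {})
        if etype == "image" and action == "pull":
            pulled.add(actor["ID"])                      # registry-sourced image: expected
        elif etype == "image" and action == "tag":
            name = attrs.get("name", "")
            if name not in pulled:
                local_tags[name] = ts                    # image built/committed on the host itself
        elif etype == "container" and action == "create":
            image = attrs.get("image", "")
            if _image_base(image) in GENERIC_BASES:
                setup_containers.append((actor["ID"], ts))  # candidate throwaway setup container
            elif image in local_tags:
                for setup_id, setup_ts in setup_containers:
                    if 0 <= ts - setup_ts <= window:
                        alerts.append({"setup_container": setup_id,
                                       "built_image": image, "container": actor["ID"]})
                        break
    return alerts
```

On a real host, feed the function the output of `docker events --format '{{json .}}'` and treat each alert as a lead to inspect the flagged container's process tree and outbound connections.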
Further analysis of the C2 infrastructure reveals it’s hosted behind Cloudflare to mask its true location. The server, which uses FastAPI and Pydantic, includes a login panel and operator interface, confirming its purpose as a “DDoS-for-Hire” service. The API endpoints allow operators to manage users, configure attack types, specify attack origins, and even exclude certain sites from being targeted. This extensive API and user interface showcase the continued professionalization and “cybercrime-as-a-service” model. The modular, Go-based RAT and structured API highlight the sophisticated development practices of these threat actors.
The emergence of ShadowV2 coincides with other significant cybersecurity developments, including a web scanning botnet targeting vulnerable systems and recent record-breaking DDoS attacks. For instance, Cloudflare recently mitigated two of the largest DDoS attacks ever recorded, peaking at 22.2 terabits per second (Tbps) and 11.5 Tbps, respectively. These attacks were linked to the AISURU botnet, which has infected nearly 300,000 devices, primarily routers and security cameras. The AISURU botnet, managed by a team of three individuals, continues to evolve, adding features like a modified RC4 algorithm for decryption and checks for network utilities to evade detection.