
Cybersecurity researchers have disclosed details of a new botnet that lets customers rent access to carry out distributed denial-of-service (DDoS) attacks against targets of interest.
According to Darktrace, the ShadowV2 botnet primarily targets misconfigured Docker containers on Amazon Web Services (AWS) cloud servers, turning infected systems into attack nodes and deploying Go-based malware that can be co-opted into a larger DDoS botnet. The cybersecurity company said it detected the malware targeting its honeypots on June 24, 2025.
“At the heart of this campaign is a Python-based command-and-control (C2) framework hosted in GitHub Codespaces,” security researcher Nathaniel Bill said in a report shared with Hacker News.
“What sets this campaign apart is the refinement of the attack toolkit. Threat actors employ advanced methods such as HTTP/2 Rapid Reset, Cloudflare Under Attack Mode (UAM) bypass, and large-scale HTTP flooding, demonstrating their ability to combine targeted exploitation and distributed denial-of-service (DDoS) technology.”
This activity is notable because it incorporates a Python-based spreader module that primarily compromises Docker daemons running on AWS EC2. Meanwhile, a Go-based remote access trojan (RAT) uses the HTTP protocol for command execution and communication with the operators. ShadowV2 is described by its author as an “advanced attack platform.”

Campaigns targeting exposed Docker instances are generally known to use that access to drop custom images, or to pull existing images from Docker Hub, in order to deploy the required payload. ShadowV2, however, takes a slightly different approach: it first creates a generic setup container from an Ubuntu image and installs various tools inside it.
An image is then created from that container and deployed as a live container. Darktrace says it is currently unclear why the attacker chose this method, but it may be an attempt to avoid leaving forensic artifacts by building the image directly on the victim’s machine.
The container paves the way for running a Go-based ELF binary that establishes communication with the C2 server (“shadow.aurozacloud[.]xyz”), periodically sends heartbeat messages to the operator, and polls the server’s endpoint for new commands.
It also incorporates the ability to perform HTTP/2 Rapid Reset attacks in addition to traditional HTTP floods, and to sidestep Cloudflare’s Under Attack Mode by using the ChromeDP tool to solve the JavaScript challenge presented to the user and obtain the clearance cookies used in subsequent requests. That said, given that these challenges are explicitly designed to block headless browser traffic, it is unlikely that the bypass works.
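The build-on-the-victim pattern described above (start a stock Ubuntu container, install tooling into it, commit it as an image, then run that image) is visible in the Docker daemon's own event stream. The following detector is an added example written for this article, not code from Darktrace or from the malware; it consumes lines in the JSON shape emitted by `docker events --format '{{json .}}'` and flags a container that was created from a committed image whose source container was a generic OS base with package installs run inside it. The event lines are constructed for the example, and the `imageRef`/`imageID` attribute names on the `commit` event reflect my understanding of the daemon's event attributes rather than anything the article states.

```python
import json

# Generic OS images that an attacker would use as a throwaway build base.
BASE_IMAGES = ("ubuntu", "debian", "alpine", "centos")
# Command fragments that indicate tooling being installed inside the container.
INSTALL_MARKERS = ("apt-get install", "apt install", "apk add", "yum install", "pip install")

# Constructed sample in the `docker events` JSON-lines format (not real telemetry).
SAMPLE_EVENTS = """
{"Type":"container","Action":"create","Actor":{"ID":"c1","Attributes":{"image":"ubuntu:22.04","name":"setup"}},"time":1750723200}
{"Type":"container","Action":"start","Actor":{"ID":"c1","Attributes":{"image":"ubuntu:22.04","name":"setup"}},"time":1750723201}
{"Type":"container","Action":"exec_create: /bin/sh -c apt-get install -y curl python3","Actor":{"ID":"c1","Attributes":{"image":"ubuntu:22.04","name":"setup"}},"time":1750723205}
{"Type":"container","Action":"commit","Actor":{"ID":"c1","Attributes":{"image":"ubuntu:22.04","name":"setup","comment":"","imageID":"sha256:deadbeef","imageRef":"stage:latest"}},"time":1750723260}
{"Type":"container","Action":"create","Actor":{"ID":"c2","Attributes":{"image":"stage:latest","name":"worker"}},"time":1750723300}
{"Type":"container","Action":"create","Actor":{"ID":"c3","Attributes":{"image":"nginx:1.27","name":"web"}},"time":1750723400}
"""


def is_generic_base(image):
    """True if the image reference is a bare OS base such as ubuntu:22.04."""
    name = image.split("/")[-1].split("@")[0].split(":")[0]
    return name in BASE_IMAGES


def detect_build_on_host(event_lines):
    """Return (source_container, staged_image, new_container) tuples for every
    container started from an image that was committed, on this host, from a
    generic base container in which package installs were executed."""
    build_state = {}   # container id -> {"installed": bool}
    staged = {}        # committed image ref / id -> source container id
    findings = []
    for line in event_lines.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("Type") != "container":
            continue
        action = ev.get("Action", "")
        actor = ev.get("Actor", {})
        cid = actor.get("ID")
        attrs = actor.get("Attributes", {})
        image = attrs.get("image", "")

        if action == "create":
            if image in staged:
                # A live container is being run from the locally committed image.
                findings.append((staged[image], image, cid))
            elif is_generic_base(image):
                build_state[cid] = {"installed": False}
        elif action.startswith("exec_create:") and cid in build_state:
            cmd = action.split(":", 1)[1]
            if any(marker in cmd for marker in INSTALL_MARKERS):
                build_state[cid]["installed"] = True
        elif action == "commit" and cid in build_state and build_state[cid]["installed"]:
            # Remember both the tag and the digest the commit produced.
            for key in ("imageRef", "imageID"):
                if attrs.get(key):
                    staged[attrs[key]] = cid
    return findings


if __name__ == "__main__":
    for src, img, new in detect_build_on_host(SAMPLE_EVENTS):
        print(f"container {new} runs image {img} committed on-host from {src}")
```

In production the same function can be fed from `docker events` directly, or from the daemon's audit/API logs; the important signal is the sequence base-image create, install exec, commit, create-from-commit, which ordinary deployments (which pull prebuilt images) rarely produce.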
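The implant's behaviour of sending heartbeats and polling a fixed C2 endpoint on a schedule gives defenders a timing signature in egress logs that does not depend on knowing the domain in advance. The script below is an added example for this article, not Darktrace's or the operators' code. It reads constructed proxy log lines (timestamp, client, destination host, path), flags any contact with the C2 domain the article reports (written defanged and refanged in code), and separately flags client/host pairs whose inter-request intervals are nearly constant. The other hostnames and the thresholds are assumptions chosen for the example.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# C2 domain reported in the article, kept defanged as the report gives it.
KNOWN_C2 = {"shadow.aurozacloud[.]xyz"}


def refang(host):
    return host.replace("[.]", ".")


KNOWN_C2_HOSTS = {refang(h) for h in KNOWN_C2}

# Constructed egress proxy log lines (not real data):
# 10.0.1.5 polls a hypothetical host every 30 s, 10.0.1.7 browses irregularly,
# 10.0.1.9 contacts the reported C2 domain once.
SAMPLE_LOG = """\
2025-06-24T10:00:00Z 10.0.1.5 updates.example.invalid /poll
2025-06-24T10:00:00Z 10.0.1.7 cdn.example.invalid /index.html
2025-06-24T10:00:12Z 10.0.1.7 cdn.example.invalid /app.js
2025-06-24T10:00:30Z 10.0.1.5 updates.example.invalid /poll
2025-06-24T10:00:40Z 10.0.1.7 cdn.example.invalid /style.css
2025-06-24T10:00:41Z 10.0.1.7 cdn.example.invalid /logo.png
2025-06-24T10:01:00Z 10.0.1.5 updates.example.invalid /poll
2025-06-24T10:01:30Z 10.0.1.5 updates.example.invalid /poll
2025-06-24T10:01:35Z 10.0.1.7 cdn.example.invalid /api/data
2025-06-24T10:02:00Z 10.0.1.5 updates.example.invalid /poll
2025-06-24T10:02:30Z 10.0.1.5 updates.example.invalid /poll
2025-06-24T10:03:00Z 10.0.1.9 shadow.aurozacloud.xyz /heartbeat
"""


def analyze_egress(log_text, min_requests=5, max_cv=0.15):
    """Return findings for (client, host) pairs that contact a known C2 host or
    show beacon-like timing: at least `min_requests` requests whose gaps have a
    coefficient of variation (stdev / mean) no greater than `max_cv`."""
    stamps = defaultdict(list)
    findings = []
    flagged_ioc = set()
    for line in log_text.strip().splitlines():
        ts, client, host, _path = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        key = (client, host)
        if host in KNOWN_C2_HOSTS and key not in flagged_ioc:
            flagged_ioc.add(key)
            findings.append({"client": client, "host": host, "reason": "known-c2"})
        stamps[key].append(when.timestamp())

    for (client, host), times in stamps.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        mean = statistics.fmean(gaps)
        if mean <= 0:
            continue  # bursts with identical timestamps are not beacons
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            findings.append({"client": client, "host": host, "reason": "periodic",
                             "interval_s": round(mean, 1), "cv": round(cv, 3)})
    return findings


if __name__ == "__main__":
    for finding in analyze_egress(SAMPLE_LOG):
        print(finding)
```

The periodicity test is deliberately simple; implants that add jitter to their sleep will raise the coefficient of variation, so in practice the threshold is tuned per environment and combined with other signals such as a bare IP destination, a long-lived process with no user interaction, or the IoC match shown here.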
Further analysis of the C2 infrastructure revealed that the server is hosted behind Cloudflare, hiding its true origin. It also uses FastAPI and Pydantic to power the login panel and operator interface, indicating that the tool is being developed to offer a “DDoS-for-hire” service.
API endpoints allow operators to add, update, or delete users, configure the types of attacks that users are allowed to perform, supply a list of endpoints to launch an attack against, and exclude a list of sites from targeting.
“By leveraging containerization, extensive APIs, and a full user interface, this campaign demonstrates the ongoing development of cybercrime as a service,” Bill said. “The ability to provide modular functionality through Go-based RATs and expose structured APIs for operator interactions underscores how sophisticated some threat actors are.”
The disclosure comes as F5 Labs said it detected a web-scanning botnet that uses Mozilla-related browser user agents to probe internet-exposed systems for known security flaws. So far, the botnet is said to have used 11,690 Mozilla user agent strings for its scans.

Cloudflare has also said, in a post shared on X today, that it autonomously blocked a hyper-volumetric DDoS attack that peaked at 22.2 terabits per second (Tbps) and 10.6 billion packets per second (Bpps). The largest DDoS attack ever recorded, it lasted only 40 seconds.

Earlier this month, the web infrastructure company revealed it had mitigated a record-volume distributed denial-of-service (DDoS) attack that peaked at 11.5 terabits per second (Tbps) and lasted only about 35 seconds.
Chinese security company Qianxin XLab said in a technical report last week that a botnet known as Aisuru was responsible for the attack. It is a variant of Airashi and has infected nearly 300,000 devices, most of them routers and security cameras. According to the company, the botnet is managed by three individuals (Snow, Tom, and Forky) who handle development, vulnerability integration, and sales.
Recent iterations of the malware include a modified RC4 algorithm to decrypt strings in the source code, speed tests to select a server, and checks for the presence of network utilities such as tcpdump and Wireshark, as well as checks for the presence of virtualization frameworks such as VMware, QEMU, Virtual, and KVM.
“The Aisuru botnet has launched attacks across multiple industries around the world,” XLab noted. “Its main targets are located in regions such as China, the US, Germany, the UK, Hong Kong, and more. The new sample supports not only DDoS attacks but also proxy functions.”