
ShadowV2

ShadowV2 is the name given to a DDoS-for-hire botnet family that has been observed in two forms: a Mirai-based variant that targets IoT devices, and a Go-based variant that targets cloud-hosted systems. Reporting links it to two related activity clusters: (1) exploitation of vulnerable IoT devices such as routers, DVRs, NAS/NVR appliances, and similar embedded Linux systems; and (2) compromise of exposed or misconfigured Docker daemons on AWS EC2, where a Python-based spreader hosted on GitHub Codespaces deploys a Go-based ELF implant inside attacker-created containers.

Darktrace described the cloud-focused variant as using a REST-style C2 at shadow.aurozacloud[.]xyz, with heartbeat and polling endpoints. It supports high-volume HTTP floods, including HTTP/2 rapid reset, randomized query strings and spoofed forwarding headers (the latter two intended to defeat caching and per-client rate limiting), and a bypass for Cloudflare's Under Attack Mode that drives a bundled ChromeDP binary to solve the JavaScript challenge.

Fortinet described the IoT-focused variant as a Mirai offshoot similar to LZRD, using XOR-decoded configuration data and identifying itself as "ShadowV2 Build v1.0.0 IoT version." It supports UDP, TCP, and HTTP flood attacks and launches them on command from its C2.
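The XOR-obfuscated configuration table described above is the standard Mirai pattern, where each byte is XORed with the four key bytes in turn, which collapses to a single effective byte (the canonical key 0xdeadbeef acts as 0x22). The script below is an added example, not code from the page, Fortinet or the malware: it brute-forces the single-byte key over a blob and ranks keys by how printable the result is. The blob is constructed here from strings on this page; ShadowV2's real key and table layout are not given on the page, so the single-byte assumption is exactly that.

```python
"""Recover a Mirai-style XOR-obfuscated string table by brute-forcing a single-byte key.

Added example. Assumes the classic Mirai scheme (per-byte XOR with all four key
bytes, i.e. one effective byte); the actual ShadowV2 key is not on the page.
"""

# Printable ASCII plus tab/newline/CR; NUL is accepted separately as a terminator.
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def mirai_effective_key(key32: int) -> int:
    """Reduce a 32-bit Mirai table key to the single byte it acts as (0xdeadbeef -> 0x22)."""
    k = 0
    for shift in (24, 16, 8, 0):
        k ^= (key32 >> shift) & 0xFF
    return k


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def table_score(data: bytes) -> tuple[float, int]:
    """(fraction of printable-or-NUL bytes, number of NUL terminators) for a candidate decode."""
    if not data:
        return 0.0, 0
    ok = sum(1 for b in data if b in PRINTABLE or b == 0)
    return ok / len(data), data.count(0)


def brute_force_single_byte_xor(blob: bytes, threshold: float = 0.95) -> list[tuple[int, float]]:
    """Return (key, printable_ratio) candidates at or above threshold, best first.

    Key 0x00 is skipped because it is a no-op. Ties on ratio are broken by the number
    of NUL terminators, which a real string table has plenty of.
    """
    scored = []
    for key in range(1, 256):
        ratio, nuls = table_score(xor_bytes(blob, key))
        if ratio >= threshold:
            scored.append((key, ratio, nuls))
    scored.sort(key=lambda t: (t[1], t[2]), reverse=True)
    return [(k, r) for k, r, _ in scored]


def split_table(decoded: bytes) -> list[str]:
    """Split a NUL-separated table into strings, dropping empty entries."""
    return [s.decode("ascii", "replace") for s in decoded.split(b"\x00") if s]


def recover_strings(blob: bytes) -> tuple[int, list[str]]:
    """Best-effort decode: pick the top-ranked key and return (key, strings)."""
    candidates = brute_force_single_byte_xor(blob)
    if not candidates:
        raise ValueError("no single-byte XOR key yields a printable table")
    key = candidates[0][0]
    return key, split_table(xor_bytes(blob, key))


# Constructed sample: two strings from the page, NUL-terminated, encoded with the
# effective byte of the canonical Mirai key. Not bytes from a real sample.
SAMPLE_TABLE = b"ShadowV2 Build v1.0.0 IoT version\x0081.88.18.108\x00"
SAMPLE_BLOB = xor_bytes(SAMPLE_TABLE, mirai_effective_key(0xDEADBEEF))

if __name__ == "__main__":
    key, strings = recover_strings(SAMPLE_BLOB)
    print(f"key=0x{key:02x}")
    for s in strings:
        print("  ", s)
```

On a real sample, feed `recover_strings` the bytes of the table region (for classic Mirai, the static array that `table_init` populates); if no key clears the threshold, the sample is not using a single-byte scheme and the ranking is meaningless, which is why the function raises instead of returning the best bad guess.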

High-confidence exploitation associated with ShadowV2 includes CVE-2009-2765 (DD-WRT), CVE-2020-25506, CVE-2022-37055, CVE-2024-10914, and CVE-2024-10915 (D-Link), CVE-2023-52163 (DigiEver), CVE-2024-3721 (TBK DVR), and CVE-2024-53375 (TP-Link). Additional reporting states that ShadowV2 has been delivered in campaigns abusing Sierra Wireless AirLink ALEOS CVE-2018-4063 and other router/IoT weaknesses, alongside botnets such as RondoDox and Redtail. Fortinet observed ShadowV2 activity during the late-October 2025 AWS outage and assessed it was likely a short-lived test run; the campaign reportedly affected targets in 28 countries and in sectors including technology, retail and hospitality, manufacturing, managed security services, government, telecommunications, and education.

Notable indicators directly mentioned in the content include 81.88.18.108 as the delivery/C2 server for the IoT campaign, binary.sh as the downloader script, 198.199.72.27 as an observed attack origin, shadow.aurozacloud[.]xyz as the cloud C2 infrastructure, 23.97.62[.]139 as an observed source in the Docker campaign, and chache08[.]werkecdn[.]me as the target observed in Darktrace's emulation. The malware has been characterized as an emerging DDoS-for-hire botnet, but the content does not attribute it to a specific threat actor.
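The indicators above are published defanged, so before they can be matched against telemetry they have to be refanged and sorted by type. The script below is an added example, not code from the page or from any vendor: it refangs the page's own IOC list, splits it into IPs, domains and filenames, and scans log lines for hits (domain matches include subdomains, and filename matches require a path boundary so that binary.sh does not fire on binary.shell). The log lines are constructed for the example; their internal addresses and timestamps are made up.

```python
"""Refang the page's defanged IOCs and match them against DNS/proxy/firewall log lines.

Added example; the IOC list is the page's, the log lines are constructed.
"""
import ipaddress
import re

# Indicators as they appear on the page (defanged where the page defangs them).
RAW_IOCS = [
    "81.88.18.108",
    "198.199.72.27",
    "shadow.aurozacloud[.]xyz",
    "23.97.62[.]139",
    "chache08[.]werkecdn[.]me",
    "binary.sh",
]


def refang(ioc: str) -> str:
    """Undo common defanging: [.] and (.) -> '.', [:] -> ':', hxxp(s) -> http(s)."""
    s = ioc.strip().lower()
    s = s.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    return re.sub(r"^hxxp(s?)://", r"http\1://", s)


def classify(ioc: str) -> str:
    """'ip' for IPv4/IPv6 literals, 'file' for bare filenames, else 'domain'."""
    try:
        ipaddress.ip_address(ioc)
        return "ip"
    except ValueError:
        pass
    # Assumption for this example: a single label with a script/binary extension is a filename.
    if re.fullmatch(r"[\w-]+\.(sh|bin|elf|py|exe)", ioc):
        return "file"
    return "domain"


def build_index(raw: list[str]) -> dict[str, set[str]]:
    index = {"ip": set(), "domain": set(), "file": set()}
    for r in raw:
        v = refang(r)
        index[classify(v)].add(v)
    return index


IP_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")


def match_line(line: str, index: dict[str, set[str]]) -> set[str]:
    """Return the IOCs one log line hits; domain hits include subdomains, files need a path boundary."""
    low = line.lower()
    hits = set()
    for ip in IP_RE.findall(low):
        if ip in index["ip"]:
            hits.add(ip)
    for host in HOST_RE.findall(low):
        for d in index["domain"]:
            if host == d or host.endswith("." + d):
                hits.add(d)
    for f in index["file"]:
        if re.search(rf"(?<![\w.]){re.escape(f)}(?![\w.])", low):
            hits.add(f)
    return hits


def scan(lines: list[str], raw: list[str] = RAW_IOCS) -> list[tuple[int, list[str]]]:
    """(line number, sorted hits) for every line that matches at least one IOC."""
    index = build_index(raw)
    results = []
    for n, line in enumerate(lines, 1):
        hits = match_line(line, index)
        if hits:
            results.append((n, sorted(hits)))
    return results


# Constructed log lines (not from any real environment).
SAMPLE_LOGS = [
    "2025-10-21T10:02:11Z dns client=10.0.4.17 qname=shadow.aurozacloud.xyz qtype=A",
    "2025-10-21T10:02:13Z proxy client=10.0.4.17 dst=81.88.18.108:80 path=/binary.sh",
    "2025-10-21T10:03:00Z dns client=10.0.4.22 qname=updates.example.com qtype=A",
    "2025-10-21T10:04:41Z fw accept src=23.97.62.139 dst=10.0.9.3 dport=2375",
]

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOGS):
        print(f"line {n}: {', '.join(hits)}")
```

The domain comparison is done on parsed hostnames rather than by substring so that an unrelated name ending in the same characters cannot match; the filename check deliberately does not go through the hostname regex, because `binary.sh` is also syntactically a valid hostname under the `.sh` TLD.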


Exploited CVEs

One CVE has been correlated with this family across public research and vendor advisories.

CVE-2024-3721: OS command injection in TBK DVR-4104 and DVR-4216 (exploited in the wild)

"In the past year, it was exploited to spread different bots, including a Mirai-based strain, the ShadowV2 botnet, and a newer botnet known as RondoDox."

"FortiGuard Labs has analyzed a recent campaign exploiting CVE-2024-3721 in TBK DVR devices to deliver a multi-architecture Mirai variant called Nexcorium. Attackers exploit CVE-2024-3721, a command injection flaw, to compromise devices and turn them into bots for DDoS attacks."

via Security Affairs (securityaffairs.com)
MITRE ATT&CK techniques

One technique is documented for this family, organized by ATT&CK tactic.

Impact: T1498 Network Denial of Service (3 pieces of evidence)

Evidence: "ShadowV2 Mirai Botnet Launched Coordinated IoT Test Attack During Global AWS Outage"
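Network denial of service is usually easiest to see in the target's own web server logs rather than in network flow data. The script below is an added example, not code from the page, Darktrace or Fortinet: it runs over combined-format access log lines with a trailing X-Forwarded-For field and flags a source that (a) sends more than a threshold of requests inside a sliding window and (b) shows either the randomized query strings or the rotating forwarding headers described for ShadowV2's HTTP flood. The log lines are constructed with a seeded generator; 198.199.72.27 is the attack origin named on the page, 10.0.0.5 is a made-up benign client, and all thresholds are assumptions to tune per site.

```python
"""Flag ShadowV2-style HTTP floods (randomized query strings, spoofed X-Forwarded-For) in access logs.

Added example, not vendor or page code. Log lines are constructed; thresholds are assumptions.
"""
import random
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined log format with a trailing quoted X-Forwarded-For field.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<xff>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str):
    """Parse one access log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], TS_FMT)
    _, _, d["query"] = d["target"].partition("?")
    d["xff"] = "" if d["xff"] == "-" else d["xff"]
    return d


def flag_floods(lines, window_s=60, min_requests=20, min_unique_query_ratio=0.8, min_unique_xff=5):
    """Return {src_ip: [reasons]} for sources whose traffic looks like a flood bot."""
    per_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_src[rec["src"]].append(rec)

    flagged = {}
    for src, recs in per_src.items():
        recs.sort(key=lambda r: r["ts"])
        # Densest window_s-second span, computed with two pointers over sorted timestamps.
        best, j = 0, 0
        for i in range(len(recs)):
            while recs[i]["ts"] - recs[j]["ts"] > timedelta(seconds=window_s):
                j += 1
            best = max(best, i - j + 1)
        if best < min_requests:
            continue  # volume alone is not enough; a busy crawler is not an attack
        reasons = [f"{best} requests in {window_s}s"]
        queries = [r["query"] for r in recs if r["query"]]
        if queries and len(set(queries)) / len(recs) >= min_unique_query_ratio:
            reasons.append("randomized_query")  # cache-busting: nearly every request has a new query
        xffs = {r["xff"] for r in recs if r["xff"]}
        # Caveat: a legitimate reverse proxy also presents many XFF values from one IP;
        # exempt known proxy addresses before trusting this signal.
        if len(xffs) >= min_unique_xff:
            reasons.append("spoofed_xff")
        if len(reasons) > 1:
            flagged[src] = reasons
    return flagged


def _fmt(src, ts, target, xff):
    return (f'{src} - - [{ts.strftime(TS_FMT)}] "GET {target} HTTP/1.1" 200 512 '
            f'"-" "Mozilla/5.0" "{xff or "-"}"')


def build_sample_log(seed=7):
    """Constructed log: 40 bot requests with random query and XFF, 8 ordinary page views."""
    rng = random.Random(seed)
    base = datetime(2025, 10, 20, 9, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(40):
        q = "".join(rng.choice("0123456789abcdef") for _ in range(12))
        xff = ".".join(str(rng.randint(1, 254)) for _ in range(4))
        lines.append(_fmt("198.199.72.27", base + timedelta(seconds=i), f"/?{q}", xff))
    for i in range(8):
        path = rng.choice(["/", "/about", "/pricing"])
        lines.append(_fmt("10.0.0.5", base + timedelta(seconds=5 * i), path, ""))
    rng.shuffle(lines)
    return lines


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for src, reasons in flag_floods(SAMPLE_LOG).items():
        print(src, "->", "; ".join(reasons))
```

Rate limiting keyed on the client IP is what the randomized forwarding headers are meant to defeat on hosts that wrongly key on X-Forwarded-For, so the detection keys on the TCP source address and treats a high count of distinct forwarding values as a signal rather than trusting any of them. HTTP/2 rapid reset does not appear in access logs as completed requests and needs server-side stream reset metrics instead.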
