ShadowV2 Mirai-Based Botnet Exploits IoT Vulnerabilities During AWS Outage
A new Mirai-based botnet variant named ShadowV2 was observed exploiting a major AWS outage in October to infect IoT devices across 28 countries. Security researchers at Fortinet’s FortiGuard Labs reported that ShadowV2 leveraged at least eight known vulnerabilities in devices from vendors such as D-Link, TP-Link, DD-WRT, DigiEver, and TBK. The botnet propagated rapidly during the day-long AWS disruption, targeting routers, NAS devices, and DVRs in sectors including government, technology, manufacturing, telecommunications, education, and managed security service providers. The attackers used a downloader script (binary.sh) to deliver the malware, which then connected to command-and-control infrastructure to receive further instructions.
The campaign appeared to be a test run, as the botnet was only active during the AWS outage and did not persist beyond that period. Notably, some of the exploited vulnerabilities, such as CVE-2024-10914 and CVE-2024-10915, affect end-of-life D-Link devices for which no patches are available, leaving many systems permanently exposed. D-Link updated its advisories to warn users about the risks to unsupported devices, while TP-Link addressed one of the flaws with a beta firmware update. The ShadowV2 botnet’s global reach and ability to exploit multiple unpatched IoT vulnerabilities highlight the ongoing risks posed by insecure and unsupported connected devices, especially during periods of widespread internet infrastructure disruption.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Fortinet publishes ShadowV2 analysis and IOCs
Fortinet's FortiGuard Labs disclosed technical details on ShadowV2, including its Mirai/LZRD similarities, downloader-based delivery, and command-and-control behavior. The researchers also released indicators of compromise and urged organizations to update vulnerable IoT firmware and improve monitoring.
ShadowV2 exploits multiple IoT flaws across global targets
During the campaign, ShadowV2 infected internet-exposed IoT devices by exploiting at least eight known vulnerabilities in products from DD-WRT, D-Link, DigiEver, TBK, and TP-Link. The botnet affected targets across multiple sectors in 28 countries and supported UDP, TCP, and HTTP DDoS attacks.
ShadowV2 botnet launches during late-October AWS outage
Fortinet observed a new Mirai-based botnet, ShadowV2, become active only during the widespread AWS outage in late October 2025. The activity appeared to be a coordinated test run rather than directly caused by the cloud disruption.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
ShadowV2 Mirai Botnet Launched Coordinated IoT Test Attack During Global AWS Outage
securityonline.info
Open sourceNew Mirai variant ShadowV2 tests IoT exploits amid AWS disruption
securityaffairs.com
Open sourceBotnet takes advantage of AWS outage to smack 28 countries
go.theregister.com
Open sourceNew ShadowV2 botnet malware used AWS outage as a test opportunity
bleepingcomputer.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Mirai Variant Exploits Multiple IoT Flaws to Expand Botnet Infections
Palo Alto Networks Unit 42 reported that a new **Mirai** campaign is targeting internet-exposed IoT devices by chaining multiple known exploits to compromise systems and pull them into a botnet. The activity focuses on broad opportunistic scanning and exploitation, continuing Mirai’s long-running pattern of abusing weakly secured embedded devices such as routers, cameras, and other Linux-based appliances. The campaign’s significance lies in its use of several IoT vulnerabilities rather than a single flaw, increasing the number of devices that can be infected and used for follow-on malicious activity such as distributed denial-of-service (**DDoS**) attacks. The report highlights the ongoing risk from unpatched and publicly reachable IoT infrastructure, underscoring the need for rapid patching, exposure reduction, and stronger hardening of embedded systems connected to the internet.
May 25, 2026
Mirai Botnet Exploits CVE-2025-29635 in End-of-Life D-Link DIR-823X Routers
A Mirai-based malware campaign is actively exploiting **CVE-2025-29635**, a high-severity command-injection flaw in end-of-life **D-Link DIR-823X** routers, marking the first reported in-the-wild abuse of the vulnerability since its public disclosure and proof-of-concept release in 2025. Akamai said it began seeing attacks in early March 2026 through crafted `POST` requests to the `/goform/set_prohibiting` endpoint, where unsanitized input reaches `system()` and enables remote command execution on affected firmware versions **240126** and **240802**. The activity targets discontinued devices unlikely to receive vendor fixes, increasing exposure for organizations still running the routers. The attackers use the exploit to fetch and run a shell script that installs a Mirai variant dubbed **tuxnokill**, which retains common Mirai strings while using XOR obfuscation with key `0x30`. Akamai linked the same actor to similar Mirai deployment patterns against **TP-Link AX21** devices via **CVE-2023-1389** and against **ZTE ZXV10 H108L** routers through another remote code execution flaw, underscoring continued botnet weaponization of older, publicly documented vulnerabilities. Security advisories recommend replacing unsupported D-Link hardware, restricting exposed administrative interfaces, and rapidly remediating known router flaws before they are folded into botnet operations.
Apr 23, 2026
RondoDox Botnet Broadens Exploitation to 174 Vulnerabilities
**RondoDox** has expanded into a large-scale botnet campaign that targets **174 vulnerabilities** across a wide range of internet-exposed devices, with researchers observing up to **15,000 daily exploitation attempts**. Reporting based on **Bitsight** telemetry says the botnet, active since 2025 and built on a **Mirai** code base, is more focused than typical Mirai-derived operations: it is geared toward **denial-of-service activity** and supports **18 architectures**, enabling attacks against routers, DVRs, NVRs, CCTV systems, web servers, and other embedded or Linux-based hardware. Analysts mapped **148 exploits to CVEs**, identified **15 public PoCs without CVEs**, and found **11 exploits with no public PoC**, indicating active exploit collection and rapid weaponization of newly disclosed flaws. The campaign has evolved from earlier exploitation of **TP-Link Archer AX21** flaw `CVE-2023-1389` and later abuse of `CVE-2024-3721`, `CVE-2024-12856`, and the **React2Shell** issue `CVE-2025-55182` affecting **Next.js** servers. Researchers also reported that the operators use **residential IP infrastructure** and traffic patterns that mimic gaming or VPN services to reduce detection, while showing the ability to deploy some exploits within days of disclosure and, in at least one case, exploit `CVE-2025-62593` before its CVE record was formally published. This activity reflects a sustained, strategically managed botnet operation rather than opportunistic scanning, with broad exploit coverage and infrastructure choices designed to improve reach and resilience.
Mar 22, 2026