The newly uncovered ShadowV2 botnet is rapidly becoming one of the most notable Mirai-based threats observed this year. Researchers at Fortinet detected the malware during the October AWS outage, a global disruption that created the perfect moment for attackers to test large-scale scanning and exploitation without drawing attention. ShadowV2 appeared only during the outage and went silent immediately afterward, which strongly suggests that this was a controlled test of the botnet’s infrastructure rather than a full deployment.
The ShadowV2 botnet targets vulnerable IoT devices including home and enterprise routers, NAS appliances, DVR systems, and smart cameras. These devices often run outdated firmware, expose administrative services to the internet, and receive little maintenance from owners. This combination makes them ideal nodes for botnet operators who want to quietly build distributed attack infrastructure.
ShadowV2’s Purpose and Capabilities
The malware identifies itself as “ShadowV2 Build v1.0.0 IoT Version.” It shares noticeable similarities with the Mirai LZRD codebase, including encoded configuration values, modular attack functions, and lightweight binaries designed for low-storage embedded systems. Like Mirai, ShadowV2 converts compromised devices into remote attack nodes capable of performing distributed denial-of-service activity.
Attack traffic was traced to 198.199.72.27. Infections were recorded in North America, South America, Europe, Africa, Asia, and Australia. The botnet also targeted organizations across seven industries including telecommunications, education, government, manufacturing, technology, and regional ISP networks. The short active window and global reach are strong indicators that ShadowV2 is being developed as a scalable, next-generation botnet.
Security Flaws Used by ShadowV2
ShadowV2 spreads by exploiting at least eight known vulnerabilities affecting several major IoT vendors. These flaws allow remote command execution, authentication bypass, or unauthorized access. The known vulnerabilities include:
- DD-WRT CVE-2009-2765 – authentication bypass
- D-Link CVE-2020-25506 – remote command execution
- D-Link CVE-2022-37055 – stack-based buffer overflow
- D-Link CVE-2024-10914 – OS command injection confirmed to be exploited in the wild
- D-Link CVE-2024-10915 – command injection affecting unpatched end-of-life models
- DigiEver CVE-2023-52163 – credential handling flaw
- TBK CVE-2024-3721 – unauthorized remote access
- TP-Link CVE-2024-53375 – arbitrary command execution
The D-Link vulnerabilities are especially important because they affect NAS devices that have reached end-of-life. According to the official advisory published by D-Link, CVE-2024-10914 and CVE-2024-10915 are command injection flaws inside the account_mgr CGI script. These issues were originally reported by NetSecFish and allow attackers to execute shell commands through unsanitized input parameters. Since these devices are no longer supported, they will not receive firmware updates. D-Link states that users should retire and replace affected devices entirely.
How the ShadowV2 Botnet Infects Devices
ShadowV2 uses a multi-stage infection chain designed to run on resource-limited IoT systems. The first stage involves a downloader script named binary.sh delivered from 81.88.18.108. When this script executes, it retrieves the ShadowV2 binary from the same server and runs it on the device.
ShadowV2 uses XOR encoding to conceal internal configuration values such as:
- filesystem paths
- HTTP headers
- User-Agent strings
- commands associated with Mirai-style botnet activity
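To show what recovering such XOR-obscured strings looks like from the analyst's side, here is an added example (not code from the Fortinet report or from the malware): it assumes, for the demo, that the config strings are NUL-separated and XORed with a single key byte, and it uses a few well-known Mirai-family strings as known-plaintext markers to pick the right key.

```python
"""Recover XOR-obscured config strings from a Mirai-style bot.

Added example, not from the Fortinet report. Assumptions (constructed for
this demo): strings are NUL-separated and XORed with one key byte, and a
few well-known Mirai-family strings serve as known-plaintext markers.
"""
import string
from typing import List, Optional, Tuple

# Strings that typically appear in Mirai-family configs; used to score keys.
KNOWN_MARKERS = (b"User-Agent", b"/proc/", b"Mozilla/", b"/dev/")
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a one-byte key; the operation is its own inverse."""
    return bytes(b ^ key for b in data)


def split_entries(decoded: bytes) -> List[bytes]:
    """Entries are NUL-separated after decoding (assumption of this example)."""
    return [e for e in decoded.split(b"\x00") if e]


def score_entries(entries: List[bytes]) -> int:
    """-1 if any byte is unprintable, else the number of entries with a marker."""
    if not entries or not all(all(b in PRINTABLE for b in e) for e in entries):
        return -1
    return sum(any(m in e for m in KNOWN_MARKERS) for e in entries)


def recover_config(blob: bytes) -> Tuple[Optional[int], List[bytes]]:
    """Brute-force all 256 key bytes; return the best (key, decoded entries)."""
    best_key, best_entries, best_score = None, [], 0
    for key in range(256):
        entries = split_entries(xor_bytes(blob, key))
        s = score_entries(entries)
        if s > best_score:
            best_key, best_entries, best_score = key, entries, s
    return best_key, best_entries


# Constructed sample: plaintext strings encoded with key 0x22 to stand in
# for a blob carved from a bot binary.
SAMPLE_PLAIN = [b"/proc/self/exe", b"User-Agent: Mozilla/5.0",
                b"/dev/watchdog", b"GET / HTTP/1.1"]
SAMPLE_BLOB = xor_bytes(b"\x00".join(SAMPLE_PLAIN), 0x22)

if __name__ == "__main__":
    key, entries = recover_config(SAMPLE_BLOB)
    print(f"key=0x{key:02x}")
    for e in entries:
        print(e.decode())
```

Real samples may use a multi-byte key or per-string keys; the scoring approach is the same, only the key space grows.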
Once installed, the infected device connects to a command-and-control server and begins listening for instructions. The ShadowV2 botnet supports multiple DDoS attack methods over UDP, TCP, and HTTP. These attacks can overwhelm enterprise networks, hosting providers, or cloud services depending on the operator’s objective.
Global Infection Distribution
Despite its short testing period, ShadowV2 infections were detected worldwide. Regions affected include:
- the United States and Canada
- Brazil, Argentina, and Chile
- Germany, France, Italy, the Netherlands, and the United Kingdom
- South Africa, Morocco, and Kenya
- Japan, Taiwan, Hong Kong, and South Korea
- Australia and New Zealand
This widespread distribution is consistent with modern IoT botnets, which rely on device diversity, geographically dispersed bandwidth, and persistent global availability. IoT devices are particularly attractive because they stay online for years, often running outdated software with minimal user oversight.
Why ShadowV2 Is Concerning
The ShadowV2 botnet appears to be in the early stages of development, but its behavior suggests that it may evolve into a commercial DDoS-for-hire service or be used in targeted attacks. Mirai variants often follow this pattern. Operators quietly build capacity, verify exploit chains, and later rent the botnet to cybercriminal groups or use it to extort businesses.
Testing during the AWS outage was a strategic decision. Large internet outages create natural traffic irregularities that make malicious scanning and exploitation harder to differentiate from normal failure behavior. Botnet operators often choose these moments to test infrastructure because defenders are already dealing with service disruptions.
Risks for IoT Owners and Network Administrators
The ShadowV2 botnet highlights the ongoing security weaknesses across the IoT landscape. Many devices affected by the campaign are several years old, run unsupported firmware, or expose management interfaces to the internet. These conditions create a perfect entry point for modern botnets.
Compromised devices may be used for:
- DDoS attacks against networks and online services
- extortion campaigns that target businesses or critical infrastructure
- proxying malicious traffic to hide the attacker’s identity
- credential harvesting or lateral movement inside home or office networks
- infecting additional devices through automated scanning
Most owners never notice these compromises because the malware runs quietly in the background. Device performance typically remains unchanged, and there are no visible warnings.
How to Protect Against ShadowV2
Fortinet recommends immediate firmware updates for all supported devices affected by the ShadowV2 vulnerabilities. For end-of-life devices, replacement is the only reliable long-term solution. This is especially important for the D-Link NAS models that will never receive future patches.
Administrators and home users should:
- apply all available firmware updates
- retire devices that no longer receive security patches
- disable WAN-facing services such as remote administration or UPnP
- segment IoT devices onto dedicated networks
- use strong, unique passwords for all device interfaces
- monitor outbound traffic for abnormal or persistent connections
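The last step, monitoring outbound traffic, is the one most readers can act on immediately. As an added example (not from the Fortinet report), the script below scans constructed firewall log lines in an assumed format for two signals: connections to the two addresses named in this article, and one internal host repeatedly contacting the same external host and port, which is how a bot's command-and-control beaconing typically looks.

```python
"""Flag outbound connections from an IoT segment that deserve a look.

Added example, not from the Fortinet report. The log format, threshold
and sample lines are constructed for this demo; the two watchlisted
addresses are the ones named in the article.
"""
import ipaddress
import re
from collections import Counter

WATCHLIST = {"198.199.72.27", "81.88.18.108"}  # addresses named in the article
BEACON_THRESHOLD = 4  # repeats before a flow counts as persistent (assumed)

LOG_RE = re.compile(
    r"(?P<ts>\d{2}:\d{2}:\d{2}) OUT src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

# Constructed log lines; 192.168.10.44 plays an infected NAS.
SAMPLE_LOGS = """\
12:00:01 OUT src=192.168.10.21 dst=93.184.216.34 dport=443 proto=tcp
12:00:05 OUT src=192.168.10.44 dst=81.88.18.108 dport=80 proto=tcp
12:00:09 OUT src=192.168.10.44 dst=198.199.72.27 dport=6667 proto=tcp
12:01:09 OUT src=192.168.10.44 dst=198.199.72.27 dport=6667 proto=tcp
12:02:09 OUT src=192.168.10.44 dst=198.199.72.27 dport=6667 proto=tcp
12:03:09 OUT src=192.168.10.44 dst=198.199.72.27 dport=6667 proto=tcp
12:03:30 OUT src=192.168.10.21 dst=93.184.216.34 dport=443 proto=tcp
12:04:00 OUT src=192.168.10.44 dst=192.168.10.1 dport=53 proto=udp
"""


def parse(log_text):
    """Yield one dict per line matching the assumed format; skip the rest."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def analyse(log_text):
    """Return watchlist hits and (src, dst, dport) flows seen too often."""
    watch_hits, flows = [], Counter()
    for ev in parse(log_text):
        if ipaddress.ip_address(ev["dst"]).is_private:
            continue  # LAN traffic such as local DNS is not outbound beaconing
        if ev["dst"] in WATCHLIST:
            watch_hits.append((ev["ts"], ev["src"], ev["dst"], ev["dport"]))
        flows[(ev["src"], ev["dst"], ev["dport"])] += 1
    persistent = {k: n for k, n in flows.items() if n >= BEACON_THRESHOLD}
    return {"watchlist": watch_hits, "persistent": persistent}
```

In practice the watchlist would be loaded from the indicators in Fortinet's report and the threshold tuned to the segment's normal traffic.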
Fortinet’s full technical analysis includes indicators of compromise and detailed packet-level research. Users who suspect infection should review logs, block unexpected outbound connections, and consider performing a factory reset or device replacement.
Sean Doyle
Sean is a tech author and security researcher with more than 20 years of experience in cybersecurity, privacy, malware analysis, analytics, and online marketing. He focuses on clear reporting, deep technical investigation, and practical guidance that helps readers stay safe in a fast-moving digital landscape. His work continues to appear in respected publications, including articles written for Private Internet Access. Through Botcrawl and his ongoing cybersecurity coverage, Sean provides trusted insights on data breaches, malware threats, and online safety for individuals and businesses worldwide.