New Mirai-Like Botnet ‘ShadowV2’ Conducts Trial Run During AWS Outage
During AWS’s major outage in October, Fortinet specialists uncovered a new botnet, ShadowV2, built on Mirai-derived malware and targeting IoT devices worldwide. According to FortiGuard Labs, the campaign appeared to be a “trial run” ahead of potentially larger attacks, yet even this single-day episode was enough to demonstrate just how vulnerable internet-connected devices remain across sectors and continents.
ShadowV2 infects susceptible devices and turns them into “zombies” — a botnet under full operator control, ready for large-scale strikes, primarily massive DDoS floods. During the October AWS outage, the malware was active for only about twenty-four hours, but in that brief window it spread by exploiting a cluster of vulnerabilities across hardware from multiple vendors. Fortinet lists DD-WRT (CVE-2009-2765), D-Link (CVE-2020-25506, CVE-2022-37055, CVE-2024-10914, CVE-2024-10915), DigiEver (CVE-2023-52163), TBK (CVE-2024-3721), and TP-Link (CVE-2024-53375) among the affected products.
One unresolved question is the full scale of the incident: Fortinet has not yet disclosed how many devices ShadowV2 managed to compromise, promising details at a later stage. In September the same botnet, then cloud-based, had been used against AWS EC2, targeting cloud instances. In October, however, ShadowV2 shifted to IoT and struck multiple verticals at once — tech companies, retail and hospitality, manufacturing, MSSPs, government entities, telecom operators, and educational institutions. Twenty-eight countries were affected, from the United States, Canada, and Mexico to Russia, Kazakhstan, China, Japan, and states across Europe, the Middle East, Africa, and Australia.
Technically, the attack followed the familiar pattern of Mirai-style families, but with a few distinct traits. The attackers exploited known firmware weaknesses to deliver a loader script, binary.sh, onto vulnerable devices. That script then fetched ShadowV2’s core binaries — files prefixed with “shadow” — from 81[.]88[.]18[.]108. Fortinet notes its similarity to the LZRD variant: the malware initializes an XOR-encoded configuration, connects to a command-and-control server, and awaits instructions, including orders to launch DDoS assaults.
Upon execution, ShadowV2 displays the line “ShadowV2 Build v1.0.0 IoT version.” Fortinet observes that this marker suggests the malware may represent the first dedicated branch crafted specifically for IoT devices. The implication is that the observed campaign may have been nothing more than a rehearsal, testing infrastructure for more aggressive and sustained operations to come.
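The XOR-encoded configuration and the fixed build banner together give an analyst a quick triage handle: if a sample's string table is XOR-obfuscated, the known banner text can be used as known plaintext to recover the key and dump the rest of the table. The following is an added example of that technique written for this article; it is not Fortinet's tooling and not code from the ShadowV2 sample. The key (0x5A), the encoded blob, the hostname and the path in it are all constructed here purely to exercise the routine; the only value taken from the report is the banner string.

```python
# Added example: recover a single-byte XOR key for a Mirai-style encoded
# configuration table by searching for known plaintext (the build banner),
# then dump the decoded strings. Not Fortinet's code; sample data is constructed.
from itertools import cycle
from typing import List, Optional, Tuple

# Banner reported by Fortinet for ShadowV2 (the one page-supplied value here).
BUILD_MARKER = b"ShadowV2 Build v1.0.0 IoT version"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Byte-wise XOR of data with a repeating key (Mirai-style table encoding)."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_single_byte_key(blob: bytes, known: bytes) -> Optional[int]:
    """Try all 256 single-byte keys; return the one under which `known` appears."""
    for key in range(256):
        if known in xor_bytes(blob, bytes([key])):
            return key
    return None


def extract_strings(decoded: bytes, min_len: int = 4) -> List[str]:
    """Split a decoded table on NUL separators and keep printable ASCII runs."""
    out = []
    for chunk in decoded.split(b"\x00"):
        if len(chunk) >= min_len and all(0x20 <= c < 0x7F for c in chunk):
            out.append(chunk.decode("ascii"))
    return out


def triage(blob: bytes) -> Tuple[Optional[int], List[str]]:
    """Return (recovered key, decoded strings) or (None, []) if the banner is absent."""
    key = recover_single_byte_key(blob, BUILD_MARKER)
    if key is None:
        return None, []
    return key, extract_strings(xor_bytes(blob, bytes([key])))


# Constructed sample (assumption, not a real ShadowV2 artefact): a NUL-separated
# table holding the banner, a placeholder C2 endpoint and a path, encoded under
# the arbitrary key 0x5A.
_SAMPLE_KEY = 0x5A
_PLAIN_TABLE = b"\x00".join(
    [BUILD_MARKER, b"c2.example.invalid:23", b"/proc/"]
) + b"\x00"
SAMPLE_BLOB = xor_bytes(_PLAIN_TABLE, bytes([_SAMPLE_KEY]))

if __name__ == "__main__":
    key, strings = triage(SAMPLE_BLOB)
    print(f"recovered key: 0x{key:02x}")
    for s in strings:
        print("  ", s)
```

Real Mirai descendants vary in how they obfuscate the table (some use a multi-byte key, some none at all), so the single-byte search is a first pass; when it fails, widening the key length and keeping the same known-plaintext check is the natural next step.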
For now, ShadowV2 has been observed only during the October AWS outage, but the incident underscores a long-standing reality: billions of devices with outdated firmware and exposed services remain an ideal substrate for botnets. Fortinet has released indicators of compromise and urges administrators to update firmware, disable unnecessary services, and closely monitor anomalous or spam-like network traffic. As specialists note, the ShadowV2 episode once again demonstrates that IoT remains the weakest link in global cybersecurity.
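The delivery chain described above (an exploited device fetching binary.sh, then "shadow"-prefixed payloads from 81[.]88[.]18[.]108) is exactly what an egress proxy or firewall log records, so it lends itself to a simple indicator sweep. The block below is an added example for this article, not Fortinet's IoC feed or any vendor tooling. The log line format, the sample lines, the internal addresses and the payload filenames (shadow.mips, shadow.arm7) are constructed assumptions; the distribution IP, the loader name and the "shadow" prefix are the facts taken from the report.

```python
# Added example: sweep constructed proxy/firewall log lines for the ShadowV2
# artefacts named in the article. Not Fortinet's code; log format is assumed.
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set


def refang(ioc: str) -> str:
    """Turn a defanged indicator such as 81[.]88[.]18[.]108 into a usable IP."""
    return ioc.replace("[.]", ".")


DISTRIBUTION_IP = refang("81[.]88[.]18[.]108")  # from the FortiGuard report
LOADER_NAME = "binary.sh"                      # loader script named in the report
PAYLOAD_PREFIX = "shadow"                      # core binaries are "shadow"-prefixed

# Assumed log format: "<timestamp> <src_ip> -> <dst_ip> <method> <url>"
LOG_RE = re.compile(r"^(\S+) (\S+) -> (\S+) (\S+) (\S+)$")


@dataclass
class Hit:
    timestamp: str
    src_ip: str
    dst_ip: str
    url: str
    reasons: List[str]
    severity: str  # "high" when the known distribution host is involved


def classify(line: str) -> Optional[Hit]:
    """Return a Hit if the line matches any indicator, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, _method, url = m.groups()
    reasons = []
    if dst == DISTRIBUTION_IP:
        reasons.append("destination is the ShadowV2 distribution host")
    basename = url.split("?", 1)[0].rsplit("/", 1)[-1]
    if basename == LOADER_NAME:
        reasons.append("loader script name binary.sh")
    elif basename.lower().startswith(PAYLOAD_PREFIX):
        reasons.append("shadow-prefixed payload name")
    if not reasons:
        return None
    # A name match alone is weak (any file can start with "shadow"); the
    # distribution host is the strong signal.
    severity = "high" if dst == DISTRIBUTION_IP else "low"
    return Hit(ts, src, dst, url, reasons, severity)


def scan(lines: Iterable[str]) -> List[Hit]:
    return [h for h in (classify(l) for l in lines) if h]


def likely_infected_hosts(hits: List[Hit]) -> Set[str]:
    """Internal sources with at least one high-severity hit."""
    return {h.src_ip for h in hits if h.severity == "high"}


# Constructed sample log: one device pulling the loader and two payloads from
# the distribution host, plus benign traffic and a name-only false positive.
SAMPLE_LOG = """\
2025-10-20T14:02:11Z 10.0.5.17 -> 93.184.216.34 GET http://93.184.216.34/index.html
2025-10-20T14:02:19Z 10.0.5.42 -> 81.88.18.108 GET http://81.88.18.108/binary.sh
2025-10-20T14:02:23Z 10.0.5.42 -> 81.88.18.108 GET http://81.88.18.108/shadow.mips
2025-10-20T14:03:01Z 10.0.5.42 -> 81.88.18.108 GET http://81.88.18.108/shadow.arm7
2025-10-20T14:05:40Z 10.0.5.9 -> 198.51.100.7 GET http://198.51.100.7/shadowbox.png
2025-10-20T14:06:02Z 10.0.5.9 -> 198.51.100.7 POST http://198.51.100.7/api/login
""".splitlines()

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(h.severity.upper(), h.timestamp, h.src_ip, h.url, "; ".join(h.reasons))
    print("likely infected:", sorted(likely_infected_hosts(hits)))
```

The severity split matters in practice: the "shadowbox.png" line is flagged only because of its filename, which is why the name-only rule stays "low" and the distribution address is what escalates a source to the infected list. A real deployment would pull the full indicator set from Fortinet's published IoCs rather than the three values quoted in this article.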
Almost immediately after ShadowV2’s “trial run,” Microsoft reported another major assault — this time on Azure. According to the company, on October 24 its infrastructure withstood the “largest cloud DDoS attack in history,” a 15.72 Tbps deluge orchestrated by the Aisuru botnet. Azure’s defenses absorbed a storm of nearly 3.64 billion packets per second, and Microsoft maintains that customers experienced no disruption. Against that backdrop, the emergence of a new Mirai-like botnet, even in the form of a brief rehearsal, stands as a stark warning: next time, the strike may come harder — and not nearly as conveniently timed.