The New Frontier of Cybercrime: A Botnet That Operates Like a SaaS
Amid a surge in cybercriminal activity, Darktrace has uncovered a new campaign powered by the ShadowV2 botnet. Researchers first observed the malicious infrastructure on June 24, 2025, when their traps were triggered. At the heart of the scheme lies a Go-written trojan that converts compromised Amazon Web Services containers into full-fledged nodes for conducting DDoS attacks.
ShadowV2 exploits vulnerable Docker instances running on AWS EC2 virtual machines. The initial infection step deploys a helper container based on an Ubuntu image, into which the requisite tools are automatically installed. Thereafter, an additional container is created containing a compiled ELF executable that connects back to a command server at shadow.aurozacloud[.]xyz. The malware regularly issues heartbeat messages and receives commands from that server, including instructions to initiate attacks.
The botnet’s control plane is implemented with the Python FastAPI framework and Pydantic. Its web interface includes an authentication form and an operator console for adding and editing users, configuring attack parameters, and managing target lists and exclusions—all hallmarks of a turnkey DDoS-for-hire platform.
Distributed attacks orchestrated by ShadowV2 employ advanced techniques, including HTTP/2 Rapid Reset—which overwhelms servers by repeatedly tearing down connections at high speed—and methods intended to bypass Cloudflare’s “Under Attack” mode. The latter relies on ChromeDP to automate JavaScript challenges and harvest bypass cookies; however, its reliability is questionable, as many protections can detect headless browser behavior and block such probes.
ShadowV2 also incorporates a Python-based propagation module that compromises Docker daemons and then deploys the malicious container. This method minimizes forensic traces on infected hosts and complicates incident response.
What is particularly troubling is the architecture’s emphasis on extensibility and reuse: the management API not only configures attacks but also facilitates mass scaling of the infrastructure with full automation. ShadowV2 thus exemplifies a new generation of cybercrime in which malicious tooling increasingly mirrors legitimate SaaS products in convenience and scalability.
In parallel, F5 Labs reported a separate wave of activity: a botnet using browser-like user-agent headers—masquerading as Mozilla—has been sweeping the internet for known vulnerabilities, deploying more than 11,000 distinct User-Agent strings associated with Mozilla-based browsers.
Meanwhile, Cloudflare published its own findings, describing the automated mitigation of the largest DDoS attack recorded to date: a strike that peaked at 22.2 Tbps and 10.6 billion packets per second. The onslaught lasted 40 seconds, yet its intensity set a new benchmark in the history of cyber threats.
Taken together, these incidents underscore a clear trend: attacking toolkits are growing more sophisticated, and the “cybercrime-as-a-service” industry is maturing. Modern botnets such as ShadowV2 are built for scale, feature-richness, and ease of use—enabling even nontechnical customers to commission powerful attacks.