ShadowV2 Botnet Used AWS Outage As A Quiet Test Run, Researchers Say

Security researchers at Fortinet's FortiGuard Labs have identified a new Mirai-based botnet, ShadowV2, that quietly emerged during the major AWS outage in October, targeted vulnerable IoT devices worldwide, and went dormant soon after the outage ended.

According to the researchers, the botnet was active for roughly 15 hours, beginning shortly after AWS services started failing worldwide. The outage itself was not caused by the malware, but the timing suggests that the operators used the global service disruption as cover to test their malware in the wild.

Wide Range Of Vulnerabilities Exploited

The botnet spread by exploiting at least eight known vulnerabilities impacting popular IoT devices from vendors including D-Link, TP-Link, DD-WRT, DigiEver, and TBK. The flaws ranged from remote command execution to authentication bypass and affected routers, Wi-Fi access points, NAS devices, DVRs, and smart camera systems.

Vulnerabilities exploited include:

DD-WRT: CVE-2009-2765

D-Link: CVE-2020-25506, CVE-2022-37055, CVE-2024-10914, CVE-2024-10915

DigiEver: CVE-2023-52163

TBK: CVE-2024-3721

TP-Link: CVE-2024-53375

The most concerning issues involve end-of-life NAS models (CVE-2024-10914 and CVE-2024-10915), which D-Link has confirmed it will not patch, leaving users permanently exposed unless they replace the hardware entirely.

TP-Link's flaw (CVE-2024-53375) has so far been addressed only with a beta firmware update, while the DigiEver and TBK vulnerabilities also remain active exploitation targets.

Global Spread Across 28 Countries And Multiple Sectors

During its short activity window, ShadowV2 launched its exploitation attempts from the IP address 198[.]199[.]72[.]27 against devices on six continents. Affected countries include:

Americas: U.S., Canada, Mexico, Brazil, Bolivia, Chile

Europe: U.K., Netherlands, Belgium, France, Italy, Czechia, Austria, Croatia, Greece

Africa: Morocco, Egypt, South Africa

Asia: Turkey, Saudi Arabia, Russia, China, Japan, Taiwan, Thailand, Philippines

Oceania: Australia

Targeted organizations spanned seven major sectors: technology, manufacturing, telecommunications, government, managed security service providers, education, and retail and hospitality. The wide distribution indicates that the attackers were testing the botnet's ability to infect devices and maintain command-and-control communication across diverse environments.

How ShadowV2 Works

ShadowV2 identifies itself as "ShadowV2 Build v1.0.0 IoT Version", suggesting this is the botnet's first dedicated IoT variant. Fortinet notes that it is structurally similar to the classic Mirai variant LZRD, using lightweight binaries and XOR-encoded configuration data to avoid detection.

Infection Process:

  • Attackers exploit one of the device vulnerabilities listed above.
  • A downloader script named sh is fetched from 81[.]88[.]18[.]108.
  • The script installs the ShadowV2 payload, which contacts its command-and-control server at silverpath[.]shadowstresser[.]info.
  • The infected device joins the botnet and waits for DDoS instructions.

Once installed, ShadowV2 supports a full suite of UDP, TCP, and HTTP-based DDoS attacks, making it suitable for high-volume denial-of-service operations, DDoS-for-hire services, or extortion campaigns.

Why The AWS Outage Was The Perfect Testing Ground

Abnormal traffic during a major service disruption is less likely to raise alarms, which makes such windows attractive for testing early-stage botnets. By going after both consumer and enterprise IoT devices, ShadowV2 appears designed to build a flexible, worldwide network of attack nodes.

While ShadowV2's activity window was short, the researchers believe it was an early-stage test of the operators' infrastructure. They warn that the botnet may return at far greater scale for larger and more disruptive campaigns, possibly timed to coincide with major outages or global events.

How Users And Businesses Can Protect Themselves

Fortinet advises all users and IT teams to:

  • Install the latest firmware updates on all supported IoT and networking devices
  • Retire any end-of-life hardware from D-Link and other vendors
  • Disable unnecessary internet-facing admin features such as remote management and UPnP
  • Place IoT gear on separate networks
  • Monitor outbound connections or DNS requests for suspicious activity
  • Use strong, unique passwords on all device interfaces

FortiGuard Labs has also released indicators of compromise (IoCs) and updated antivirus and intrusion-prevention system (IPS) signatures to help organizations detect and block ShadowV2 activity.
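
As an added example (not from Fortinet's report or the original article), the script below takes the three network indicators named above in their defanged form, refangs them, and matches them against a handful of constructed firewall and DNS log lines, then points at the internal device that reached the dropper host or the C2 domain. The log formats, timestamps, and private addresses are invented for illustration; the regular expressions should be adapted to whatever your firewall and resolver actually emit.

```python
"""Match the ShadowV2 network indicators from this article against log lines."""
import re
from dataclasses import dataclass

# Indicators exactly as the article prints them (defanged with "[.]").
DEFANGED_IOCS = {
    "scanner_ip": "198[.]199[.]72[.]27",                # source of the exploitation attempts
    "dropper_host": "81[.]88[.]18[.]108",               # host serving the "sh" downloader
    "c2_domain": "silverpath[.]shadowstresser[.]info",  # command-and-control server
}


def refang(indicator: str) -> str:
    """Undo the usual defanging so the indicator can be compared with real log data."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


SCANNER_IP = refang(DEFANGED_IOCS["scanner_ip"])
IOC_IPS = {SCANNER_IP, refang(DEFANGED_IOCS["dropper_host"])}
IOC_DOMAINS = {refang(DEFANGED_IOCS["c2_domain"])}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Hostnames: dotted labels ending in an alphabetic TLD, so bare IPv4 addresses do not match.
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


@dataclass(frozen=True)
class Hit:
    line_no: int
    kind: str        # "ip" or "domain"
    indicator: str   # the refanged IoC that matched
    line: str


def match_line(line: str) -> list[tuple[str, str]]:
    """Return (kind, indicator) pairs for every article IoC present in one log line."""
    hits = []
    for ip in IPV4_RE.findall(line):
        if ip in IOC_IPS:
            hits.append(("ip", ip))
    for host in HOST_RE.findall(line):
        host = host.lower().rstrip(".")
        for c2 in IOC_DOMAINS:
            # Exact match or any subdomain of the listed C2 name.
            if host == c2 or host.endswith("." + c2):
                hits.append(("domain", c2))
    return hits


def scan(lines) -> list[Hit]:
    """Scan an iterable of log lines and collect every IoC hit with its line number."""
    return [
        Hit(n, kind, ioc, line)
        for n, line in enumerate(lines, start=1)
        for kind, ioc in match_line(line)
    ]


def likely_infected(hits: list[Hit]) -> set[str]:
    """Addresses that appear on the same line as a dropper or C2 indicator.

    Lines matching only the scanner address are skipped: they show which devices
    were probed, not which ones completed the infection chain.
    """
    devices = set()
    for h in hits:
        if h.indicator == SCANNER_IP:
            continue
        for ip in IPV4_RE.findall(h.line):
            if ip not in IOC_IPS:
                devices.add(ip)
    return devices


# Constructed sample log lines (hypothetical firewall and resolver formats, not a real capture).
SAMPLE_LOGS = [
    "2025-10-20T07:58:41Z fw DROP src=198.199.72.27 dst=203.0.113.7 proto=tcp dport=80",
    "2025-10-20T08:02:13Z dns client=192.168.1.23 query=silverpath.shadowstresser.info type=A",
    "2025-10-20T08:02:14Z fw ACCEPT src=192.168.1.23 dst=81.88.18.108 proto=tcp dport=80",
    "2025-10-20T08:03:00Z dns client=192.168.1.40 query=updates.example.com type=A",
    "2025-10-20T08:04:27Z fw ACCEPT src=192.168.1.23 dst=198.51.100.9 proto=udp dport=53",
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOGS)
    for h in found:
        print(f"line {h.line_no}: {h.kind} {h.indicator} <- {h.line}")
    print("likely infected:", sorted(likely_infected(found)))
```

On the constructed input, the scanner address is seen probing from outside, and one internal host (192.168.1.23) both resolves the C2 domain and fetches from the dropper host, which is the sequence the infection process above describes; that host is the one to pull off the network and reimage or replace.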

Kavita Iyer