New Mirai variant ShadowV2 tests IoT exploits amid AWS disruption – Against Invaders

New Mirai variant ShadowV2 tests IoT exploits amid AWS disruption

ShadowV2, a new Mirai-based botnet, briefly targeted vulnerable IoT devices during October’s AWS outage, likely as a test run.

During the late-October AWS disruption, FortiGuard Labs researchers observed the Mirai-based ‘ShadowV2’ malware exploiting IoT vulnerabilities across multiple countries and industries. The botnet was active only during the outage, suggesting a test run for future attacks. ShadowV2 targets IoT devices using flaws in products from DD-WRT (CVE-2009-2765), D-Link (CVE-2020-25506, CVE-2022-37055, CVE-2024-10914, CVE-2024-10915), DigiEver (CVE-2023-52163), TBK (CVE-2024-3721), and TP-Link (CVE-2024-53375).

The bot targeted devices in multiple countries worldwide, including:

  • Oceania: Australia
  • America: Canada, United States, Mexico, Brazil, Bolivia, Chile
  • Europe: United Kingdom, Netherlands, Belgium, France, Czechia, Austria, Italy, Croatia, Greece
  • Africa: Morocco, Egypt, South Africa
  • Asia: Turkey, Saudi Arabia, Russia, Kazakhstan, China, Thailand, Japan, Taiwan, Philippines

Fortinet reported victims in multiple industries, including technology, retail and hospitality, manufacturing, managed security services providers, government, telecommunication and carrier services, and education.

ShadowV2 spreads through multiple IoT vulnerabilities, dropping the downloader script binary.sh from 81[.]88[.]18[.]108.

The malware resembles the Mirai LZRD variant, decoding its configuration with XOR key 0x22 and loading paths, headers, and User-Agent strings. After resolving its C2 domain, it connects to 81[.]88[.]18[.]108 and identifies itself as ShadowV2 Build v1.0.0 for IoT. It then initializes a wide range of UDP, TCP, and HTTP flood methods, waits for C2 commands, and launches DDoS attacks based on received parameters.
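The two observables in the paragraphs above (the downloader binary.sh fetched from 81[.]88[.]18[.]108, and configuration strings decoded with XOR key 0x22) are the kind of thing an analyst turns into a quick triage script. The following is an added example, not code from Fortinet or from this article: it decodes a Mirai-style XOR-obfuscated string table with the reported key and scans log lines for the downloader and the C2 address. The length-prefixed table layout, the sample entries other than the quoted bot banner (the C2 domain is a placeholder), and the log lines are all constructed for the example.

```python
"""Analyst helpers for the two ShadowV2 observables the article gives.

Added example (not code from Fortinet or the article): it decodes a
Mirai-style XOR-obfuscated string table with the reported key 0x22 and scans
log lines for the downloader and C2 address. The table layout, the sample
strings other than the bot banner, and the log lines are constructed here.
"""
import re

XOR_KEY = 0x22  # single-byte key the report gives for ShadowV2 config decoding

# Indicators from the article, in the defanged form they are usually shared in.
C2_IP_DEFANGED = "81[.]88[.]18[.]108"
DOWNLOADER_NAME = "binary.sh"


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a matchable one."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def xor_decode(blob: bytes, key: int = XOR_KEY) -> bytes:
    """Single-byte XOR: the transform Mirai-family bots use for config strings.

    XOR is its own inverse, so the same function also obfuscates.
    """
    return bytes(b ^ key for b in blob)


def decode_table(table: bytes, key: int = XOR_KEY) -> list:
    """Decode a length-prefixed table of XOR-obfuscated strings.

    Layout assumed here (constructed for the example): one byte of length
    followed by that many obfuscated bytes, repeated. Real samples keep the
    entries in a C array with per-entry lengths; the decoding step is the same.
    """
    entries = []
    pos = 0
    while pos < len(table):
        length = table[pos]
        chunk = table[pos + 1:pos + 1 + length]
        if len(chunk) != length:
            raise ValueError(f"truncated entry at offset {pos}")
        entries.append(xor_decode(chunk, key).decode("ascii", errors="replace"))
        pos += 1 + length
    return entries


def build_table(strings, key: int = XOR_KEY) -> bytes:
    """Inverse of decode_table; used only to construct sample input."""
    out = bytearray()
    for s in strings:
        raw = s.encode("ascii")
        out.append(len(raw))            # entries must be under 256 bytes
        out += xor_decode(raw, key)
    return bytes(out)


SAMPLE_TABLE = build_table([
    "ShadowV2 Build v1.0.0 for IoT",        # banner quoted in the article
    "c2.example.invalid",                   # placeholder, not the real C2 domain
    "Mozilla/5.0 (constructed sample UA)",  # constructed User-Agent entry
])

SAMPLE_LOGS = [  # constructed proxy / firewall lines
    "proxy src=10.0.5.14 GET http://81.88.18.108/binary.sh 200 1342",
    "fw ALLOW src=10.0.5.14 dst=81.88.18.108 dport=80 proto=tcp",
    "proxy src=10.0.7.2 GET http://update.example.net/firmware.bin 200 84210",
    "proxy src=10.0.7.9 GET http://mirror.example.net/tools/binary.sh 200 2048",
]


def find_ioc_hits(lines, c2_ip: str = refang(C2_IP_DEFANGED),
                  downloader: str = DOWNLOADER_NAME) -> list:
    """Return [{"line": index, "reasons": [...]}] for lines matching an IoC.

    The IP is matched with guards so 181.88.18.1089 does not count; the bare
    script name is a weak indicator on its own and is reported separately.
    """
    ip_re = re.compile(r"(?<![\d.])" + re.escape(c2_ip) + r"(?![\d.])")
    name_re = re.compile(r"(?<![\w.-])" + re.escape(downloader) + r"(?![\w.-])")
    hits = []
    for i, line in enumerate(lines):
        reasons = []
        if ip_re.search(line):
            reasons.append("c2_ip")
        if name_re.search(line):
            reasons.append("downloader_name")
        if reasons:
            hits.append({"line": i, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for entry in decode_table(SAMPLE_TABLE):
        print("config:", entry)
    for hit in find_ioc_hits(SAMPLE_LOGS):
        print(f"line {hit['line']}: {', '.join(hit['reasons'])} -> {SAMPLE_LOGS[hit['line']]}")
```

A hit on the C2 address alone is worth an immediate look; a hit on the script name alone (line 3 in the sample) only tells you a file called binary.sh was fetched from somewhere else and needs the source host checked before anyone acts on it.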

“ShadowV2 supports two transport-layer protocols (UDP and TCP) and the HTTP application protocol. Implemented attack methods include UDP floods, several TCP-based floods, and HTTP-level floods. The malware maps these behaviors to internal function names, such as UDP, UDP Plain, UDP Generic, UDP Custom, TCP, TCP SYN, TCP Generic, TCP ACK, TCP ACK STOMP, and HTTP,” reads the report published by Fortinet. “It listens for commands from its C2 server and triggers DDoS attacks using the corresponding attack method ID and parameters.”
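From the receiving end, the attack families the report lists (UDP floods, TCP SYN and ACK floods, HTTP-level floods) show up as per-source packet rates of a recognisable shape. The following is an added example, not code from Fortinet or from this article: it groups flow records into one-second buckets per source, destination and flood type, and raises an alert when a bucket crosses a threshold. The flow records and the threshold are constructed for the example; a NetFlow/IPFIX exporter or firewall summary would normally supply the records.

```python
"""Per-source rate triage for the DDoS methods the Fortinet report lists.

Added example: the flow records below are constructed and the threshold is
illustrative; neither comes from the report. A flow exporter (NetFlow/IPFIX
or a firewall summary) would normally supply the records.
"""
from collections import defaultdict

# Packets per one-second window, per (source, destination, method), above
# which an alert is raised. Constructed value for the example.
PPS_THRESHOLD = 500


def classify(proto: str, dport: int, flags: str) -> str:
    """Map wire-level traffic to the attack families named in the report.

    Flags use tcpdump-style letters: S=SYN, A=ACK, P=PSH.
    """
    if proto == "udp":
        return "udp_flood"          # UDP / UDP Plain / UDP Generic / UDP Custom
    if proto == "tcp":
        if flags == "S":
            return "tcp_syn_flood"  # TCP SYN
        if flags == "A":
            return "tcp_ack_flood"  # TCP ACK / TCP ACK STOMP
        if dport in (80, 443, 8080) and "P" in flags:
            return "http_flood"     # HTTP-level floods ride on established TCP
        return "tcp_flood"          # TCP / TCP Generic
    return "other"


def detect_floods(records, threshold: int = PPS_THRESHOLD) -> list:
    """Aggregate packet counts per (second, src, dst, method); return alerts.

    Each record: {"ts": int, "src": str, "dst": str, "proto": str,
                  "dport": int, "flags": str, "pkts": int}
    """
    buckets = defaultdict(int)
    for r in records:
        method = classify(r["proto"], r["dport"], r["flags"])
        buckets[(r["ts"], r["src"], r["dst"], method)] += r["pkts"]
    alerts = []
    for (ts, src, dst, method), pkts in sorted(buckets.items()):
        if method != "other" and pkts >= threshold:
            alerts.append({"ts": ts, "src": src, "dst": dst,
                           "method": method, "pkts": pkts})
    return alerts


SAMPLE_FLOWS = [  # constructed: one infected device (10.0.5.14) and one normal client
    {"ts": 100, "src": "10.0.5.14", "dst": "203.0.113.7", "proto": "udp", "dport": 53,  "flags": "",   "pkts": 420},
    {"ts": 100, "src": "10.0.5.14", "dst": "203.0.113.7", "proto": "udp", "dport": 123, "flags": "",   "pkts": 390},
    {"ts": 101, "src": "10.0.5.14", "dst": "203.0.113.7", "proto": "tcp", "dport": 80,  "flags": "S",  "pkts": 1200},
    {"ts": 102, "src": "10.0.5.14", "dst": "203.0.113.7", "proto": "tcp", "dport": 80,  "flags": "PA", "pkts": 650},
    {"ts": 102, "src": "10.0.7.2",  "dst": "203.0.113.7", "proto": "tcp", "dport": 443, "flags": "PA", "pkts": 12},
]


if __name__ == "__main__":
    for alert in detect_floods(SAMPLE_FLOWS):
        print(alert)
```

The two UDP records at ts=100 land in the same bucket (different destination ports, same flood type), which is why the threshold is applied after aggregation rather than per record; a bot spraying random ports would otherwise slip under a per-port rule.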

ShadowV2 shows that IoT devices are still a major security weak point. Its evolution signals that threat actors are increasingly focusing on IoT environments.

“The evolution of ShadowV2 suggests a strategic shift in the targeting behavior of threat actors toward IoT environments,” concludes the report. “This underscores the importance of maintaining timely firmware updates, enforcing robust security practices, and continuously monitoring relevant threat intelligence to strengthen overall situational awareness and ensure ecosystem resilience.”

Pierluigi Paganini

(SecurityAffairs – hacking, ShadowV2 botnet)
