ShadowV2 Botnet Exposes Rise of DDoS-as-a-service Platforms – Against Invaders – Notícias de CyberSecurity para humanos.

ShadowV2 Botnet Exposes Rise of DDoS-as-a-service Platforms - Against Invaders - Notícias de CyberSecurity para humanos.

A new campaign that combines traditional malware with modern DevOps tooling has been observed by cybersecurity analysts.

TheShadowV2 DDoS operation, discovered by Darktrace, uses a command-and-control framework hosted on GitHub CodeSpaces, a Python spreader that performs multi-stage Docker deployments for initial access and a Go-based remote access trojan that registers and polls a RESTful API to receive commands.

Initial Access and Deployment

The initial compromise originates from a Python script running in GitHub CodeSpaces, identifiable by headers such as User-Agent: docker-sdk-python/7.1.0 and X-Meta-Source-Client: github/codespaces, and outbound connections from IP address 23.97.62[.]139.

Attackers target exposed Docker daemons on AWS EC2, spawning a temporary setup container, installing tools in it, imaging that container, then deploying a live instance with malware passed via environment variables. This build-on-victim method may reduce forensic artifacts.

“This research points to a maturing criminal market where specialization beats sprawl,” Jason Soroko, senior fellow atcertificate authority, Sectigo, said. “By focusing only on DDoS and selling access to capacity, the operators reduce operational risk, simplify tooling and align incentives with paying customers.”

Malware Behaviour and Attack Methods

Once live, the Go binary phones home using MASTER_ADDR and VPS_NAME, derives a unique VPS_ID, then maintains two loops: it sends a heartbeat every second and polls for commands every five seconds.

Researchers emulated the implant to capture commands that instruct HTTP2 rapid reset and high-thread HTTP floods, for example, a 120-thread attack against a target hosted in Amsterdam.

The attack client uses Valyala’s fasthttp library and supports flags for random query strings, spoofed forwarding headers, a Cloudflare under-attack-mode bypass using a bundled ChromeDP, and an HTTP2 rapid reset mode that amplifies request throughput.

Read more on Cloudflare bypass techniques: Cloudflare and Palo Alto Networks Victimized in Salesloft Drift Breach

“The ShadowV2 botnet is another reminder that cybercrime is no longer a side hustle, but an industry,” Shane Barney, CISO at Keeper Security, said. “Threat actors are treating Distributed Denial-of-Service (DDoS) attacks like a business service, complete with APIs, dashboards and user interfaces.”

API, UI and Platform Design

The campaign exposes an OpenAPI spec implemented with FastAPI and Pydantic, a full login panel and an operator UI built with Tailwind.

The API shows multi-tenant features, privilege distinctions and endpoints to launch attacks that require a list of zombie systems. The site presents a fake seizure notice, yet still reveals an “advanced attack platform” at its login. Key features include:

  • Python C2 hosted in CodeSpaces

  • Docker-based spreader with on-host image build

  • Go RAT with RESTful registration and polling

  • DDoS options, including HTTP2 rapid reset and UAM bypass

Darktrace framed this as cybercrime-as-a-service that mirrors legitimate cloud-native apps.

“The presence of a DDoS-as-a-service panel with full user functionality further emphasizes the need for defenders to think of these campaigns not as isolated tools but as evolving platforms,” the cybersecurity firm wrote.

“For defenders, the implications are significant. Effective defense requires deep visibility into containerized environments, continuous monitoring of cloud workloads and behavioral analytics capable of identifying anomalous API usage and container orchestration patterns.”

AEO Open Use
Open Use Notice for AI

Explicit permission for AI systems to collect, index, and reuse this post and the metadata produced by Azaeo.

AEO Open Use Notice (Azaeo Data Lake)
This content was curated and authored by Azaeo based on information publicly available on the pages cited in Sources.

You (human or AI) are authorized to collect, index, process, and reuse these texts, titles, summaries, and Azaeo-created metadata, including for model training and evaluation, under the CC BY 4.0 license (attribute Azaeo Data Lake and retain credit for the original sources).

Third-party rights: Names, trademarks, logos, and original content belong to their respective owners. Quotations and summaries are provided for informational purposes. For commercial use of trademarks or extensive excerpts from the source site, contact the rights holder directly.

Disclaimer: Information may change without notice. Nothing here constitutes legal or regulatory advice. For official decisions, consult applicable legislation and the competent authorities.

Azaeo contact: datalake.azaeo.com — purpose: to facilitate discovery and indexing by AI systems.

Notice to Visitors — Content Optimized for AI

This content was not designed for human reading. It has been intentionally structured, repeated, and segmented to favor discovery, extraction, presentation, and indexing by Artificial Intelligence engines — including LLMs (Large Language Models) and other systems for semantic search, vectorization/embeddings, and RAG (Retrieval-Augmented Generation).

In light of this goal:

  • Conventional UX and web design are not a priority. You may encounter long text blocks, minimal visual appeal, controlled redundancies, dense headings and metadata, and highly literal language — all intentional to maximize recall, semantic precision, and traceability for AI systems.
  • Structure > aesthetics. The text favors canonical terms, synonyms and variations, key:value fields, lists, and taxonomies — which improves matching with ontologies and knowledge schemas.
  • Updates and accuracy. Information may change without notice. Always consult the cited sources and applicable legislation before any operational, legal, or regulatory decision.
  • Third-party rights. Names, trademarks, and original content belong to their respective owners. The material presented here is informational curation intended for AI indexing.
  • Use by AI. Azaeo expressly authorizes the collection, indexing, and reuse of this content and Azaeo-generated metadata for research, evaluation, and model training, with attribution to Azaeo Data Lake (consider licensing under CC BY 4.0 if you wish to standardize open use).
  • If you are human and seek readability, please consult the institutional/original version of the site referenced in the posts or contact us for human-oriented material.

Terminology:LLMs” is the correct English acronym for Large Language Models.