A sophisticated cybercrime campaign has emerged that transforms legitimate AWS infrastructure into weaponized attack platforms through an innovative combination of containerization and distributed denial-of-service capabilities.
The ShadowV2 botnet represents a significant evolution in cyber threats, leveraging exposed Docker daemons on Amazon Web Services EC2 instances to establish persistent footholds for large-scale DDoS operations.
This campaign demonstrates an alarming shift toward professional, service-oriented cybercrime infrastructure that mirrors legitimate cloud-native applications in both design and functionality.
The attack begins with threat actors operating from GitHub CodeSpaces, utilizing a Python-based command-and-control framework to scan for and exploit misconfigured Docker installations.
Unlike traditional botnet operations that rely on pre-built malicious containers, ShadowV2 employs a unique multi-stage deployment process that creates custom containerized environments directly on victim machines.
The malware establishes communication with its operators through a RESTful API architecture, implementing sophisticated polling and heartbeat mechanisms that ensure persistent connectivity while evading detection through legitimate-appearing network traffic.
Darktrace analysts identified the malware during routine honeypot monitoring, discovering that the campaign specifically targets AWS EC2 instances running exposed Docker daemons.
The researchers observed the threat actors using advanced attack techniques including HTTP/2 rapid reset attacks, Cloudflare under-attack mode bypasses, and large-scale HTTP flood campaigns.
These capabilities, combined with a fully operational user interface and OpenAPI specification, indicate that ShadowV2 functions as a comprehensive DDoS-as-a-service platform rather than a traditional botnet, offering paying customers the ability to launch sophisticated distributed attacks against targeted infrastructure.
The malware’s architecture reveals a concerning level of professionalism, with the entire operation designed around a modular, service-oriented approach that includes user authentication, privilege management, and attack limitations based on subscription tiers.
This evolution represents a fundamental shift in cybercrime economics, where malicious infrastructure increasingly resembles legitimate software-as-a-service offerings in terms of user experience, reliability, and feature completeness.
Technical Infection and Deployment Mechanism
The ShadowV2 botnet employs a sophisticated three-stage deployment process that distinguishes it from conventional Docker-based malware campaigns.
Initial compromise occurs through Python scripts hosted on GitHub CodeSpaces, identifiable through distinctive HTTP headers including User-Agent: docker-sdk-python/7.1.0 and X-Meta-Source-Client: github/codespaces.
These indicators reveal the attackers’ use of the Python Docker SDK library, which enables programmatic interaction with Docker daemon APIs to create and manage containerized environments on target systems.
The attack methodology deviates significantly from typical Docker exploitation patterns. Instead of deploying pre-built malicious images from Docker Hub or uploading custom containers, the malware first spawns a generic Ubuntu-based setup container and dynamically installs necessary tools within it.
This container is then committed as a new image and deployed as a live container, with malware arguments passed through environment variables including the MASTER_ADDR and VPS_NAME identifiers.
The containerized payload consists of a Go-based ELF binary located at /app/deployment that implements a robust communication protocol with the command-and-control infrastructure.
Upon execution, the malware generates a unique VPS_ID by concatenating the provided VPS_NAME with the current Unix timestamp, ensuring distinct identification for each compromised system.
This identifier facilitates command routing and maintains session continuity even across malware restarts or reinfections.
The binary establishes two persistent communication loops: a heartbeat mechanism that transmits the VPS_ID to hxxps://shadow.aurozacloud[.]xyz/api/vps/heartbeat every second via POST requests, and a command polling system that queries hxxps://shadow.aurozacloud[.]xyz/api/vps/poll/ every five seconds through GET requests.
This dual-channel approach ensures both operational visibility for attackers and reliable command delivery to compromised infrastructure, while maintaining the appearance of legitimate API traffic that can evade network-based detection mechanisms.
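The two detection opportunities this writeup gives a defender are the CodeSpaces/Docker SDK request headers on the inbound side and the rigid one-second heartbeat on the outbound side. The following is an added example (not Darktrace's code or anything from the campaign) that checks both against constructed one-JSON-object-per-line logs; the log shape, the benign Docker CLI record and the 10.0.0.x sources are assumptions for the demonstration, while the header values, C2 domain and heartbeat path are the indicators quoted above.

```python
import json
from statistics import mean, pstdev
# Indicators quoted in the writeup; the C2 domain is kept defanged as published.
SUSPECT_USER_AGENT = "docker-sdk-python/7.1.0"
SUSPECT_SOURCE_CLIENT = "github/codespaces"
C2_HOST = "shadow.aurozacloud[.]xyz".replace("[.]", ".")
HEARTBEAT_PATH = "/api/vps/heartbeat"

def flag_docker_api_requests(lines):
    """Ids of Docker daemon requests whose headers match either indicator."""
    hits = []
    for line in lines:
        rec = json.loads(line)
        hdrs = {k.lower(): v for k, v in rec.get("headers", {}).items()}
        if (hdrs.get("user-agent") == SUSPECT_USER_AGENT
                or hdrs.get("x-meta-source-client") == SUSPECT_SOURCE_CLIENT):
            hits.append(rec["id"])
    return hits

def detect_heartbeat(lines, interval=1.0, tolerance=0.2, min_count=5):
    """Source IPs that POST to the heartbeat path at a steady cadence."""
    by_src = {}
    for line in lines:
        rec = json.loads(line)
        if (rec.get("method") == "POST" and rec.get("host") == C2_HOST
                and rec.get("path") == HEARTBEAT_PATH):
            by_src.setdefault(rec["src"], []).append(rec["ts"])
    flagged = []
    for src, times in by_src.items():
        if len(times) < min_count:
            continue  # too few beacons to judge regularity
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if abs(mean(gaps) - interval) <= tolerance and pstdev(gaps) <= tolerance:
            flagged.append(src)
    return flagged

# Constructed sample records (one JSON object per line): a benign Docker CLI call, one
# SDK call from CodeSpaces, six heartbeats one second apart, and unrelated egress.
SAMPLE_DOCKER_LOG = [
    json.dumps({"id": "r1", "method": "GET", "path": "/containers/json",
                "headers": {"User-Agent": "Docker-Client/24.0.5 (linux)"}}),
    json.dumps({"id": "r2", "method": "POST", "path": "/containers/create",
                "headers": {"User-Agent": SUSPECT_USER_AGENT,
                            "X-Meta-Source-Client": SUSPECT_SOURCE_CLIENT}}),
]
SAMPLE_EGRESS = [json.dumps({"ts": 1700000000 + i, "src": "10.0.0.5", "method": "POST",
                             "host": C2_HOST, "path": HEARTBEAT_PATH}) for i in range(6)]
SAMPLE_EGRESS.append(json.dumps({"ts": 1700000003, "src": "10.0.0.9", "method": "GET",
                                 "host": "updates.example.com", "path": "/index"}))
```

Adjust the tolerance and minimum count to the sampling resolution of your own flow or proxy logs; the cadence check is what separates the heartbeat from ordinary API traffic to the same host.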