ShadowV2 Botnet Uses Misconfigured AWS Docker for DDoS-For-Hire Service


Cybersecurity researchers at Darktrace have identified a new botnet called ShadowV2 that is structured as a DDoS-for-hire service, offering attackers an easy way to launch large-scale attacks on demand.

This means anyone can rent access to its network to launch a distributed denial-of-service (DDoS) attack, giving customers with no infrastructure of their own the kind of traffic volume previously seen only in record-breaking incidents across the internet.

ShadowV2 doesn’t go after typical home computers; it targets Docker installations on Amazon Web Services (AWS) cloud servers whose management API has been left exposed. Docker is a technology that lets developers package and run applications in isolated environments called containers. Containers are a modern way to build and run software, but a Docker daemon that accepts unauthenticated connections lets anyone who can reach it create and run containers of their choosing on that host, which is exactly what ShadowV2 abuses.

The Attack

The attack starts with a Python script hosted on GitHub Codespaces, which connects to the exposed Docker daemon and creates a temporary ‘setup’ container on the victim host. Into this setup container the botnet installs its core malware, a Go-based Remote Access Trojan (RAT), and then uses it to build and launch a new, infected container.
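The two preceding paragraphs describe the misconfiguration (a reachable Docker API) and the first thing the attacker does with it (create a setup container). The following Python is an added example written for this article, not Darktrace's tooling or the botnet's code, showing the checks a defender would run on both sides: a daemon.json audit and a firewall-rule audit for API exposure, and a scan over `docker events` JSON output that flags container creations from images outside a deployment allowlist (the "control plane behaviour" a setup container shows up as). It assumes the conventional Docker API ports 2375 (plaintext) and 2376 (TLS); the daemon configs, firewall rules and event lines are constructed for the example, and the firewall rule shape is simplified rather than raw AWS security-group JSON.

```python
"""Defender-side checks for the Docker exposure ShadowV2 abuses.

Added example for this article (not Darktrace's or the botnet's code).
Assumes the exposure vector is a dockerd HTTP API reachable over TCP
and that container activity is watched via `docker events` JSON output.
All sample input below is constructed.
"""
import json
from urllib.parse import urlsplit

# Conventional Docker daemon API ports: 2375 plaintext, 2376 TLS (assumption).
DOCKER_API_PORTS = (2375, 2376)


def audit_daemon_config(daemon_json: str) -> list[str]:
    """Flag a daemon.json that serves the API over TCP without mutual TLS.
    Such a socket lets any client that can reach it create containers."""
    cfg = json.loads(daemon_json)
    findings = []
    tls_verified = cfg.get("tlsverify") is True
    for host in cfg.get("hosts", []):
        parts = urlsplit(host)
        if parts.scheme != "tcp":
            continue  # unix:// and fd:// sockets are local-only
        if not tls_verified:
            findings.append(f"{host}: API on TCP without tlsverify")
        elif parts.hostname in (None, "", "0.0.0.0", "::"):
            findings.append(f"{host}: API bound on all interfaces")
    return findings


def audit_firewall_rules(rules: list[dict]) -> list[str]:
    """Flag inbound rules opening a Docker API port to the whole internet.
    Rule shape (simplified, constructed): proto, from_port, to_port, cidr."""
    findings = []
    for r in rules:
        if r["cidr"] not in ("0.0.0.0/0", "::/0"):
            continue
        if r["proto"] == "-1":          # "all traffic" rule
            lo, hi = 0, 65535
        elif r["proto"] == "tcp":
            lo, hi = r["from_port"], r["to_port"]
        else:
            continue
        exposed = [p for p in DOCKER_API_PORTS if lo <= p <= hi]
        if exposed:
            findings.append(f"{r['cidr']} tcp {lo}-{hi} exposes Docker API port(s) {exposed}")
    return findings


def image_repository(image: str) -> str:
    """Strip digest and tag, keep registry and path:
    'registry:5000/app:1.0' -> 'registry:5000/app'."""
    name = image.split("@", 1)[0]
    colon = name.find(":", name.rfind("/") + 1)
    return name if colon == -1 else name[:colon]


def suspicious_container_creates(event_lines: list[str], allowed_images: set[str]) -> list[tuple[str, str]]:
    """Scan `docker events --format '{{json .}}'` lines; return
    (short container id, image) for creations outside the allowlist.
    An attacker's setup container appears here as control-plane activity
    before any host-level indicator exists."""
    hits = []
    for line in event_lines:
        ev = json.loads(line)
        if ev.get("Type") != "container" or ev.get("Action") != "create":
            continue
        actor = ev.get("Actor", {})
        image = actor.get("Attributes", {}).get("image", "")
        if image_repository(image) not in allowed_images:
            hits.append((actor.get("ID", "")[:12], image))
    return hits


# --- constructed sample input (not captured from a real incident) ---------
EXPOSED_DAEMON_JSON = json.dumps(
    {"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]})
HARDENED_DAEMON_JSON = json.dumps(
    {"hosts": ["unix:///var/run/docker.sock", "tcp://10.0.1.5:2376"],
     "tlsverify": True, "tlscacert": "/etc/docker/ca.pem"})
SAMPLE_RULES = [
    {"proto": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},
    {"proto": "tcp", "from_port": 2375, "to_port": 2375, "cidr": "0.0.0.0/0"},
    {"proto": "tcp", "from_port": 2376, "to_port": 2376, "cidr": "10.0.0.0/8"},
]
SAMPLE_EVENTS = [
    json.dumps({"Type": "container", "Action": "create", "Actor": {
        "ID": "a1b2c3d4e5f60000", "Attributes": {"image": "nginx:1.27", "name": "web"}}}),
    json.dumps({"Type": "container", "Action": "create", "Actor": {
        "ID": "feedfacecafe0000", "Attributes": {"image": "ubuntu:22.04", "name": "setup"}}}),
    json.dumps({"Type": "container", "Action": "start", "Actor": {
        "ID": "feedfacecafe0000", "Attributes": {"image": "ubuntu:22.04", "name": "setup"}}}),
]
ALLOWED_IMAGES = {"nginx"}

if __name__ == "__main__":
    print(audit_daemon_config(EXPOSED_DAEMON_JSON))
    print(audit_daemon_config(HARDENED_DAEMON_JSON))
    print(audit_firewall_rules(SAMPLE_RULES))
    print(suspicious_container_creates(SAMPLE_EVENTS, ALLOWED_IMAGES))
```

The config audit and the firewall audit catch the same exposure from two angles, which matters on cloud hosts: a daemon bound to 0.0.0.0 is harmless behind a closed security group, and a closed daemon is unaffected by an open group, but the combination is what the botnet needs. The event scan is deliberately image-based rather than name-based because the attacker controls the container name; feed it the real `docker events` stream and keep the allowlist in step with what your deployment pipeline actually ships.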

According to Darktrace, this is a major example of ‘cybercrime-as-a-service’ (CaaS), where illegal activities are now being treated like professional business ventures. The attackers have built a complete platform with a user login screen and a user-friendly control panel. The system is well-designed enough to mirror “legitimate cloud-native applications in both design and usability,” researchers noted in the blog post.

ShadowV2 Login UI (Screenshot via Darktrace)

Additionally, each infected node regularly checks in with a central command-and-control server through a “RESTful registration and polling mechanism” to receive its commands. For the attacks themselves it uses a Cloudflare under attack mode (UAM) bypass and “HTTP/2 rapid reset,” a technique that opens HTTP/2 streams and immediately cancels them so that a single connection can push an outsized volume of requests at the target.

Fake Law Enforcement Seizure Notice

Darktrace first spotted the attack on June 24 and found other versions of the malware that had been submitted to a public threat database on June 25 and July 30. The botnet’s main website even displays a fake law enforcement seizure notice as a decoy, though the service behind it remains fully functional.

Fake seizure notice (Image Source: Darktrace)

Jason Soroko, Senior Fellow at Sectigo, a Scottsdale, Arizona-based provider of comprehensive certificate lifecycle management (CLM), sees the botnet as evidence of a “maturing criminal market where specialisation beats sprawl.”

He notes that the operators have simplified their business by focusing only on DDoS attacks and selling access, which “reduces operational risk, simplifies tooling, and aligns incentives with paying customers.”

Soroko adds that the use of a professional API and full user interface turns the botnet into a “platform, which shifts detection from host indicators toward control plane behaviours.” He advises defenders to treat this botnet as a “product with a roadmap,” and to watch for upgrades and new tactics.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.