Countries worldwide affected by the ShadowV2 incidents | Image: FortiGuard Labs
While IT teams worldwide scrambled to restore services during a massive AWS outage in October, a new threat was quietly seizing the opportunity. FortiGuard Labs has released a report detailing “ShadowV2,” a new variant of the Mirai botnet that launched a coordinated campaign specifically timed to coincide with the global cloud disruption.
The timing of the attack appears to be far from coincidental. According to the report, the malware activity was observed “at the end of October, during a global disruption of AWS connections.”
Rather than a full-scale assault, researchers believe the threat actors were testing their capabilities under the cover of the chaotic network environment. “We believe this activity was likely a test run conducted in preparation for future attacks,” the report states. The campaign’s activity window was tightly correlated with the outage itself; researchers noted that “so far, the malware appears to have only been active during the time of the large-scale AWS outage.”
While ShadowV2 had surfaced previously in September targeting AWS EC2 instances, this latest campaign marks a strategic pivot toward Internet of Things (IoT) devices.
The infection chain begins when the attacker exploits known vulnerabilities in devices from vendors such as D-Link and TP-Link and in routers running DD-WRT firmware. Once a device is compromised, it is instructed to download a script named binary.sh from the IP address 81[.]88[.]18[.]108.
A distinct signature found within the malware code confirms its new focus. “While executing, the malware displays the string ShadowV2 Build v1.0.0 IoT version,” the report notes. “Based on this string, we assess that it may be the first version of ShadowV2 developed for IoT devices.”
FortiGuard’s analysis reveals that ShadowV2 shares DNA with “LZRD,” a classic Mirai variant. To evade detection, it XOR-encodes its configuration, including file paths and User-Agent strings, with a single-byte key (0x22). This is enough to hide the strings from a naive `strings` pass over the binary, but, as with most Mirai descendants, the encoding is symmetric and trivially reversible once the key is known or brute-forced.
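To make the obfuscation concrete, here is an added example (not FortiGuard’s analysis code or anything taken from the malware) that recovers strings from a Mirai-style config table XOR-encoded with the single-byte key the report names, and that goes one step further by brute-forcing the key from the blob alone, which is what an analyst does when a new build changes the key but not the scheme. The config entries, their NUL-separated layout and the resulting blob are constructed for illustration and are not the real ShadowV2 values.

```python
"""Added example (not FortiGuard's or the malware's code): recovering strings
from a Mirai-style config table obfuscated with a single-byte XOR key, as the
report describes for ShadowV2 (key 0x22). Sample entries and blob are
constructed for illustration."""

SHADOWV2_KEY = 0x22  # single-byte key reported by FortiGuard Labs

# Constructed sample entries of the kind a Mirai config table holds
# (file paths, a User-Agent). These are NOT the real ShadowV2 values.
SAMPLE_ENTRIES = [
    b"/bin/busybox",
    b"Mozilla/5.0 (Linux; Android 10)",
    b"/proc/self/exe",
]
# Assumed layout: NUL-terminated entries, then the whole table XORed with
# the key, which is how such a table would sit inside a sample.
SAMPLE_BLOB = bytes(
    b ^ SHADOWV2_KEY for b in b"\x00".join(SAMPLE_ENTRIES) + b"\x00"
)


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; the operation is its own inverse."""
    return bytes(b ^ key for b in data)


def decode_config(blob: bytes, key: int = SHADOWV2_KEY) -> list[str]:
    """Decode the table and split it into its NUL-terminated strings."""
    plain = xor_bytes(blob, key)
    return [s.decode("ascii", "replace") for s in plain.split(b"\x00") if s]


def _printable_score(data: bytes) -> int:
    # Count bytes that are printable ASCII or the NUL separators we expect;
    # the correct key turns every byte of a config table into one of these.
    return sum(1 for b in data if 0x20 <= b <= 0x7E or b == 0)


def guess_xor_key(blob: bytes) -> int:
    """Brute-force all 256 single-byte keys and keep the most text-like
    decoding. With paths, spaces, digits and mixed-case letters present,
    only the true key maps every byte into printable ASCII or NUL."""
    return max(range(256), key=lambda k: _printable_score(xor_bytes(blob, k)))


if __name__ == "__main__":
    key = guess_xor_key(SAMPLE_BLOB)
    print(f"recovered key: {key:#04x}")
    for entry in decode_config(SAMPLE_BLOB, key):
        print("  ", entry)
```

On a real sample you would feed `guess_xor_key` the bytes of the `.rodata` region (or the table the unpacker hands you) rather than a constructed blob; the scoring only needs the table to be mostly ASCII, which holds for Mirai-family configs.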
Once installed, the malware attempts to contact its Command and Control (C2) server. It first tries to resolve the domain silverpath[.]shadowstresser[.]info. If DNS resolution fails, a plausible condition during a cloud disruption like the AWS outage the campaign coincided with, it falls back to a hardcoded IP address so that it can still receive orders. For defenders, that fallback is itself a signal: a host whose lookup of the C2 domain fails and which then opens a direct connection to a bare IP is behaving exactly as the bot does.
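The following is an added detection example, not code from FortiGuard’s report. It matches the indicators the article publishes (the download host 81[.]88[.]18[.]108, the dropper name binary.sh and the C2 domain silverpath[.]shadowstresser[.]info) against log lines and flags the fallback pattern described above: a failed lookup of the C2 domain followed, from the same source host, by an outbound connection to a raw IP. The log format, timestamps, internal hosts and the fallback address 203.0.113.7 are constructed; the article does not give the real hardcoded C2 IP.

```python
"""Added example (not from FortiGuard's report): matching published ShadowV2
indicators against constructed log lines and flagging the C2 fallback
pattern (failed C2 DNS lookup, then a direct connection from the same host).
Log lines, hosts and the fallback IP 203.0.113.7 are constructed."""
from datetime import datetime, timedelta
import ipaddress
import re

# Indicators from the article, stored defanged exactly as published.
IOCS_DEFANGED = {
    "download_host": "81[.]88[.]18[.]108",
    "c2_domain": "silverpath[.]shadowstresser[.]info",
    "dropper": "binary.sh",
}


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into its matchable form."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


IOCS = {k: refang(v) for k, v in IOCS_DEFANGED.items()}

# Constructed log lines in an assumed 'timestamp src kind detail' format:
#   dns  <qname> <rcode>      http <url>      conn <ip>:<port>
SAMPLE_LOG = """\
2025-10-20T08:00:01 10.0.0.5 http GET http://81.88.18.108/binary.sh
2025-10-20T08:00:05 10.0.0.5 dns silverpath.shadowstresser.info SERVFAIL
2025-10-20T08:00:09 10.0.0.5 conn 203.0.113.7:1234
2025-10-20T08:01:00 10.0.0.9 dns example.org NOERROR
2025-10-20T08:01:02 10.0.0.9 conn 198.51.100.20:443
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (dns|http|conn) (.+)$")


def parse_log(text: str) -> list[dict]:
    """Parse lines into events; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, kind, detail = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "src": src,
                       "kind": kind, "detail": detail})
    return events


def match_iocs(events: list[dict]) -> list[str]:
    """Plain indicator matching: dropper download and C2 domain lookups."""
    alerts = []
    for e in events:
        if e["kind"] == "http" and (IOCS["download_host"] in e["detail"]
                                    or e["detail"].endswith("/" + IOCS["dropper"])):
            alerts.append(f"{e['src']} fetched dropper: {e['detail']}")
        elif e["kind"] == "dns" and e["detail"].split()[0] == IOCS["c2_domain"]:
            alerts.append(f"{e['src']} looked up C2 domain: {e['detail']}")
    return alerts


def find_dns_fallback(events: list[dict],
                      window: timedelta = timedelta(seconds=60)) -> list[tuple[str, str]]:
    """Flag hosts whose C2 lookup failed and that then connected straight to a
    bare IP within `window`. Events are assumed to be in time order."""
    hits = []
    for i, e in enumerate(events):
        if e["kind"] != "dns":
            continue
        qname, _, rcode = e["detail"].partition(" ")
        if qname != IOCS["c2_domain"] or rcode == "NOERROR":
            continue
        for later in events[i + 1:]:
            if later["ts"] - e["ts"] > window:
                break
            if later["kind"] == "conn" and later["src"] == e["src"]:
                ip = later["detail"].rsplit(":", 1)[0]
                try:
                    ipaddress.ip_address(ip)  # only literal IPs count as fallback
                except ValueError:
                    continue
                hits.append((e["src"], ip))
                break
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for a in match_iocs(evs):
        print("IOC:", a)
    for src, ip in find_dns_fallback(evs):
        print(f"FALLBACK: {src} failed C2 lookup then connected to {ip}")
```

The fallback rule is deliberately independent of the hardcoded IP, since that value is not public here and would change between builds anyway; tune the window to your DNS timeout and retry behaviour, and expect some noise from hosts that legitimately retry a failed name by IP.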
The botnet is capable of launching multiple types of Distributed Denial of Service (DDoS) attacks, including:
- UDP Floods (Generic, Plain, and Custom)
- TCP Floods (SYN, ACK, STOMP)
- HTTP Floods
Despite being a “test run,” the campaign achieved significant reach. The compromised devices spanned seven different industries, including technology, retail, manufacturing, and government sectors.
The geographical footprint was equally widespread, with the report describing affected nations across every populated continent; the examples it gives include:
- Americas: United States, Canada, Brazil
- Europe: UK, France, Italy
- Asia: China, Japan, Russia
“Our analysis of ShadowV2 reveals that IoT devices remain a weak link in the broader cybersecurity landscape,” the report concludes. “The evolution of ShadowV2 suggests a strategic shift in the targeting behavior of threat actors toward IoT environments.”