ShadowV2 IoT Botnet Emerges Amid AWS Outage, Signals Potential Future Threat
November 27, 2025
A new Mirai-based IoT botnet, ShadowV2, briefly appeared during a major AWS outage, targeting a range of devices from D-Link, TP-Link, and other vendors using multiple known vulnerabilities and suggesting a test run.
ShadowV2 surfaced as a cloud-native Mirai variant and was active for up to about 15 hours, indicating it may be staged for a larger future operation.
During its short window of activity, ShadowV2 exploited vulnerabilities across several manufacturers—including DD-WRT, D-Link, DigiEver, TBK, and TP-Link—to enlist routers, access points, NAS boxes, DVRs, and network video recorders.
The threat network is global, with detections across North/South America, Europe, Africa, Asia, and Oceania, impacting sectors from technology and government to manufacturing, retail, and telecommunications.
Related security resources emphasize ongoing MCP (Model Context Protocol) best practices and research guides to secure IoT and connected systems amid expanding LLM-to-tool integrations.
Fortinet's FortiGuard Labs issued IoCs and underscored the importance of timely firmware updates on IoT devices to mitigate risk, noting the campaign’s broad geographic reach.
Attribution and monetization remain unclear; typical botnet models such as renting power or direct extortion are possible, but ShadowV2’s revenue model has not been identified.
CVE-2024-10914 (and related CVEs) affect end-of-life D-Link devices and remain unpatched, with further unrepaired models confirmed after vendor inquiries.
ShadowV2 has been observed in more than two dozen countries, with IoT devices likely the primary infection target rather than traditional servers.
Security notes link ShadowV2 to broader IoT risk, including a TP-Link zero-day vulnerability threatening millions of routers and other IoT devices.
Around the same period, Azure faced a separate, record-setting DDoS attack (originating from the Aisuru botnet) peaking at 15.72 Tbps, mitigated by Microsoft with no customer impact.
Researchers view ShadowV2 as likely a test run, with the potential for a larger future attack.
ShadowV2 connects to a C2 server to receive commands for DDoS operations, deploying UDP, TCP, and HTTP floods once instructed.
The malware fetches a downloader script (binary.sh) from a staging server and keeps its configuration values (paths, User-Agent strings, and HTTP headers) XOR-encoded to disguise its activity from simple string inspection.
There is no precise count of infected devices or current growth data yet, but ShadowV2 is considered a lingering threat beyond the initial outage window.
Propagation occurs via a downloader that deploys ShadowV2 from a server and then configures it with an XOR-encoded setup before contacting the C2.
The campaign centers on multiple vendor devices (DD-WRT, D-Link, DigiEver, TBK, TP-Link, and others) and uses a downloader script to install the main payload.
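The XOR-encoded configuration mentioned above is a standard Mirai-family trait, and recovering it is a routine triage step when extracting IoCs from a sample. The following is an added example, not code from ShadowV2, Fortinet, or any of the cited sources: it builds a constructed length-prefixed table of XOR-encoded strings (the key 0x5A, the table layout and the sample strings are all assumptions made for the demo; the page does not describe ShadowV2's real key or layout) and then recovers the key by brute force, scoring each candidate by how much readable ASCII it yields.

```python
"""Recover strings from a Mirai-style single-byte XOR configuration table.

Added illustration only. The key (0x5A), the [len][encoded bytes] layout and
the sample strings are constructed here; ShadowV2's real configuration
format is not described on the page.
"""

# Constructed sample entries (hypothetical values, not real IoCs).
SAMPLE_STRINGS = [
    b"/bins/binary.sh",
    b"Mozilla/5.0 (compatible; example-ua)",
    b"Content-Type: application/x-www-form-urlencoded",
]
ASSUMED_KEY = 0x5A  # assumption for the demo, not ShadowV2's key


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key; the operation is self-inverse."""
    return bytes(b ^ key for b in data)


def build_table(entries, key: int) -> bytes:
    """Emit a length-prefixed table: one [len][xor-encoded bytes] record per entry."""
    out = bytearray()
    for s in entries:
        enc = xor_bytes(s, key)
        out.append(len(enc))
        out += enc
    return bytes(out)


def parse_table(blob: bytes):
    """Split a length-prefixed table into its still-encoded records."""
    records, i = [], 0
    while i < len(blob):
        n = blob[i]
        i += 1
        records.append(blob[i:i + n])
        i += n
    return records


def readability_score(data: bytes) -> int:
    """Score decoded bytes: lowercase text scores best, control/high bytes are penalised.

    The weights are chosen so that the correct key is a strict maximum for
    ordinary ASCII config strings (paths, User-Agents, headers); bit-flipped
    near misses (e.g. case flips) lose points on letters they move out of class.
    """
    score = 0
    for b in data:
        if 0x61 <= b <= 0x7A:        # a-z
            score += 3
        elif 0x41 <= b <= 0x5A:      # A-Z
            score += 2
        elif 0x20 <= b <= 0x7E:      # digits, space, punctuation
            score += 1
        else:                        # control or non-ASCII byte
            score -= 20
    return score


def recover_key(encoded_records) -> int:
    """Try all 256 single-byte keys and keep the one giving the most readable text."""
    joined = b"".join(encoded_records)
    best_key, best_score = 0, None
    for k in range(256):
        s = readability_score(xor_bytes(joined, k))
        if best_score is None or s > best_score:
            best_key, best_score = k, s
    return best_key


def decode_table(blob: bytes):
    """Return (recovered_key, list_of_decoded_strings) for an encoded table."""
    records = parse_table(blob)
    key = recover_key(records)
    return key, [xor_bytes(r, key).decode("ascii", "replace") for r in records]


if __name__ == "__main__":
    table = build_table(SAMPLE_STRINGS, ASSUMED_KEY)
    key, strings = decode_table(table)
    print(f"recovered key: 0x{key:02x}")
    for s in strings:
        print("  ", s)
```

Real Mirai descendants often apply a four-byte key bytewise, which collapses to a single-byte XOR and is therefore covered by the same 256-candidate search; when the layout differs, the scoring function still works on any byte run you carve out of the binary.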
The incident serves as a reminder to secure IoT devices, maintain firmware updates, and monitor for unusual traffic, with Fortinet providing IoCs for threat hunting.
ShadowV2 expanded to affect 28 countries across multiple sectors, including technology, retail and hospitality, manufacturing, MSSPs, government, telecom, and education.
ShadowV2 resembles a first-generation IoT-focused build, labeled Build v1.0.0 IoT version, suggesting it may be the initial IoT-oriented form of ShadowV2.
Activity appears limited to the AWS outage window, with potential for a fuller return in future operations.
The malware identifies itself as ShadowV2 Build v1.0.0 IoT version and is delivered via an initial access stage using a downloader from 81.88.18.108.
Experts advocate timely firmware updates and strong security practices to curb IoT botnet recruitment and DDoS risk.
Overall, ShadowV2 abuses multiple vulnerabilities to deploy, configure, and command its IoT-focused DDoS threat.
The outbreak timing during a global AWS outage points to a test run aimed at validating capacity for larger-scale future campaigns.
Origins trace to a specific IP and target devices like routers, NAS, and DVRs across seven sectors worldwide, including government and telecommunications.
ShadowV2 marks an evolution from targeting AWS to a broader, multi-industry threat across technology, retail, government, and telecom sectors.
The botnet exploits at least eight vulnerabilities across vendors, including CVE-2009-2765, CVE-2020-25506, CVE-2022-37055, CVE-2024-10914, CVE-2024-10915, CVE-2023-52163, CVE-2024-3721, and CVE-2024-53375.
Summary based on 4 sources
Sources

TechRadar • Nov 27, 2025
This devious botnet tried a trial run during the recent AWS outage - so when will it be back?
BleepingComputer • Nov 26, 2025
New ShadowV2 botnet malware used AWS outage as a test opportunity
The Register • Nov 26, 2025
Botnet takes advantage of AWS outage to smack 28 countries