
CYBER SYRUP
Delivering the sweetest insights on cybersecurity.
ShadowV2 Botnet Emerges as a Sophisticated DDoS-for-Hire Platform Targeting Misconfigured Cloud Containers

Cybersecurity researchers have identified ShadowV2, a newly emerging botnet designed as a commercial DDoS-for-hire service. The campaign targets misconfigured Docker containers—primarily on Amazon Web Services (AWS)—to deploy a Go-based remote access trojan (RAT) and conscript cloud systems into high-performance DDoS attack nodes. ShadowV2 leverages advanced methods such as HTTP/2 Rapid Reset, Cloudflare bypass techniques, and modular containerized deployment. The findings highlight the rapid evolution of cybercrime-as-a-service and the increasing weaponization of cloud misconfigurations.
Context
Botnets built for DDoS attacks have traditionally relied on compromised consumer IoT devices. In contrast, ShadowV2 targets enterprise cloud infrastructure, enabling more powerful and scalable attack capabilities. Misconfigured Docker daemons are a recurring weak point: exposed APIs allow attackers to deploy arbitrary containers or manipulate live workloads.
ShadowV2 arrives at a time when DDoS attacks are reaching historic volumes, including Cloudflare’s recently blocked 22.2 Tbps event—now the largest ever recorded.
What Happened
Darktrace researchers observed ShadowV2 activity on June 24, 2025, when the botnet attempted to infect its honeypots. Key characteristics include:
Compromise of exposed Docker daemons on AWS EC2
Deployment of a Go-based RAT inside custom containers
Use of a Python-based spreader and control framework hosted on GitHub Codespaces
Modular architecture supporting large-scale DDoS-for-hire operations
The botnet is marketed by its operators as an “advanced attack platform,” offering customizable attack parameters via an integrated API and operator dashboard.
Technical Breakdown
Infection Chain
ShadowV2 relies on:
Python spreader module – breaches Docker daemons and initializes a staging container
Ubuntu setup container – installs required tools before building the payload container
Go-based RAT – executed inside the final container
This layered approach may reduce forensic artifacts by performing installation actions directly inside the victim’s environment.
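The infection chain above starts from a Docker daemon whose API is reachable over TCP without client authentication. As an added example (not code from the article, from Darktrace, or from the ShadowV2 operators), the following Python audit reads the two places dockerd takes its listener list from, daemon.json ("hosts"/"tlsverify") and -H/--host flags on its command line, and reports any tcp:// listener that is served without tlsverify. The daemon.json contents and command lines in it are constructed, and treating a listener spec without a scheme as tcp:// is an assumption of this example.

```python
"""Audit a Docker daemon's listener configuration for an unauthenticated TCP API.

Added example; not the article's, Darktrace's or ShadowV2's code. A tcp://
listener without "tlsverify" is the misconfiguration the article describes:
anyone who can reach the port can create containers on the host.
"""
import json
import shlex
from typing import Optional
from urllib.parse import urlparse

DEFAULT_TCP_PORT = 2376          # conventional TLS port; 2375 is the plaintext one
ALL_INTERFACES = {"", "0.0.0.0", "::"}


def hosts_from_cmdline(cmdline: str) -> list:
    """Collect every listener given as -H X, --host X, -H=X or --host=X."""
    argv = shlex.split(cmdline)
    hosts, i = [], 0
    while i < len(argv):
        arg = argv[i]
        if arg in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])
            i += 2
            continue
        for prefix in ("-H=", "--host="):
            if arg.startswith(prefix):
                hosts.append(arg[len(prefix):])
        i += 1
    return hosts


def tlsverify_from_cmdline(cmdline: str) -> bool:
    """True when --tlsverify (or --tlsverify=true) appears on the command line."""
    for arg in shlex.split(cmdline):
        name, _, value = arg.partition("=")
        if name == "--tlsverify" and value.lower() != "false":
            return True
    return False


def describe_listener(spec: str) -> dict:
    """Split a listener spec into scheme, bind address and port.
    Assumption for this example: a spec without a scheme is treated as tcp://."""
    if "://" not in spec:
        spec = "tcp://" + spec
    u = urlparse(spec)
    return {"scheme": u.scheme, "bind": u.hostname or "", "port": u.port}


def audit(daemon_json: Optional[dict], cmdline: str = "") -> list:
    """Return findings as strings; an empty list means no TCP API exposure found."""
    cfg = daemon_json or {}
    listeners = list(cfg.get("hosts", [])) + hosts_from_cmdline(cmdline)
    tls_verify = bool(cfg.get("tlsverify", False)) or tlsverify_from_cmdline(cmdline)
    findings = []
    for spec in listeners:
        info = describe_listener(spec)
        if info["scheme"] != "tcp":
            continue            # unix:// and fd:// sockets are local; out of scope here
        port = info["port"] or DEFAULT_TCP_PORT
        bind = info["bind"] or "0.0.0.0"
        if not tls_verify:
            findings.append(f"CRITICAL: tcp://{bind}:{port} serves the Docker API "
                            f"without client-certificate auth (tlsverify off)")
        elif info["bind"] in ALL_INTERFACES:
            findings.append(f"WARN: tcp://{bind}:{port} is bound on all interfaces; "
                            f"restrict it with a security group or host firewall")
    return findings


def audit_file(path: str = "/etc/docker/daemon.json", cmdline: str = "") -> list:
    """Audit a daemon.json on disk together with an optional dockerd command line."""
    try:
        with open(path) as fh:
            cfg = json.load(fh)
    except FileNotFoundError:
        cfg = None
    return audit(cfg, cmdline)


# Constructed daemon.json contents: the weak setting beside the corrected one.
EXPOSED_DAEMON_JSON = {"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}
HARDENED_DAEMON_JSON = {
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
}

if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(name, audit(cfg) or ["OK"])
    # A listener supplied on the command line is caught the same way.
    print("cmdline", audit(None, "dockerd -H fd:// -H tcp://0.0.0.0:2375"))
```

The hardened configuration keeps the TCP listener on a private address and requires a client certificate; on EC2 the security group should additionally restrict who can reach the port, since tlsverify protects the API but not against a leaked client key.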
Command-and-Control (C2)
The RAT communicates with shadow.aurozacloud[.]xyz using heartbeat signals and command polling over HTTP, with the domain hosted behind Cloudflare to obscure the true infrastructure.
The C2 uses FastAPI, Pydantic, and a login-protected operator UI supporting:
User management
Attack configuration
Endpoint targeting rules
Site exclusion lists
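A RAT that keeps a heartbeat and polls for commands shows up on the network as one host contacting one destination at nearly constant intervals. As an added example (not code from the article or from Darktrace), the Python below scores source/destination pairs in proxy or flow logs by how regular their inter-contact gaps are. The log format and every host in it are constructed, and the C2 hostname is a placeholder rather than the article's indicator.

```python
"""Spot fixed-interval outbound polling (a C2 heartbeat) in proxy/flow logs.

Added example; not the article's or Darktrace's code. Constructed log line
format: "<unix_ts> <src_ip> <dst_host>". A pair whose gaps have a low
coefficient of variation (stdev / mean) is reported as a candidate beacon.
"""
import statistics
from collections import defaultdict


def parse_line(line):
    """Return (ts, src, dst) for a well-formed line, or None otherwise."""
    parts = line.split()
    if len(parts) != 3:
        return None
    try:
        return float(parts[0]), parts[1], parts[2]
    except ValueError:
        return None


def find_beacons(lines, min_events=8, max_cv=0.15):
    """Return {(src, dst): summary} for pairs seen at least `min_events` times
    whose inter-contact intervals have coefficient of variation <= `max_cv`."""
    times = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            ts, src, dst = rec
            times[(src, dst)].append(ts)
    beacons = {}
    for pair, ts_list in times.items():
        if len(ts_list) < min_events:
            continue
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            beacons[pair] = {"events": len(ts_list), "mean_interval": mean, "cv": cv}
    return beacons


def build_sample_lines():
    """Constructed log: one host polling every ~30 s with light jitter, one browsing."""
    lines = []
    gaps = [30, 31, 29, 30, 30.5, 29.5, 30, 31, 29, 30]   # polling with +/-1 s jitter
    t = 1000.0
    lines.append(f"{t} 10.0.0.12 c2-placeholder.invalid")   # placeholder C2 name
    for g in gaps:
        t += g
        lines.append(f"{t} 10.0.0.12 c2-placeholder.invalid")
    t = 1000.0
    for g in [2, 45, 3, 120, 7, 60, 15, 300, 1]:            # bursty, irregular browsing
        t += g
        lines.append(f"{t} 10.0.0.20 updates.example.com")
    lines.append("not a log line")                           # parser must skip this
    return lines


if __name__ == "__main__":
    for (src, dst), info in find_beacons(build_sample_lines()).items():
        print(f"{src} -> {dst}: {info['events']} events, "
              f"mean {info['mean_interval']:.1f}s, cv {info['cv']:.3f}")
```

Because the article's C2 sits behind Cloudflare, the destination IP will belong to the CDN and be shared with legitimate traffic; key the analysis on the hostname from proxy logs or TLS SNI rather than on the IP, and treat a steady low-CV pair from a container host to an unfamiliar name as worth a look.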
Attack Capabilities
ShadowV2 implements:
HTTP/2 Rapid Reset attacks
Cloudflare Under Attack Mode (UAM) bypass using ChromeDP
Large-scale HTTP floods
Modular payload execution
Although the UAM bypass is likely ineffective against modern anti-automation measures, its inclusion shows active development and operator experimentation.
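HTTP/2 Rapid Reset abuses the protocol's stream cancellation: a client opens a stream with HEADERS and immediately cancels it with RST_STREAM, so the server does the request work while the client stays well under its concurrent-stream limit. As an added example (not code from the article, Darktrace or the botnet), the Python below flags that shape from per-frame log lines. The log format is constructed for this example, as is all of the traffic in it.

```python
"""Flag HTTP/2 Rapid Reset behaviour from per-frame log lines.

Added example; not the article's or Darktrace's code. Constructed line format,
one line per HTTP/2 frame seen by a reverse proxy:
    "<unix_ts> <client_ip> conn=<id> frame=<TYPE> stream=<id>"
Rapid Reset shows as a burst of RST_STREAM frames on one connection together
with a reset-to-request ratio near 1.
"""
import re
from collections import defaultdict, deque

LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) (?P<ip>[\d.]+) conn=(?P<conn>\d+) "
    r"frame=(?P<frame>[A-Z_]+) stream=(?P<stream>\d+)$")


def parse_line(line: str):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = float(rec["ts"])
    return rec


def detect_rapid_reset(lines, window_s=1.0, reset_threshold=100, min_ratio=0.8):
    """Return {conn_id: summary} for connections whose RST_STREAM count inside a
    sliding `window_s` window reached `reset_threshold` and whose resets cover
    at least `min_ratio` of the streams they opened."""
    opened = defaultdict(int)
    reset_total = defaultdict(int)
    recent = defaultdict(deque)   # conn -> reset timestamps inside the window
    peak = defaultdict(int)
    client = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        conn = rec["conn"]
        client[conn] = rec["ip"]
        if rec["frame"] == "HEADERS":
            opened[conn] += 1
        elif rec["frame"] == "RST_STREAM":
            reset_total[conn] += 1
            q = recent[conn]
            q.append(rec["ts"])
            while q and rec["ts"] - q[0] > window_s:
                q.popleft()
            peak[conn] = max(peak[conn], len(q))
    flagged = {}
    for conn, pk in peak.items():
        ratio = reset_total[conn] / opened[conn] if opened[conn] else 0.0
        if pk >= reset_threshold and ratio >= min_ratio:
            flagged[conn] = {"client": client[conn], "streams_opened": opened[conn],
                             "resets": reset_total[conn],
                             "peak_resets_per_window": pk, "reset_ratio": ratio}
    return flagged


def build_sample_lines():
    """Constructed traffic: one abusive connection and one ordinary one."""
    lines = []
    # conn 7: 150 streams opened and cancelled within ~0.75 s (Rapid Reset shape)
    for i in range(150):
        t = 1000.0 + i * 0.005
        sid = 2 * i + 1                       # client-initiated streams use odd ids
        lines.append(f"{t:.3f} 203.0.113.10 conn=7 frame=HEADERS stream={sid}")
        lines.append(f"{t + 0.001:.3f} 203.0.113.10 conn=7 frame=RST_STREAM stream={sid}")
    # conn 3: a browser fetching 10 resources over 5 s and cancelling one of them
    for i in range(10):
        lines.append(f"{1000.0 + i * 0.5:.3f} 198.51.100.4 conn=3 frame=HEADERS stream={2 * i + 1}")
    lines.append("1003.200 198.51.100.4 conn=3 frame=RST_STREAM stream=13")
    lines.append("garbage line that the parser must skip")
    return lines


if __name__ == "__main__":
    for conn, info in detect_rapid_reset(build_sample_lines()).items():
        print(f"conn {conn} from {info['client']}: {info}")
```

The thresholds are starting points to tune against your own baseline: a browser cancelling a handful of streams is normal, while hundreds of cancellations per second on a single connection is not. The matching mitigation lives at the connection level (a per-connection reset budget and tearing down connections that exhaust it), since per-stream limits are exactly what the technique sidesteps.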
Impact Analysis
ShadowV2’s focus on cloud container takeover introduces significant risks:
Cloud infrastructure offers higher bandwidth and computational power than IoT botnets
Misconfigured Docker APIs create an accessible attack surface
Container-based payloads can be rapidly deployed at scale
Forensics and recovery are more difficult when attackers build containers directly in-environment
The emergence of a full operator UI and rentable access strongly indicates a commercial cybercrime-as-a-service model, lowering the barrier for buyers to launch sophisticated DDoS operations.
Additionally, the discovery parallels broader botnet activity:
F5 Labs detected a scanning botnet using 11,690+ Mozilla User-Agent strings
Cloudflare blocked multiple record-breaking hyper-volumetric attacks
QiAnXin XLab analyzed the AISURU botnet—infecting 300,000 devices, supporting both DDoS and proxy operations
The ecosystem around DDoS-as-a-service is maturing, with multiple actors adopting modular, cloud-based models.
Why It Matters
ShadowV2 exemplifies major trends reshaping modern cybercrime:
Cloud misconfiguration is now a leading vector for botnet recruitment
DDoS-for-hire is evolving into a scalable SaaS-style business
Attackers are adopting enterprise-grade tooling, CI/CD pipelines, and containerization
Cloud infrastructure enables attacks at unprecedented bandwidth levels
Organizations with exposed Docker daemons face severe risk of being pulled into a botnet—and being used to attack others.
Expert Commentary
Nathaniel Bill of Darktrace notes that ShadowV2’s modular API, Go-based RAT, and containerization show “the continued development of cybercrime-as-a-service,” emphasizing that threat actors are applying professional software design principles to offensive tooling.
QiAnXin XLab researchers warn that global botnet activity is accelerating, with AISURU launching attacks across China, the U.S., Germany, the U.K., and Hong Kong, and integrating anonymization features that appeal to buyers seeking evasion.
Key Takeaways
ShadowV2 is a sophisticated DDoS-for-hire botnet built for cloud exploitation.
It targets misconfigured Docker containers, particularly on AWS.
It uses a Python C2 hosted on GitHub Codespaces and a Go-based RAT.
It supports HTTP/2 Rapid Reset, HTTP floods, and Cloudflare bypass attempts.
It features an operator dashboard and structured API for configuring attacks.
Reflects rapid commercialization of cybercrime-as-a-service.
Cloud-based botnets can generate massive DDoS volumes.
Misconfigured Docker environments remain high-priority risks.

