ShadowV2 Botnet: The Alarming Rise of DDoS-for-Hire

Summary
– The ShadowV2 DDoS campaign uses a command-and-control framework hosted on GitHub CodeSpaces and deploys malware via a multi-stage Docker process on exposed AWS EC2 instances.
– Initial compromise is achieved by a Python script that spawns a temporary container on the victim’s host, builds a malicious image, and deploys a live instance to reduce forensic artifacts.
– A Go-based remote access trojan (RAT) maintains communication by sending a heartbeat every second and polling a RESTful API for commands every five seconds.
– The malware executes DDoS attacks, including HTTP2 rapid reset floods and high-thread HTTP floods, using techniques like query string randomization and a Cloudflare under-attack-mode bypass.
– The operation features a sophisticated, multi-tenant API and user interface, reflecting a mature cybercrime-as-a-service model that requires defenders to monitor containerized environments and anomalous API usage.
A sophisticated new botnet operation is leveraging cloud-native development tools to deliver powerful DDoS-for-hire services, signaling a dangerous evolution in cybercrime business models. Security researchers at Darktrace have identified the ShadowV2 campaign, which integrates a Python-based infection mechanism hosted on GitHub CodeSpaces with a multi-stage Docker deployment process. This approach targets exposed Docker daemons on cloud infrastructure, deploying a Go-based remote access trojan that communicates via a RESTful API to execute devastating denial-of-service attacks.
The initial compromise begins with a Python script running within GitHub’s cloud development environment, identifiable through specific headers and connections originating from known IP addresses. Attackers focus on vulnerable Docker installations on AWS EC2 instances, where they deploy a temporary container to install tools, create a custom image, and then launch a live instance with malware delivered through environment variables. This “build-on-victim” methodology potentially reduces the forensic evidence left behind, making investigation more challenging.
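The "build-on-victim" sequence above leaves a distinctive trail in the Docker daemon's own event stream: an image is tagged locally (by a commit or build) and a container is started from it moments later, with no registry pull in between. The following detector is an added example written for this article, not Darktrace's tooling; the event lines, container names, image tags and the 600-second freshness window are constructed assumptions in the shape of `docker events --format '{{json .}}'` output.

```python
import json

# Constructed sample of Docker daemon events (illustrative, not real telemetry):
# a throwaway container is started from a stock base image, committed and tagged
# on the host, torn down, and a second container is launched from the new image.
SAMPLE_EVENTS = """
{"Type":"container","Action":"create","time":1700000000,"Actor":{"ID":"c1","Attributes":{"image":"ubuntu:22.04","name":"setup"}}}
{"Type":"container","Action":"start","time":1700000001,"Actor":{"ID":"c1","Attributes":{"image":"ubuntu:22.04","name":"setup"}}}
{"Type":"container","Action":"commit","time":1700000040,"Actor":{"ID":"c1","Attributes":{"image":"ubuntu:22.04","name":"setup"}}}
{"Type":"image","Action":"tag","time":1700000041,"Actor":{"ID":"sha256:aaaa","Attributes":{"name":"staged:latest"}}}
{"Type":"container","Action":"destroy","time":1700000042,"Actor":{"ID":"c1","Attributes":{"image":"ubuntu:22.04","name":"setup"}}}
{"Type":"container","Action":"create","time":1700000043,"Actor":{"ID":"c2","Attributes":{"image":"staged:latest","name":"worker"}}}
{"Type":"image","Action":"pull","time":1700050000,"Actor":{"ID":"sha256:bbbb","Attributes":{"name":"nginx:1.25"}}}
{"Type":"container","Action":"create","time":1700050001,"Actor":{"ID":"c3","Attributes":{"image":"nginx:1.25","name":"web"}}}
"""

WINDOW_SECONDS = 600  # assumption: how long a locally tagged image counts as "fresh"


def parse_events(text):
    """Parse one JSON event per line and order them by daemon timestamp."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    return sorted(events, key=lambda e: e["time"])


def detect_build_on_victim(events, window=WINDOW_SECONDS):
    """Flag containers created from an image that was tagged on this host within
    `window` seconds and was never pulled from a registry after that tag."""
    tagged = {}      # image ref -> time it was tagged locally (commit/build)
    pulled = {}      # image ref -> time it was last pulled from a registry
    last_commit = None
    findings = []
    for e in events:
        t, attrs = e["time"], e["Actor"]["Attributes"]
        if e["Type"] == "image" and e["Action"] == "tag":
            tagged[attrs["name"]] = t
        elif e["Type"] == "image" and e["Action"] == "pull":
            pulled[attrs["name"]] = t
        elif e["Type"] == "container" and e["Action"] == "commit":
            last_commit = t
        elif e["Type"] == "container" and e["Action"] == "create":
            image = attrs["image"]
            t_tag = tagged.get(image)
            if t_tag is not None and t - t_tag <= window and pulled.get(image, -1) < t_tag:
                findings.append({"container": attrs["name"], "image": image,
                                 "tagged_at": t_tag, "created_at": t,
                                 "commit_preceded": last_commit is not None and last_commit <= t_tag})
    return findings
```

The pull-then-create pair at the end of the sample is the benign control case and produces no finding.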
Jason Soroko, a senior cybersecurity expert, observes that this represents a maturing criminal marketplace where specialization creates efficiency. By concentrating exclusively on DDoS capabilities and selling access to this firepower, operators minimize their operational risks while streamlining their tools and aligning their business model with customer demands.
Once established on a compromised system, the Go-based malware initiates contact with its command server using configuration parameters, generates a unique identifier for the infected machine, and maintains constant communication through dual loops: sending heartbeat signals every second and checking for new commands every five seconds. Through emulation, researchers captured attack instructions that orchestrate high-volume HTTP2 rapid reset assaults and multi-threaded HTTP floods, including demonstrations targeting servers in Amsterdam with 120 simultaneous threads.
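Fixed-interval loops like the one-second heartbeat and five-second command poll described above are easier to spot statistically than by signature. The following beacon detector is an added example written for this article, not part of Darktrace's research; the connection log is constructed in code, and the host names, source addresses and the `/heartbeat` and `/poll` paths are hypothetical placeholders rather than the botnet's real endpoints.

```python
import random
from collections import defaultdict
from statistics import mean, pstdev


def constructed_flows(seed=7):
    """Build a constructed connection log of (timestamp, src, dst, path) tuples:
    a 1 s stream and a 5 s stream with small jitter, plus irregular background noise."""
    rng = random.Random(seed)
    base = 1700000000.0
    flows = []
    for i in range(120):   # heartbeat roughly once per second
        flows.append((base + i + rng.uniform(-0.02, 0.02), "10.0.0.5", "c2.example", "/heartbeat"))
    for i in range(24):    # command poll roughly every five seconds
        flows.append((base + 5 * i + rng.uniform(-0.1, 0.1), "10.0.0.5", "c2.example", "/poll"))
    for _ in range(60):    # ordinary traffic with no regular cadence
        flows.append((base + rng.uniform(0, 120), "10.0.0.7", "cdn.example", "/asset"))
    return sorted(flows)


def detect_beacons(flows, min_events=10, max_cv=0.1):
    """Group connections by (src, dst, path) and flag groups whose inter-arrival
    times are nearly constant: coefficient of variation (stdev / mean) <= max_cv."""
    groups = defaultdict(list)
    for ts, src, dst, path in flows:
        groups[(src, dst, path)].append(ts)
    hits = []
    for (src, dst, path), times in groups.items():
        if len(times) < min_events:
            continue               # too few samples to judge periodicity
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        m = mean(gaps)
        cv = pstdev(gaps) / m if m > 0 else float("inf")
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "path": path,
                         "period": round(m, 2), "cv": round(cv, 3), "count": len(times)})
    return sorted(hits, key=lambda h: h["period"])
```

Grouping by path keeps the two interleaved loops from blurring into one noisy interval series; on real traffic, group on whatever field distinguishes the request types (URI, SNI, port).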
The attack client utilizes the Valyala fasthttp library and incorporates sophisticated features including randomized query strings, spoofed headers, and specialized techniques to bypass Cloudflare’s under-attack-mode protection. It also employs an HTTP2 rapid reset mode that dramatically increases the volume of requests that can be launched against targets.
Shane Barney, a chief information security officer, emphasizes that ShadowV2 demonstrates how cybercrime has transformed into a full-fledged industry. Threat actors now approach DDoS attacks as a commercial service, complete with professional-grade interfaces, dashboards, and API integration.
The campaign’s infrastructure reveals a surprisingly polished operation featuring an OpenAPI specification implemented with FastAPI and Pydantic, a comprehensive login panel, and an operator interface built using the Tailwind framework. The API demonstrates multi-tenant capabilities with distinct privilege levels and endpoints that enable attackers to launch assaults using lists of compromised systems. Although the login page displays a fake seizure notice, it still reveals what appears to be an “advanced attack platform” to anyone attempting access.
Key technical components include a Python command-and-control system hosted in CodeSpaces, a Docker-based propagation mechanism that builds images directly on infected hosts, and a Go remote access trojan that uses RESTful registration and polling. The platform offers multiple DDoS options, including the sophisticated HTTP2 rapid reset technique and Cloudflare UAM bypass capabilities.
Darktrace characterizes this as cybercrime-as-a-service that closely mimics legitimate cloud applications. The presence of a fully functional DDoS service panel with user management features underscores the necessity for defenders to view these campaigns not as isolated tools but as evolving platforms with continuous development.
For security teams, the implications demand significant adjustments to defensive strategies. Effective protection requires comprehensive visibility into containerized environments, continuous monitoring of cloud workloads, and behavioral analytics capable of detecting anomalous API usage patterns and suspicious container orchestration activities. This sophisticated approach to cybercrime means traditional security measures may prove insufficient against professionally operated platforms designed for maximum impact.
(Source: InfoSecurity Magazine)