ShadowV2: The Botnet Hiding in Plain Sight on Amazon’s Cloud
Cybercriminals are turning misconfigured AWS Docker containers into powerful DDoS-for-hire services - blurring the lines between legitimate enterprise tech and digital weaponry.
Fast Facts
- ShadowV2 is a new for-hire botnet exploiting unsecured Docker containers on Amazon Web Services (AWS).
- The botnet uses advanced techniques to launch massive distributed denial-of-service (DDoS) attacks, including Cloudflare bypasses and HTTP/2 rapid resets.
- Operators control ShadowV2 via a slick interface and API, making it look and operate like mainstream business software.
- Researchers warn that this approach complicates detection and defense for cloud users.
- The campaign reflects a growing trend: cybercrime-as-a-service, where anyone can rent powerful attack tools.
A New Breed of Botnet: Cloud-Native and Disguised
Picture a digital wolf in sheep’s clothing: ShadowV2, a botnet masquerading as legitimate cloud software, slips through the gates of Amazon’s cloud by preying on a common but often overlooked weakness - misconfigured Docker containers. Once inside, it quietly transforms these cloud servers into weapons for hire, available to anyone willing to pay.
Detected by Darktrace in June 2025, ShadowV2 is not your average botnet. Instead of relying on outdated hacking tricks, its creators have borrowed the best tools from modern enterprise tech - container orchestration, modular code, and sleek dashboards - to industrialize DDoS attacks. The botnet’s main targets: Docker daemons (the software that runs containers) left open to the world on AWS’s Elastic Compute Cloud (EC2). With as many as 24,000 Docker endpoints exposed online, the playground is vast.
From Cloud Innovation to Criminal Enterprise
In the past, DDoS botnets were typically cobbled together from hacked home routers or security cameras. But ShadowV2 signals a shift: attackers now exploit the very cloud-native tools that power the world’s biggest apps. Using scripts hosted on GitHub Codespaces, the attackers scan for vulnerable Docker servers, then launch a generic “setup” container. Inside, they plant a Go-based malware that turns each infected server into a DDoS attack node, all while leaving as few traces as possible.
The botnet’s command center is built with Python frameworks and hides behind Cloudflare, making takedowns tricky. Operators can log in, configure attacks, choose targets, and even exclude certain sites - just like managing a cloud service. The malware itself is nimble, able to bypass some of Cloudflare’s defenses and unleash floods of web traffic that can bring down even well-protected sites. While some of these bypasses (like the ChromeDP trick) may not always work as intended, the sophistication is clear.
Why This Matters: Cybercrime-as-a-Service Goes Mainstream
ShadowV2 isn’t alone. Recent record-breaking DDoS attacks - including one that peaked at 22.2 terabits per second - show that botnets are scaling up rapidly, often leveraging insecure cloud services. Chinese researchers have linked similar attacks to botnets like AISURU, which infects hundreds of thousands of devices globally. What’s new is the business-like polish: APIs, dashboards, and modular features that attract paying customers, not just technical hackers.
Experts warn that organizations must adapt. Traditional firewalls and perimeter defenses are no longer enough. Cloud users need to harden container security, monitor for unusual behavior, and adopt a “zero trust” mindset - never assuming any part of their environment is safe just because it’s in the cloud.
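As an added illustration of the misconfiguration the article describes (this is not code from Darktrace or from the article), the following audit reads a Docker daemon's listen settings and flags an Engine API reachable over the network without TLS client verification. It assumes Docker's conventional ports 2375 (plaintext) and 2376 (TLS), reads the `hosts`, `tls` and `tlsverify` keys of daemon.json plus the matching dockerd flags, and uses constructed sample configurations.

```python
# Audit a Docker daemon's listen configuration for the exposure ShadowV2 preys
# on: the Engine API bound to a network interface without TLS client checks.
# Inputs are daemon.json contents and the dockerd command line (either may be empty).
import json
import shlex
from urllib.parse import urlsplit

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def load_settings(daemon_json: str, cmdline: str) -> dict:
    """Merge listen endpoints and TLS flags from daemon.json and dockerd flags."""
    cfg = json.loads(daemon_json) if daemon_json.strip() else {}
    hosts = list(cfg.get("hosts", []))
    tls, tlsverify = bool(cfg.get("tls")), bool(cfg.get("tlsverify"))
    args = shlex.split(cmdline)
    for i, arg in enumerate(args):
        if arg in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
        elif arg.startswith("--host="):
            hosts.append(arg.split("=", 1)[1])
        elif arg == "--tls":
            tls = True
        elif arg == "--tlsverify":  # implies TLS as well
            tls = tlsverify = True
    return {"hosts": hosts, "tls": tls, "tlsverify": tlsverify}

def audit(daemon_json: str, cmdline: str) -> list[tuple[str, str]]:
    """Return (severity, message) per TCP listener; unix:// and fd:// are local-only."""
    s, out = load_settings(daemon_json, cmdline), []
    for h in s["hosts"]:
        u = urlsplit(h)
        if u.scheme != "tcp":
            continue
        host = u.hostname or "0.0.0.0"  # "tcp://:2375" binds all interfaces
        if host in LOOPBACK:
            out.append(("low", f"{h}: loopback only, but still unauthenticated"))
        elif s["tlsverify"]:
            out.append(("info", f"{h}: TLS with client-certificate verification"))
        elif s["tls"]:
            out.append(("high", f"{h}: TLS but no client verification; any peer can drive the daemon"))
        else:
            out.append(("critical", f"{h}: plaintext, unauthenticated API open to the network"))
    return out

EXPOSED = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'  # constructed
HARDENED = '{"hosts": ["tcp://0.0.0.0:2376"], "tlsverify": true, "tlscacert": "/etc/docker/ca.pem"}'  # constructed

if __name__ == "__main__":
    for sev, msg in audit(EXPOSED, "") + audit(HARDENED, ""):
        print(f"{sev.upper()}: {msg}")
```

The same logic can be pointed at the `dockerd` process arguments from `ps` on an EC2 instance; a "critical" finding on a host whose security group also admits 2375/tcp from the internet is exactly the condition the scanning stage described above looks for.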
WIKICROOK
- Botnet: A botnet is a network of infected devices remotely controlled by cybercriminals, often used to launch large-scale attacks or steal sensitive data.
- Docker Container: A Docker container is a lightweight, portable package that contains everything needed to run an application, ensuring consistency across environments.
- DDoS (Distributed Denial of Service): A DDoS attack overwhelms an online service with traffic from many sources, making it slow or unavailable to real users.
- Command: A command is an instruction sent to a device or software, often by a C2 server, directing it to perform specific actions, sometimes for malicious purposes.
- Cloudflare: Cloudflare is a service that protects and speeds up websites by hiding their real location and blocking attacks, but can also mask harmful sites.