ShadowV2 Botnet Exploits Misconfigured AWS Docker Containers for DDoS-for-Hire Service

Cybersecurity researchers have uncovered a new botnet, ShadowV2, which is being offered as a service for conducting distributed denial-of-service (DDoS) attacks. This botnet primarily targets misconfigured Docker containers on Amazon Web Services (AWS) cloud servers, deploying Go-based malware to transform compromised systems into attack nodes within a larger DDoS network. Darktrace, a cybersecurity firm, detected this malware targeting its honeypots on June 24, 2025.

At the core of this campaign is a Python-based command-and-control (C2) framework hosted on GitHub Codespaces. The attackers employ sophisticated methods, including HTTP/2 Rapid Reset attacks, bypassing Cloudflare’s Under Attack Mode, and executing large-scale HTTP floods. These techniques demonstrate the threat actors’ capability to combine various DDoS strategies with targeted exploitation.

The attack chain begins with a Python-based spreader module that breaches misconfigured Docker daemons, particularly those running on AWS EC2 instances. Once access is gained, a Go-based remote access trojan (RAT) is deployed, enabling command execution and communication with the operators via HTTP. The researchers describe ShadowV2 as an advanced attack platform.
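The misconfiguration the spreader relies on is a Docker daemon API reachable over TCP without client authentication. The following audit script is an added example (not code from the Darktrace report or from ShadowV2) that reads the two places where dockerd listeners are defined, the `hosts` key of `/etc/docker/daemon.json` and the `-H`/`--host` flags on the systemd `ExecStart` line, and flags any TCP listener that is not protected by `tlsverify`. The sample configurations embedded in it are constructed for illustration.

```python
"""Audit a Docker daemon's listener configuration for unauthenticated remote API exposure.

Added example, not code from the Darktrace report or from ShadowV2. Sample inputs are
constructed; the option names (hosts, tls, tlsverify, -H/--host) are real dockerd options.
"""
import json
import re
import shlex
from urllib.parse import urlparse

# Bind addresses that expose the listener on every interface.
ALL_INTERFACES = {"", "0.0.0.0", "::"}


def hosts_from_execstart(execstart: str) -> list[str]:
    """Collect listener URIs given as -H <uri>, -H=<uri>, --host <uri> or --host=<uri>."""
    argv = shlex.split(execstart)
    hosts, i = [], 0
    while i < len(argv):
        arg = argv[i]
        if arg in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])
            i += 2
            continue
        m = re.match(r"^(?:-H|--host)=(.+)$", arg)
        if m:
            hosts.append(m.group(1))
        i += 1
    return hosts


def audit_docker_daemon(daemon_json: str, execstart: str = "") -> list[dict]:
    """Return one finding per TCP listener that is remotely reachable without client auth."""
    cfg = json.loads(daemon_json) if daemon_json.strip() else {}
    argv = shlex.split(execstart)
    hosts = list(cfg.get("hosts", [])) + hosts_from_execstart(execstart)
    tls = bool(cfg.get("tls")) or "--tls" in argv or "--tls=true" in argv
    tlsverify = bool(cfg.get("tlsverify")) or "--tlsverify" in argv or "--tlsverify=true" in argv
    findings = []
    for host in hosts:
        url = urlparse(host)
        if url.scheme != "tcp":
            continue  # unix:// and fd:// sockets are local-only
        bind = url.hostname or ""
        where = "all interfaces" if bind in ALL_INTERFACES else bind
        if tlsverify:
            if bind in ALL_INTERFACES:
                findings.append({"severity": "medium", "listener": host,
                                 "reason": "client certificates are required, but the API is bound on "
                                           "all interfaces; restrict the bind address or firewall it"})
        elif tls:
            findings.append({"severity": "critical", "listener": host,
                             "reason": f"TLS is on but tlsverify is not, so any client that reaches "
                                       f"{where} can drive the daemon"})
        else:
            findings.append({"severity": "critical", "listener": host,
                             "reason": f"plaintext, unauthenticated Docker API on {where}; anyone who "
                                       f"can reach it can start root-equivalent containers"})
    return findings


# Constructed sample configurations: the classic exposed setup and a hardened one.
EXPOSED_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})
EXPOSED_EXECSTART = "/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375 --containerd=/run/containerd/containerd.sock"

if __name__ == "__main__":
    for label, cfg, cmd in [("exposed daemon.json", EXPOSED_DAEMON_JSON, ""),
                            ("hardened daemon.json", HARDENED_DAEMON_JSON, ""),
                            ("exposed ExecStart", "", EXPOSED_EXECSTART)]:
        print(label, audit_docker_daemon(cfg, cmd))
```

dockerd refuses to start when `hosts` is set both in `daemon.json` and as a flag, so on a real host only one of the two inputs will be populated; the audit accepts both so it can be pointed at either. A clean result still says nothing about who can reach the socket through `docker.sock` mounts or a reverse proxy, which is a separate check.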

Unlike typical campaigns that drop custom images or use existing ones from Docker Hub, ShadowV2 initiates a generic setup container from an Ubuntu image, installing various tools within it. An image of this configured container is then built and deployed as a live container. This method may be an attempt to avoid leaving forensic artifacts on the victim’s machine.
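Because no pre-built malicious image is pulled, image-name blocklists miss this pattern, but the daemon's own event stream still records each step. The detector below is an added example (not Darktrace's or ShadowV2's code) that watches for a container created from a bare distro image, modified through `exec` with a package installer, committed to a new local image, and then relaunched from that image. The input lines follow the JSON shape of `docker events --format '{{json .}}'`; the sample lines are constructed, and the assumption that the image is produced with a commit on the same daemon (one way of "building an image of a configured container"), together with the `imageID`/`imageRef` attribute names on the commit event, is mine rather than something the report states.

```python
"""Flag the 'bare base container -> tools installed -> committed -> relaunched' pattern
in a Docker event stream.

Added example, not code from the Darktrace report or from ShadowV2. Input lines follow
the JSON shape of `docker events --format '{{json .}}'`; the sample lines are constructed,
and the commit attribute names (imageID, imageRef) are an assumption about what the daemon emits.
"""
import json
import re

# Bare distro images commonly used as throwaway "setup" containers.
GENERIC_BASE = re.compile(r"^(docker\.io/)?(library/)?(ubuntu|debian|alpine)(:[\w.-]+)?$")
# Commands that turn a bare base image into a tooled one.
INSTALLER = re.compile(r"\b(apt(-get)?\s+install|apk\s+add|pip3?\s+install|curl\s|wget\s)")


def detect_commit_chain(event_lines):
    """Return alerts for generic-base containers that are committed and, optionally, relaunched."""
    containers = {}   # container id -> observed state
    committed = {}    # image id or ref produced by a commit -> source container id
    alerts = []
    for line in event_lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("Type") != "container":
            continue
        action = ev.get("Action", "")
        actor = ev.get("Actor", {})
        cid = actor.get("ID", "")
        attrs = actor.get("Attributes", {})

        if action == "create":
            image = attrs.get("image", "")
            containers[cid] = {"image": image,
                               "generic_base": bool(GENERIC_BASE.match(image)),
                               "install_cmds": []}
            if image in committed:  # a container started from an image built on this host
                src = committed[image]
                alerts.append({
                    "stage": "relaunch", "severity": "high",
                    "container": cid, "image": image, "source_container": src,
                    "detail": f"launched from image committed locally from {src} "
                              f"(base {containers[src]['image']})",
                })
        elif action.startswith("exec_create:"):
            # dockerd puts the exec'd command text after "exec_create:".
            cmd = action.split(":", 1)[1].strip()
            if cid in containers and INSTALLER.search(cmd):
                containers[cid]["install_cmds"].append(cmd)
        elif action == "commit":
            st = containers.get(cid)
            if st is None:
                continue
            for key in ("imageID", "imageRef"):
                if attrs.get(key):
                    committed[attrs[key]] = cid
            if st["generic_base"]:
                alerts.append({
                    "stage": "commit",
                    "severity": "high" if st["install_cmds"] else "medium",
                    "container": cid, "image": st["image"],
                    "install_cmds": list(st["install_cmds"]),
                    "detail": "generic base container committed to a new local image",
                })
    return alerts


# Constructed sample event stream: one setup/commit/relaunch chain plus a benign nginx start.
SAMPLE_EVENTS = [
    '{"Type":"container","Action":"create","Actor":{"ID":"a1b2c3","Attributes":{"image":"ubuntu:22.04","name":"setup"}}}',
    '{"Type":"container","Action":"start","Actor":{"ID":"a1b2c3","Attributes":{"image":"ubuntu:22.04","name":"setup"}}}',
    '{"Type":"container","Action":"exec_create: /bin/sh -c apt-get update && apt-get install -y python3 curl",'
    '"Actor":{"ID":"a1b2c3","Attributes":{"image":"ubuntu:22.04","name":"setup"}}}',
    '{"Type":"container","Action":"commit","Actor":{"ID":"a1b2c3","Attributes":{"image":"ubuntu:22.04","name":"setup",'
    '"imageID":"sha256:0000constructed","imageRef":""}}}',
    '{"Type":"container","Action":"create","Actor":{"ID":"d4e5f6","Attributes":{"image":"sha256:0000constructed","name":"worker"}}}',
    '{"Type":"container","Action":"create","Actor":{"ID":"777777","Attributes":{"image":"nginx:1.25","name":"web"}}}',
]

if __name__ == "__main__":
    for alert in detect_commit_chain(SAMPLE_EVENTS):
        print(alert)
```

Keyed on container ID rather than image name, the detector survives the absence of any known-bad image, and the two-stage output (commit, then relaunch) lets a responder pull the committed image for analysis even if the original setup container was already removed. The same chain could also be assembled from the build API instead of a commit; that variant would need the `image` events added to the state machine.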

The deployed container executes a Go-based ELF binary, which communicates with a C2 server (shadow.aurozacloud[.]xyz). It periodically sends heartbeat messages and polls the server for new commands. The malware includes features to conduct HTTP/2 Rapid Reset attacks and bypass Cloudflare’s Under Attack Mode by using the ChromeDP tool to solve JavaScript challenges and obtain clearance cookies for subsequent requests. However, this bypass is unlikely to succeed, as these challenges are designed to block headless browser traffic.

Analysis of the C2 infrastructure reveals that the server is hosted behind Cloudflare to conceal its true origin. It utilizes FastAPI and Pydantic, supporting a login panel and operator interface, indicating that the tool is being developed as a DDoS-for-Hire service. The API endpoints allow operators to manage users, configure attack types, specify attack launch points, and exclude certain sites from being targeted.

By leveraging containerization, an extensive API, and a comprehensive user interface, this campaign exemplifies the continued development of cybercrime-as-a-service. The modular functionality delivered through a Go-based RAT and the structured API for operator interaction highlight the sophistication of these threat actors.