ShadowV2 Botnet Exploits Misconfigured AWS Docker Containers for DDoS-for-Hire Service

The Hacker News by The Hacker News
September 23, 2025
Cybersecurity researchers have disclosed details of a new botnet that customers can rent access to conduct distributed denial-of-service (DDoS) attacks against targets of interest.

The ShadowV2 botnet, according to Darktrace, predominantly targets misconfigured Docker containers on Amazon Web Services (AWS) cloud servers to deploy a Go-based malware that turns infected systems into attack nodes and co-opts them into a larger DDoS botnet. The cybersecurity company said it detected the malware targeting its honeypots on June 24, 2025.

“At the center of this campaign is a Python-based command-and-control (C2) framework hosted on GitHub Codespaces,” security researcher Nathaniel Bill said in a report shared with The Hacker News.

“What sets this campaign apart is the sophistication of its attack toolkit. The threat actors employ advanced methods such as HTTP/2 Rapid Reset, a Cloudflare under attack mode (UAM) bypass, and large-scale HTTP floods, demonstrating a capability to combine distributed denial-of-service (DDoS) techniques with targeted exploitation.”

The activity is notable for incorporating a Python-based spreader module to breach Docker daemons, mainly those running on AWS EC2, while the Go-based remote access trojan (RAT) enables command execution and communication with its operators using the HTTP protocol. ShadowV2 has been described by the authors as an “advanced attack platform.”

Campaigns targeting exposed Docker instances typically use the access either to drop a custom image or to pull an existing image from Docker Hub and deploy the necessary payloads. ShadowV2, however, takes a slightly different approach: it first spawns a generic setup container from an Ubuntu image and installs various tools inside it.

An image of the created container is then built and deployed as a live container. It’s currently not known why this method was chosen by the attackers, although Darktrace said it’s possible that they are trying to avoid leaving any forensic artifacts by carrying it out directly on the victim machine.
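The entry vector described above is an exposed Docker daemon, which in practice usually means the Docker API listening on a TCP socket without client-certificate verification. The following audit helper is an added example, not code from the article or from Darktrace: it reads the two places the daemon's listen addresses are normally configured (the `hosts` key of `/etc/docker/daemon.json` and `-H`/`--host` flags on the `dockerd` command line) and reports any TCP listener that is not loopback-only or not protected by `tlsverify`. The sample configurations embedded at the bottom are constructed for the example.

```python
import json
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlparse


@dataclass
class DockerExposureFinding:
    host: str       # listener as configured, e.g. tcp://0.0.0.0:2375
    severity: str   # "critical" or "medium"
    reason: str


def _collect_hosts(daemon_json: Optional[str],
                   dockerd_cmdline: Optional[str]) -> Tuple[List[str], bool]:
    """Return (listener list, tlsverify enabled) from daemon.json and/or argv."""
    hosts: List[str] = []
    tlsverify = False
    if daemon_json:
        cfg = json.loads(daemon_json)
        hosts.extend(cfg.get("hosts", []))
        tlsverify = bool(cfg.get("tlsverify", False))
    if dockerd_cmdline:
        argv = shlex.split(dockerd_cmdline)
        i = 0
        while i < len(argv):
            arg = argv[i]
            if arg in ("-H", "--host") and i + 1 < len(argv):
                hosts.append(argv[i + 1])
                i += 2
                continue
            if arg.startswith("--host=") or arg.startswith("-H="):
                hosts.append(arg.split("=", 1)[1])
            elif arg in ("--tlsverify", "--tlsverify=true"):
                tlsverify = True
            i += 1
    return hosts, tlsverify


def audit_docker_exposure(daemon_json: Optional[str] = None,
                          dockerd_cmdline: Optional[str] = None
                          ) -> List[DockerExposureFinding]:
    """Flag Docker API listeners reachable from the network.

    A TCP listener without tlsverify is critical: anyone who can reach the
    port can create and run containers as root on the host.  A TCP listener
    with tlsverify on all interfaces is still worth a look, because the
    port should additionally be restricted at the firewall / security group.
    """
    hosts, tlsverify = _collect_hosts(daemon_json, dockerd_cmdline)
    findings: List[DockerExposureFinding] = []
    for h in hosts:
        if not h.startswith("tcp://"):
            continue  # unix:// and fd:// sockets are local-only
        addr = urlparse(h).hostname or ""
        if addr in ("127.0.0.1", "::1", "localhost"):
            continue  # loopback-only listener
        wildcard = addr in ("", "0.0.0.0", "::")
        if not tlsverify:
            findings.append(DockerExposureFinding(
                h, "critical",
                "Docker API on TCP without client certificate verification"))
        elif wildcard:
            findings.append(DockerExposureFinding(
                h, "medium",
                "TLS-protected Docker API bound to all interfaces; "
                "confirm network-level restriction"))
    return findings


# Constructed sample configurations (not from the article).
INSECURE_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})
INSECURE_CMDLINE = "dockerd -H unix:// -H tcp://0.0.0.0:2375"

if __name__ == "__main__":
    for label, findings in (
        ("insecure daemon.json", audit_docker_exposure(INSECURE_DAEMON_JSON)),
        ("hardened daemon.json", audit_docker_exposure(HARDENED_DAEMON_JSON)),
        ("insecure cmdline", audit_docker_exposure(None, INSECURE_CMDLINE)),
    ):
        print(label, [(f.host, f.severity) for f in findings])
```

On a real host the two inputs are the contents of `/etc/docker/daemon.json` and the output of `ps -o args= -C dockerd`; the example only treats `tlsverify` and the listen address, so it does not replace a full CIS-style review of the daemon configuration.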

The container paves the way for the execution of a Go-based ELF binary, which establishes communication with a C2 server (“shadow.aurozacloud[.]xyz”) to periodically send a heartbeat message to the operators as well as poll an endpoint on the server for new commands.

It also incorporates features to conduct HTTP/2 Rapid Reset attacks as opposed to a traditional HTTP flood, and to sidestep Cloudflare’s Under Attack mode by using the ChromeDP tool to solve the JavaScript challenge presented to users and obtain the clearance cookie for use in subsequent requests. That said, the bypass is unlikely to work, given that these challenges are explicitly designed to block headless browser traffic.

Further analysis of C2 infrastructure has found that the server is hosted behind Cloudflare to conceal its true origins. It also makes use of FastAPI and Pydantic, and supports a login panel and operator interface, indicating that the tool is being developed with the idea of offering a “DDoS-for-Hire” service.

The API endpoints allow operators to add, update, or delete users, configure the type of attacks those users can execute, provide a list of endpoints from which the attack has to be launched, and exclude a list of sites from being targeted.

“By leveraging containerization, an extensive API, and with a full user interface, this campaign shows the continued development of cybercrime-as-a-service,” Bill said. “The ability to deliver modular functionality through a Go-based RAT and expose a structured API for operator interaction highlights how sophisticated some threat actors are.”

The disclosure comes as F5 Labs said it detected a web scanning botnet that uses Mozilla-related browser user agents to target internet-exposed systems for known security flaws. So far, the botnet is said to have used 11,690 different Mozilla User-Agent strings for its scans.

It also comes as Cloudflare said it autonomously blocked hyper-volumetric DDoS attacks that peaked at 22.2 terabits per second (Tbps) and 10.6 billion packets per second (Bpps), according to a post shared on X today. The DDoS attack, the largest ever recorded to date, lasted only 40 seconds.

Earlier this month, the web infrastructure company revealed it had mitigated a record-setting volumetric distributed denial-of-service (DDoS) attack that peaked at 11.5 terabits per second (Tbps) and lasted only about 35 seconds.

Chinese security firm QiAnXin XLab, in a technical report last week, said the botnet known as AISURU is responsible for the attack. A variant of AIRASHI, it has infected nearly 300,000 devices, most of which are routers and security cameras. The botnet, per the company, is managed by three individuals – Snow, Tom, and Forky – who take care of development, vulnerability integration, and sales, respectively.

Recent iterations of the malware include a modified RC4 algorithm to decrypt source code strings, speed tests to find the lowest-latency server, and checks on compromised devices for the presence of network utilities like tcpdump and Wireshark, as well as virtualization frameworks like VMware, QEMU, VirtualBox, and KVM.

“The AISURU botnet has launched attacks worldwide, spanning multiple industries,” XLab noted. “Its primary targets have been located in regions such as China, the United States, Germany, the United Kingdom, and Hong Kong. The new samples support not only DDoS attacks but also Proxy functionality. As global law enforcement increases pressure on cybercrime, demand for anonymization services is rising.”