
"Cybersecurity researchers have disclosed details of a new botnet that customers can rent access to conduct distributed denial-of-service (DDoS) attacks against targets of interest. The ShadowV2 botnet, according to Darktrace, predominantly targets misconfigured Docker containers on Amazon Web Services (AWS) cloud servers to deploy a Go-based malware that turns infected systems into attack nodes and co-opts them into a larger DDoS botnet. The cybersecurity company said it detected the malware targeting its honeypots on June 24, 2025."
""At the center of this campaign is a Python-based command-and-control (C2) framework hosted on GitHub Codespaces," security researcher Nathaniel Bill said in a report shared with The Hacker News. "What sets this campaign apart is the sophistication of its attack toolkit. The threat actors employ advanced methods such as HTTP/2 Rapid Reset, a Cloudflare under attack mode (UAM) bypass, and large-scale HTTP floods, demonstrating a capability to combine distributed denial-of-service (DDoS) techniques with targeted exploitation.""
ShadowV2 targets misconfigured Docker containers on AWS cloud servers to deploy Go-based malware that converts infected systems into DDoS attack nodes; Darktrace detected it hitting its honeypots on June 24, 2025. The campaign pairs a Python-based command-and-control framework hosted on GitHub Codespaces with a Python spreader module that compromises misconfigured Docker daemons, primarily on AWS EC2. A Go-based remote access trojan provides command execution and operator communication over HTTP. Attack techniques include HTTP/2 Rapid Reset, a Cloudflare UAM bypass, and large-scale HTTP floods. The infection flow spawns an Ubuntu setup container, installs tooling inside it, builds an image from the result, and deploys that image as a live container.
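As an added example (not code from the article, from Darktrace, or from the botnet), the Python below shows the two checks a defender would want against the flow just described: an audit of a parsed daemon.json for the unauthenticated TCP listener that lets a remote spreader talk to the Docker API at all, and a scan of docker-events-style records for the chain "stock base image container, package install via exec, commit to a local image, new container started from that image". The event shape and the commit-event attribute names (imageID, imageRef) are assumptions modelled on `docker events --format '{{json .}}'` output, and every sample record and config is constructed for illustration.

```python
"""Audit Docker daemon exposure and spot a setup-container -> committed-image -> live-container
chain.  Added example for this page; not Darktrace's or ShadowV2's code.

Assumptions (not from the article): daemon settings come from a parsed daemon.json; events are
dicts shaped like `docker events --format '{{json .}}'` output (Type, Action, Actor.ID,
Actor.Attributes).  The commit-event attribute names imageID/imageRef and all sample data are
constructed for illustration; verify them against your daemon version before relying on them.
"""
from __future__ import annotations

BASE_IMAGES = ("ubuntu", "debian", "alpine")
INSTALL_MARKERS = ("apt-get install", "apt install", "apk add", "pip install", "pip3 install")


def audit_daemon_config(cfg: dict) -> list[str]:
    """Findings for a parsed daemon.json.  A tcp:// listener without tlsverify means anyone who
    can reach the port can create privileged containers, i.e. has root on the host.  Listeners
    may also be set by -H flags in the systemd unit; check those separately."""
    findings = []
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue
        if not cfg.get("tlsverify", False):
            findings.append(f"{host}: TCP listener without tlsverify (unauthenticated API)")
        if "0.0.0.0" in host or "[::]" in host:
            findings.append(f"{host}: bound to all interfaces")
    return findings


def detect_build_chain(events: list[dict]) -> list[dict]:
    """Flag: container created from a stock base image, a package install via exec_create,
    a commit into a local image, then a new container created from that committed image."""
    staged: dict[str, dict] = {}    # setup container ID -> observed stages
    committed: dict[str, str] = {}  # committed image ID or ref -> setup container ID
    findings = []
    for ev in events:
        if ev.get("Type") != "container":
            continue
        action = ev.get("Action", "")
        actor = ev.get("Actor", {})
        cid, attrs = actor.get("ID", ""), actor.get("Attributes", {})
        if action == "create":
            image = attrs.get("image", "")
            # "docker.io/library/ubuntu:22.04" -> "ubuntu"
            if image.split(":")[0].split("/")[-1] in BASE_IMAGES:
                staged[cid] = {"image": image, "installed": False, "committed": False}
            elif image in committed:
                src = committed[image]
                findings.append({
                    "setup_container": src,
                    "base_image": staged[src]["image"],
                    "tools_installed": staged[src]["installed"],
                    "built_image": image,
                    "live_container": cid,
                })
        elif action.startswith("exec_create:") and cid in staged:
            cmd = action.split(":", 1)[1].strip()
            if any(marker in cmd for marker in INSTALL_MARKERS):
                staged[cid]["installed"] = True
        elif action == "commit" and cid in staged:
            staged[cid]["committed"] = True
            for key in ("imageID", "imageRef"):   # assumed attribute names
                if attrs.get(key):
                    committed[attrs[key]] = cid
    return findings


# Constructed sample events modelled on the flow in the summary; not captured data.
SAMPLE_EVENTS = [
    {"Type": "container", "Action": "create",
     "Actor": {"ID": "c1", "Attributes": {"image": "ubuntu:22.04", "name": "setup"}}},
    {"Type": "container", "Action": "start", "Actor": {"ID": "c1", "Attributes": {}}},
    {"Type": "container",
     "Action": "exec_create: /bin/sh -c apt-get update && apt-get install -y curl python3",
     "Actor": {"ID": "c1", "Attributes": {}}},
    {"Type": "container", "Action": "commit",
     "Actor": {"ID": "c1", "Attributes": {"imageID": "sha256:aaaa", "imageRef": "localimg:latest"}}},
    {"Type": "container", "Action": "create",
     "Actor": {"ID": "c2", "Attributes": {"image": "localimg:latest", "name": "worker"}}},
    {"Type": "container", "Action": "create",   # benign: pulled image, no chain
     "Actor": {"ID": "c3", "Attributes": {"image": "nginx:1.27", "name": "web"}}},
]

# Constructed daemon.json contents: the weak setting beside a hardened one.
WEAK_DAEMON_JSON = {"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}
HARDENED_DAEMON_JSON = {
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tls": True, "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem", "tlscert": "/etc/docker/server.pem",
    "tlskey": "/etc/docker/server-key.pem",
}

if __name__ == "__main__":
    for finding in audit_daemon_config(WEAK_DAEMON_JSON):
        print("config:", finding)
    for finding in detect_build_chain(SAMPLE_EVENTS):
        print("chain :", finding)
```

The chain detector is deliberately stateful per setup container rather than keyed on the remote caller, because Docker events do not record who issued the API call; pair it with daemon debug logging or a reverse proxy log if you need the source address.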
Read at The Hacker News