Cybersecurity researchers revealed details of a new botnet that customers can rent in order to launch distributed denial-of-service (DDoS) attacks against chosen targets.
According to Darktrace, the ShadowV2 botnet primarily attacks misconfigured Docker containers on Amazon Web Services (AWS) cloud servers. It deploys a Go-based malware, turns infected systems into attack nodes, and integrates them into a larger DDoS botnet. The cybersecurity company first detected the malware targeting its honeypots on June 24, 2025.
“At the center of this campaign is a Python-based command-and-control (C2) framework hosted on GitHub Codespaces,” security researcher Nathaniel Bill said in a report shared with The Hacker News.
“What sets this campaign apart is the sophistication of its attack toolkit. The threat actors employ advanced methods such as HTTP/2 Rapid Reset, a Cloudflare under attack mode (UAM) bypass, and large-scale HTTP floods, demonstrating a capability to combine distributed denial-of-service (DDoS) techniques with targeted exploitation.”
This activity stands out because the attackers integrated a Python-based spreader module to breach exposed Docker daemons, mainly on AWS EC2. Meanwhile, the Go-based remote access trojan (RAT) executes commands and communicates with operators over HTTP. The authors describe ShadowV2 as an “advanced attack platform.”
Typically, campaigns that target exposed Docker instances either drop a custom image or use an existing Docker Hub image to deploy their payloads. However, ShadowV2 takes a different path by first spawning a generic setup container from an Ubuntu image and installing various tools inside it.
The attackers then build an image of that container and deploy it as a live instance. Darktrace suggested they might choose this method to avoid leaving forensic artifacts, although the exact reason remains unclear.
Next, the container runs a Go-based ELF binary that communicates with a C2 server (“shadow.aurozacloud[.]xyz”). It sends periodic heartbeat messages to the operators and polls the server endpoint for new commands.
The malware also carries features to conduct HTTP/2 Rapid Reset attacks instead of a traditional HTTP flood. In addition, it attempts to bypass Cloudflare’s Under Attack mode by using the ChromeDP tool to solve the JavaScript challenge and retrieve a clearance cookie for future requests. However, this bypass likely fails since the challenges specifically block headless browser traffic.
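HTTP/2 Rapid Reset is recognisable on the server side by streams that are opened with HEADERS and cancelled with RST_STREAM milliseconds later, at a rate no normal client produces. The following detector, an added example written for this article (not code from Darktrace or the ShadowV2 report), scores per-connection frame events from a constructed log; the frame format, thresholds and connection IDs are assumptions for the illustration.

```python
from collections import defaultdict

# Constructed sample frame log (not from the report): (conn_id, ts, frame, stream_id).
# Connection "c1" opens 200 streams and cancels each one half a millisecond later
# (Rapid Reset pattern); "c2" is an ordinary client that lets its streams complete
# and cancels a single stream a quarter of a second after opening it.
SAMPLE_FRAMES = (
    [("c1", 0.001 * i, "HEADERS", 2 * i + 1) for i in range(200)]
    + [("c1", 0.001 * i + 0.0005, "RST_STREAM", 2 * i + 1) for i in range(200)]
    + [("c2", 0.1 * i, "HEADERS", 2 * i + 1) for i in range(5)]
    + [("c2", 0.1 * i + 0.05, "DATA", 2 * i + 1) for i in range(5)]
    + [("c2", 0.35, "RST_STREAM", 3)]
)


def analyze(frames, reset_gap=0.01, min_rate=50.0, min_ratio=0.5):
    """Flag connections whose streams are reset within `reset_gap` seconds of
    being opened, at `min_rate` resets/second or more, and for at least
    `min_ratio` of all opened streams. Returns {conn_id: stats dict}."""
    opened_at = {}  # (conn, stream) -> HEADERS timestamp
    stats = defaultdict(lambda: {"opened": 0, "rapid_resets": 0, "first": None, "last": None})
    for conn, ts, frame, stream in sorted(frames, key=lambda f: f[1]):
        s = stats[conn]
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
        if frame == "HEADERS":
            opened_at[(conn, stream)] = ts
            s["opened"] += 1
        elif frame == "RST_STREAM":
            t0 = opened_at.pop((conn, stream), None)
            # Only a reset that arrives right after the open counts as "rapid".
            if t0 is not None and ts - t0 <= reset_gap:
                s["rapid_resets"] += 1
    result = {}
    for conn, s in stats.items():
        span = max(s["last"] - s["first"], 1e-3)  # avoid division by zero
        rate = s["rapid_resets"] / span
        ratio = s["rapid_resets"] / s["opened"] if s["opened"] else 0.0
        result[conn] = {
            "opened": s["opened"],
            "rapid_resets": s["rapid_resets"],
            "rate": round(rate, 1),
            "flagged": rate >= min_rate and ratio >= min_ratio,
        }
    return result
```

A real deployment would feed this from the HTTP/2 frame-level logging of the reverse proxy and pair it with the per-connection concurrent-stream limits that vendors shipped as the Rapid Reset mitigation.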
Further analysis of the C2 infrastructure revealed that the server hides behind Cloudflare to mask its real location. It also relies on FastAPI and Pydantic, and it includes both a login panel and an operator interface. These elements suggest that the developers intend to market the tool as a “DDoS-for-Hire” service.
The API endpoints give operators the ability to add, update, or delete users, configure attack types, define the list of endpoints for launching attacks, and exclude certain sites from targeting.
“By leveraging containerization, an extensive API, and with a full user interface, this campaign shows the continued development of cybercrime-as-a-service,” Bill said. “The ability to deliver modular functionality through a Go-based RAT and expose a structured API for operator interaction highlights how sophisticated some threat actors are.”
Meanwhile, F5 Labs disclosed the detection of a web scanning botnet that relies on Mozilla-related browser user agents to probe internet-exposed systems for known vulnerabilities. So far, researchers have observed the botnet using 11,690 different Mozilla User-Agent strings during its scans.
Cloudflare announced that it autonomously blocked hyper-volumetric DDoS attacks peaking at 22.2 terabits per second (Tbps) and 10.6 billion packets per second (Bpps), according to a post shared on X. The attacks, which became the largest ever recorded, lasted only 40 seconds.
Earlier this month, the web infrastructure company revealed that it mitigated another record-setting volumetric distributed denial-of-service (DDoS) attack. That incident peaked at 11.5 terabits per second (Tbps) and lasted about 35 seconds.
Meanwhile, Chinese security firm QiAnXin XLab linked the attacks to the AISURU botnet in a technical report. The researchers identified AISURU as a variant of AIRASHI that infected nearly 300,000 devices, mainly routers and security cameras. According to the company, three individuals manage the botnet: Snow handles development, Tom oversees vulnerability integration, and Forky manages sales.
Recent versions of the malware introduced several upgrades. They use a modified RC4 algorithm to decrypt source code strings, perform speed tests to locate the lowest-latency server, and inspect compromised devices for tools such as tcpdump and Wireshark. The malware also checks for virtualization frameworks like VMware, QEMU, VirtualBox, and KVM.
“The AISURU botnet has launched attacks worldwide, spanning multiple industries,” XLab noted. “Its primary targets have been located in regions such as China, the United States, Germany, the United Kingdom, and Hong Kong. The new samples support not only DDoS attacks but also Proxy functionality. As global law enforcement increases pressure on cybercrime, demand for anonymization services is rising.”
Source: TheHackerNews