An emerging DDoS for hire botnet

Sept. 25, 2025, 2:58 p.m.

Description

Darktrace uncovered a sophisticated cybercrime-as-a-service campaign that uses Python- and Go-based malware, Docker containerization, and a full operator UI. The attack combines DDoS techniques with targeted exploitation, featuring HTTP/2 rapid reset, Cloudflare UAM bypass, and large-scale HTTP floods. The infrastructure resembles a DDoS-as-a-service platform, mirroring legitimate cloud-native applications in design and usability. Initial access is gained through exposed Docker daemons on AWS EC2, followed by a multi-stage deployment process. The malware uses a Go-based RAT with RESTful command-and-control communication and includes advanced evasion techniques. The campaign highlights the need for defenders to monitor cloud workloads, container orchestration, and API activity to counter evolving threats.

Date

  • Created: Sept. 25, 2025, 9:20 a.m.
  • Published: Sept. 25, 2025, 9:20 a.m.
  • Modified: Sept. 25, 2025, 2:58 p.m.

Attack Patterns