ShadowV2 Casts a Shadow Over IoT Devices

Nov. 27, 2025, 9:34 a.m.

Description

A new Mirai variant called ShadowV2 has been observed spreading through IoT vulnerabilities during a global AWS disruption. The malware targeted multiple countries and industries worldwide, exploiting vulnerabilities in devices from vendors like DD-WRT, D-Link, Digiever, TBK, and TP-Link. ShadowV2 is designed for IoT devices and uses a XOR-encoded configuration to connect to a C2 server for receiving DDoS attack commands. The malware supports various attack methods, including UDP floods, TCP-based floods, and HTTP-level floods. This incident highlights the ongoing vulnerability of IoT devices and the need for timely firmware updates, robust security practices, and continuous threat monitoring.

Date

  • Created: Nov. 27, 2025, 7:37 a.m.
  • Published: Nov. 27, 2025, 7:37 a.m.
  • Modified: Nov. 27, 2025, 9:34 a.m.

Indicators


Additional Information

  • Retail
  • Hospitality
  • Technology
  • Education
  • Telecommunications
  • Government
  • Manufacturing
  • Croatia
  • Bolivia, Plurinational State of
  • Greece
  • Austria
  • Egypt
  • South Africa
  • Chile
  • Belgium
  • Czechia
  • Australia
  • Taiwan
  • Saudi Arabia
  • China
  • Netherlands
  • Italy
  • Thailand
  • Canada
  • Japan
  • France
  • Morocco
  • Kazakhstan
  • Philippines
  • Mexico
  • United Kingdom of Great Britain and Northern Ireland
  • Brazil
  • United States of America
  • Russian Federation

Linked vulnerabilities