{"id":14841,"date":"2025-09-23T12:26:32","date_gmt":"2025-09-23T12:26:32","guid":{"rendered":"https:\/\/newestek.com\/?p=14841"},"modified":"2025-09-23T12:26:32","modified_gmt":"2025-09-23T12:26:32","slug":"shadowv2-turns-ddos-into-a-cloud-native-subscription-service","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=14841","title":{"rendered":"ShadowV2 turns DDoS into a cloud-native subscription service"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<section class=\"wp-block-bigbite-multi-title\">\n<div class=\"container\"><\/div>\n<\/section>\n<p>A novel ShadowV2 bot campaign is turning distributed denial-of-service (<a href=\"https:\/\/www.csoonline.com\/article\/571981\/ddos-attacks-definition-examples-and-techniques.html\">DDoS<\/a>) attacks into a full-blown for-hire business, blending old-school malware with cloud-native deployment.<\/p>\n<p>According to a Darktrace analysis shared with CSO ahead of its publication on Tuesday, the campaign exploits misconfigured Docker containers on AWS and weaponizes them for DDoS-as-a-service.<\/p>\n<p>What makes ShadowV2 stand out is its professionalized setup, which includes APIs, dashboards, operator logins, and even animated interfaces.<\/p>\n<p>\u201cThis is another reminder that cybercrime is no longer a side hustle, but an industry,\u201d said Shane Barney, CISO at Keeper Security. \u201cThreat actors are treating DDoS attacks like a business service, complete with APIs, dashboards, and user interfaces. 
This type of industrialization should be a wake-up call for defenders.\u201d<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>Exposed Docker becomes the doorway<\/h2>\n<p>Darktrace researchers found that ShadowV2 is entering through exposed Docker APIs on AWS EC2, turning cloud-native misconfigurations into a launchpad for DDoS. The attackers used the Python Docker SDK to talk to exposed Docker daemons.<\/p>\n<p>\u201cThis campaign targets exposed Docker daemons, specifically those running on AWS EC2,\u201d Darktrace researchers noted in a <a href=\"https:\/\/www.darktrace.com\/blog\/shadowv2-an-emerging-ddos-for-hire-botnet\" target=\"_blank\" rel=\"noreferrer noopener\">blog post<\/a>. \u201cDarktrace runs a number of honeypots across multiple cloud providers and has only observed attacks against honeypots running on AWS EC2. By default, Docker is not accessible to the internet; however, it can be configured to allow external access.\u201d<\/p>\n<p>Instead of relying on prebuilt malicious images, the attackers build containers on the victim\u2019s machine itself. The exact rationale for the approach is unclear, though Darktrace researchers suggest it may have been a way to reduce the forensic traces left by importing a <a href=\"https:\/\/www.csoonline.com\/article\/4033018\/ransomware-goes-cloud-native-to-target-your-backup-infrastructure.html\">malicious container<\/a>.<\/p>\n<p>Once inside, the malware deploys a Go-based RAT that establishes persistence by phoning home every second, polling its operators for commands, and spinning up massive HTTP flood attacks. 
Attackers were also seen using advanced capabilities like HTTP\/2 rapid reset and Cloudflare\u2019s \u201c<a href=\"https:\/\/developers.cloudflare.com\/fundamentals\/reference\/under-attack-mode\/\">under attack mode<\/a>\u201d bypass for maximum disruption.<\/p>\n<p>Kevin Lim, senior director and head of security engineering (APAC) at Black Duck, explained, \u201cDDoS-as-a-service lowers the barrier of entry for hackers and enables even low-skilled actors to launch large-scale attacks with minimal effort. Misconfigured Docker environments will always be a prime target.\u201d Organizations must harden Docker environments, enforce least privilege, and integrate security earlier in the CI\/CD pipeline, he added.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>From botnet to business platform<\/h2>\n<p>ShadowV2 is not just malware; it is a marketplace. Darktrace uncovered a full operator interface built with Tailwind and FastAPI, complete with Swagger documentation, admin and user privilege tiers, blacklists, and modular attack options. The design mirrors legitimate SaaS platforms, featuring dashboards and animations that make DDoS as easy as clicking \u2018start\u2019.<\/p>\n<p>Jason Soroko, senior fellow at Sectigo, sees this as part of a broader criminal trend. \u201cThis research points to a maturing criminal market where specialization beats sprawl. The presence of an API and full UI turns a botnet into a problem, which shifts detection from host indicators toward control plane behaviors,\u201d Soroko said.<\/p>\n<p>Rather than isolated campaigns, defenders now face products with roadmaps, feature upgrades, and customer support models, Soroko added. 
Darktrace researchers echoed Soroko\u2019s concerns, adding that countering ShadowV2 would need a layered approach, including deep visibility into containerized environments and behavioral analytics to flag anomalies in Docker APIs and container orchestration activity.<\/p>\n<p>Misconfigured containers remain a go-to target, as seen in the <a href=\"https:\/\/www.csoonline.com\/article\/4036655\/ecscape-new-aws-ecs-flaw-lets-containers-hijack-iam-roles-without-breaking-out.html\">ECScape flaw<\/a>, exposed <a href=\"https:\/\/www.csoonline.com\/article\/648756\/kubernetes-clusters-under-attack-in-hundreds-of-organizations.html\">Kubernetes APIs<\/a>, and the <a href=\"https:\/\/www.csoonline.com\/article\/646165\/worm-attack-silentblob-targets-multiple-cloud-technologies.html\">Silentbob<\/a> worm attack, all showing how small oversights can expose DevOps to large-scale attacks.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>A novel ShadowV2 bot campaign is turning distributed denial-of-service (DDoS) attacks into a full-blown for-hire business, blending old-school malware with cloud-native deployment. According to a Darktrace analysis shared with CSO ahead of its publication on Tuesday, the campaign exploits misconfigured Docker containers on AWS and weaponizes them for DDoS-as-a-service. 
What makes ShadowV2 stand out is its professionalized setup, which includes APIs, dashboards, operator logins, and&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=14841\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-14841","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/14841","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=14841"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/14841\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=14841"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=14841"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=14841"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}