During late October 2025, a new malware campaign dubbed ShadowV2 emerged, coinciding with a global AWS disruption.
This sophisticated threat actively exploits vulnerabilities in IoT devices to assemble a botnet for distributed denial-of-service (DDoS) attacks.
The malware’s rapid deployment indicates a coordinated effort to harness compromised hardware for large-scale disruptive activities.
The infection spread swiftly across seven industries, including technology, education, and retail, impacting organizations in the United States, Europe, and Asia.
Experts believe this surge was likely a “test run” designed to evaluate the botnet’s potential for causing widespread service interruptions.
The widespread nature of the campaign highlights the persistent risks associated with unsecured connected devices in enterprise environments.
Fortinet security analysts identified the malware leveraging older, unpatched security flaws in routers and DVRs from vendors like D-Link and TP-Link.
By targeting these known weaknesses, the attackers successfully compromised numerous devices that organizations had failed to update with the latest firmware patches.
The attack chain initiates when a vulnerable device is forced to download a script named binary.sh from a remote server at 81.88.18.108.
As seen in the figure above, this script detects the host's architecture (ARM, MIPS, or x86) and retrieves the matching malware payload so that it executes correctly on that device.
Vulnerabilities exploited by the campaign, as identified by Fortinet:
| Vendor | CVE ID | Vulnerability Details |
|---|---|---|
| DDWRT | CVE-2009-2765 | HTTP Daemon Arbitrary Command Execution |
| D-Link | CVE-2020-25506 | ShareCenter CGI Code Execution |
| D-Link | CVE-2022-37055 | Buffer Overflow in HNAP Main |
| D-Link | CVE-2024-10914 | Account Manager Command Injection |
| D-Link | CVE-2024-10915 | Account Manager Command Injection |
| DigiEver | CVE-2023-52163 | Time Setup CGI Command Injection |
| TBK | CVE-2024-3721 | DVR Command Injection |
| TP-Link | CVE-2024-53375 | Archer Devices Command Injection |
Technical Analysis of ShadowV2
ShadowV2 mirrors the architecture of the "LZRD" Mirai variant but employs distinct obfuscation techniques. Upon launch, it decrypts its configuration with a simple single-byte XOR cipher using the key 0x22. This hidden data includes file paths, such as /proc/, and deceptive User-Agent strings intended to mask malicious traffic as legitimate user activity.
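The single-byte XOR scheme described above is weak enough that an analyst can both recover the key from a known config string and search a sample for encoded markers without decrypting it first. The following decoder and detector is an added example written for this article, not Fortinet's analysis code or the malware's own; the NUL-separated config layout and the sample bytes are constructed assumptions.

```python
"""XOR-0x22 config decoder for Mirai-style samples (constructed example; not
Fortinet's or the malware's own code). Assumes, as the page states, that strings
are XORed with 0x22; NUL terminators between strings are an assumption."""
from typing import Dict, List

SHADOWV2_KEY = 0x22  # key reported on the page

def xor_bytes(data: bytes, key: int = SHADOWV2_KEY) -> bytes:
    """XOR every byte with a single-byte key; the operation is its own inverse."""
    return bytes(b ^ key for b in data)

def find_encoded_markers(blob: bytes, markers: List[bytes],
                         key: int = SHADOWV2_KEY) -> Dict[bytes, List[int]]:
    """Offsets where known plaintext markers occur XOR-encoded in blob. Encoding
    the marker with the key gives the raw pattern a YARA rule would match on."""
    hits: Dict[bytes, List[int]] = {}
    for marker in markers:
        pattern = xor_bytes(marker, key)
        offsets, start = [], 0
        while (idx := blob.find(pattern, start)) != -1:
            offsets.append(idx)
            start = idx + 1
        if offsets:
            hits[marker] = offsets
    return hits

def guess_single_byte_key(blob: bytes, known_plaintext: bytes) -> List[int]:
    """Candidate keys under which a known marker appears in blob; useful when a
    variant rotates the key away from 0x22."""
    return [k for k in range(256) if xor_bytes(known_plaintext, k) in blob]

def extract_strings(blob: bytes, key: int = SHADOWV2_KEY, min_len: int = 6) -> List[str]:
    """Decode blob and return printable ASCII runs of at least min_len bytes."""
    decoded, out, cur = xor_bytes(blob, key), [], bytearray()
    for b in decoded + b"\x00":  # trailing NUL flushes the last run
        if 0x20 <= b < 0x7F:
            cur.append(b)
            continue
        if len(cur) >= min_len:
            out.append(cur.decode("ascii"))
        cur = bytearray()
    return out

# Constructed sample: NUL-separated config encoded with 0x22, standing in for a
# section carved from a real binary. NUL XOR 0x22 is '"', so a plain `strings`
# run over the raw bytes would not show these values cleanly.
SAMPLE_CONFIG = xor_bytes(b"\x00\x00/proc/\x00Mozilla/5.0 (Windows NT 10.0; Win64; x64)\x00")

if __name__ == "__main__":
    print(guess_single_byte_key(SAMPLE_CONFIG, b"/proc/"), extract_strings(SAMPLE_CONFIG))
```

Because the encoded form of a known string is a fixed byte pattern, the same approach turns a recovered config marker into a static signature for triaging other samples.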
Once active, the malware establishes contact with its command-and-control server to receive attack orders.
It supports multiple DDoS vectors, including UDP floods and TCP SYN floods, mapping these behaviors to specific internal function IDs for rapid deployment against targets.
The post Hackers Actively Exploiting IoT Vulnerabilities to Deploy New ShadowV2 Malware appeared first on Cyber Security News.