A new botnet, believed to be built on the foundations of the notorious Mirai malware, briefly appeared during the recent Amazon Web Services (AWS) outage, security researchers have reported. The incident has raised concerns that the botnet could return for a larger-scale attack in the future.
Brief emergence during AWS outage
Security experts from FortiGuard Labs revealed that the ShadowV2 botnet was active for no more than 15 hours during the AWS disruption. During this short window, it targeted vulnerabilities across devices from multiple manufacturers, including DD-WRT, D-Link, DigiEver, TBK, and TP-Link. The malware focused on creating a network of compromised devices, including routers, Wi-Fi access points, NAS boxes, DVRs, network video recorders, and other Internet of Things (IoT) hardware.
According to FortiGuard Labs, ShadowV2’s brief activity suggests it was conducting a trial run rather than executing a full-scale attack. “Its emergence likely served as a test run,” the researchers said, warning that the botnet is expected to resurface in the future.
Evolution from Mirai
ShadowV2 is described as a cloud-native botnet that initially targeted AWS EC2 instances. However, it has since evolved to target multiple sectors, spanning technology, retail, hospitality, government, and telecommunications. The botnet has been observed in over two dozen countries, including the United States, Canada, the United Kingdom, China, Russia, and Saudi Arabia.
Mirai, the malware that inspired ShadowV2, became infamous for pioneering large-scale IoT botnets capable of crippling major websites and internet infrastructure worldwide. Like its predecessor, ShadowV2 is likely designed to scan the internet for vulnerable devices, brute-force credentials, infect devices, and use them to expand its network. It could be deployed to launch Distributed Denial-of-Service (DDoS) attacks or other disruptive campaigns.
Wider implications for cloud security
The emergence of ShadowV2 coincided with a separate, significant cyber incident in which Microsoft Azure was targeted by the “largest-ever” cloud-based DDoS attack. This assault was carried out by the Aisuru botnet, sometimes referred to as “Turbo Mirai,” which is also considered a descendant of the original Mirai malware.
While the total number of devices infected with ShadowV2 remains unknown, the botnet primarily targets IoT devices. Security researchers emphasise the need for organisations to stay vigilant and ensure all connected devices are regularly updated and protected against known vulnerabilities.
Cybersecurity experts warn that ShadowV2 represents the ongoing evolution of IoT malware, highlighting the persistent threat posed by botnets in a connected world. With its brief test run already observed globally, the botnet could be poised to return with greater impact.


