Cybersecurity researchers at Fortinet’s FortiGuard Labs have identified a new Mirai-based botnet, dubbed ‘ShadowV2,’ which appears to have utilized the confusion surrounding a major AWS outage in October to conduct a global operational test. While the botnet was not responsible for the cloud outage, its activity window perfectly aligned with the downtime, suggesting the operators seized the moment to assess their capabilities with reduced visibility. The malware specifically targets Internet of Things (IoT) devices from vendors including D-Link, TP-Link, DD-WRT, DigiEver, and TBK, leveraging at least eight known vulnerabilities to compromise network equipment.
The most alarming aspect of the ShadowV2 campaign is its reliance on “zombie” hardware—devices that have reached their End-of-Life (EoL) and will never be patched. Specifically, the botnet exploits CVE-2024-10914 and CVE-2024-10915, command injection flaws found in older D-Link devices. Following inquiries regarding these flaws, D-Link confirmed that no fixes would be issued for the impacted models as they are no longer under development, leaving users permanently vulnerable unless the hardware is physically replaced. The malware also exploits a beta-patched flaw in TP-Link devices (CVE-2024-53375) and a legacy vulnerability in DD-WRT dating back to 2009.
Technical analysis reveals that the attacks originated from the IP address 198[.]199[.]72[.]27, utilizing a downloader script to fetch the malicious payload from a secondary server. Identifying itself as “ShadowV2 Build v1.0.0 IoT version,” the malware employs XOR-encoded configurations to mask its filesystem paths and utilizes a codebase similar to the Mirai LZRD variant. Once a device is compromised, it becomes part of a botnet capable of launching distributed denial-of-service (DDoS) attacks across UDP, TCP, and HTTP protocols.
The scope of this “test run” was extensive, impacting sectors including government, technology, manufacturing, telecommunications, and education across North and South America, Europe, Africa, Asia, and Australia. While the operators’ monetization strategy remains unclear, the sophisticated targeting of unpatchable legacy infrastructure indicates a strategy built on long-term persistence rather than quick, opportunistic strikes.
