ShadowV2 turns DDoS into a cloud-native subscription service

A novel ShadowV2 bot campaign is turning distributed denial-of-service (DDoS) attacks into a full-blown for-hire business, blending old-school malware with cloud-native deployment.

According to a Darktrace analysis shared with CSO ahead of its publication on Tuesday, the campaign exploits misconfigured Docker containers on AWS and weaponizes them for DDoS-as-a-service.

What makes ShadowV2 stand out is its professionalized setup, which includes APIs, dashboards, operator logins, and even animated interfaces.

“This is another reminder that cybercrime is no longer a side hustle, but an industry,” said Shane Barney, CISO at Keeper Security. “Threat actors are treating DDoS attacks like a business service, complete with APIs, dashboards, and user interfaces. This type of industrialization should be a wake-up call for defenders.”

Exposed Docker becomes the doorway

Darktrace researchers found that ShadowV2 is entering through exposed Docker APIs on AWS EC2, turning cloud-native misconfigurations into a launchpad for DDoS. The attackers used the Python Docker SDK to talk to exposed Docker daemons.

“This campaign targets exposed Docker daemons, specifically those running on AWS EC2,” Darktrace researchers noted in a blog post. “Darktrace runs a number of honeypots across multiple cloud providers and has only observed attacks against honeypots running on AWS EC2. By default, Docker is not accessible to the internet; however, it can be configured to allow external access.”

Instead of relying on prebuilt malicious images, the attackers build containers on the victim’s machine itself. The exact rationale of the approach is unclear, though Darktrace researchers suggest it may have been a way to reduce forensic traces from importing a malicious container.

Once inside, the malware deploys a Go-based RAT that establishes persistence by phoning home every second, polling its operators for commands, and spinning up massive HTTP flood attacks. Attackers were also seen using advanced capabilities like HTTP/2 rapid reset and Cloudflare’s “under attack mode” bypass for maximum disruption.

Kelvin Lim, senior director and head of security engineering (APAC) at Black Duck, explained, “DDoS-as-a-service lowers the barrier of entry for hackers and enables even low-skilled actors to launch large-scale attacks with minimal effort. Misconfigured Docker environments will always be a prime target.” Organizations must harden Docker environments, enforce least privilege, and integrate security earlier in the CI/CD pipeline, he added.
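As an added, defender-side illustration (not code from Darktrace's report or from CSO), the check below audits how a Docker daemon is configured to listen, since an Engine API exposed over TCP without TLS client authentication is the misconfiguration this campaign enters through. The daemon.json contents and dockerd command lines are constructed samples; `audit_docker_daemon` is a hypothetical helper, not a Docker tool.

```python
import json
import shlex
from urllib.parse import urlsplit

# Constructed sample: daemon.json that exposes the Engine API to any
# network peer without TLS client auth, beside a hardened version that
# keeps the TCP listener but requires client certificates (tlsverify).
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_docker_daemon(daemon_json: str, dockerd_cmdline: str = "dockerd") -> list[str]:
    """Return one finding per TCP Engine API listener that lacks TLS client auth.

    Listeners can come from daemon.json ("hosts") or from -H/--host flags on
    the dockerd command line, so both are merged before checking. "tls": true
    alone only encrypts; only "tlsverify" authenticates the remote client.
    """
    cfg = json.loads(daemon_json)
    argv = shlex.split(dockerd_cmdline)
    hosts = list(cfg.get("hosts", []))
    tlsverify = bool(cfg.get("tlsverify", False))
    i = 1
    while i < len(argv):
        arg = argv[i]
        if arg in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])
            i += 1
        elif arg.startswith("--host="):
            hosts.append(arg.split("=", 1)[1])
        elif arg.startswith("-H") and len(arg) > 2:
            hosts.append(arg[2:])  # -Htcp://... form
        elif arg in ("--tlsverify", "--tlsverify=true"):
            tlsverify = True
        i += 1
    findings = []
    for h in hosts:
        u = urlsplit(h)
        if u.scheme != "tcp":
            continue  # unix:// and fd:// listeners are local-only
        if (u.hostname or "") in LOOPBACK or tlsverify:
            continue
        findings.append(f"{h}: Engine API reachable without TLS client auth")
    return findings
```

Run it against the daemon.json and the `ExecStart` line of the docker systemd unit on each host; any finding means the build-and-run path described above is open to whoever can reach that port.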

From botnet to business platform

ShadowV2 is not just malware; it is a marketplace. Darktrace uncovered a full operator interface built with Tailwind and FastAPI, complete with Swagger documentation, admin and user privilege tiers, blacklists, and modular attack options. The design mirrors legitimate SaaS platforms, featuring dashboards and animations that make DDoS as easy as clicking ‘start’.

Jason Soroko, senior fellow at Sectigo, sees this as part of a broader criminal trend. “This research points to a maturing criminal market where specialization beats sprawl. The presence of an API and full UI turns botnet into a problem, which shifts detection from host indicators toward control plane behaviors,” Soroko said.

Rather than isolated campaigns, defenders now face products with roadmaps, feature upgrades, and customer support models, Soroko added. Darktrace researchers echoed Soroko’s concerns, adding that countering ShadowV2 would need a layered approach including deep visibility into containerized environments, and behavioral analytics to flag anomalies in Docker APIs and container orchestration activity.

Misconfigured containers remain a go-to target, as seen in the ECScape flaw, exposed Kubernetes APIs, and the Silentbob worm attack, all showing how small oversights can expose DevOps to large-scale attacks.
