ShadowV2 Casts a Shadow Over IoT Devices | FortiGuard Lab

FortiGuard Labs observed the Mirai-based botnet variant “ShadowV2” spreading via multiple IoT vulnerabilities during a global AWS connectivity disruption, impacting devices from vendors such as D-Link, TP-Link, DD-WRT, DigiEver, and TBK across many countries and industries. The campaign delivered a downloader (binary.sh) and the shadow-prefixed payloads (e.g., shadow.x86_64) connecting to the C2 silverpath.shadowstresser.info (81.88.18.108), and is assessed as likely a test run for future attacks.

Keypoints

  • ShadowV2, a Mirai-based botnet variant, was observed spreading by exploiting multiple known IoT vulnerabilities across vendors including D-Link, TP-Link, DD-WRT, DigiEver, and TBK.
  • The campaign delivered a downloader (binary.sh) that fetched ShadowV2 payloads (prefixed “shadow”) from infrastructure resolving to silverpath.shadowstresser.info / 81.88.18.108.
  • ShadowV2 x86-64 (shadow.x86_64) uses XOR (key 0x22) to decode its configuration, initializes DDoS attack methods, and connects to a C2 to receive commands.
  • The malware supports UDP, TCP, and HTTP-based flooding methods (UDP floods, TCP SYN/ACK variants, and HTTP-level floods) and maps these to internal attack function IDs.
  • Activity was global, affecting multiple countries and seven industry sectors, and appears to have coincided with a large-scale AWS outage; it is assessed as likely a test run rather than a sustained campaign.
  • Fortinet protections (AV signatures, IPS rules, Web Filtering, and IP reputation/Anti-Botnet services) detect and block the described components and exploitation attempts.
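The configuration decoding noted above (single-byte XOR, key 0x22) is the kind of detail an analyst verifies before extracting C2 strings from a sample. The following is an added example, not FortiGuard's or the malware's own code: it decodes a constructed blob with key 0x22, pulls out NUL-terminated strings (the NUL-terminated layout is an assumption), and ranks all 256 single-byte keys to confirm that 0x22 is indeed the best fit.

```python
# Added example: single-byte XOR (key 0x22) config decoding, as reported for ShadowV2.
# Not FortiGuard's or the malware's code; the blob is constructed and the
# NUL-terminated string layout is an assumption.
from typing import List

XOR_KEY = 0x22  # key reported for ShadowV2's configuration


def xor_decode(blob: bytes, key: int = XOR_KEY) -> bytes:
    """XOR every byte with the key; XOR is its own inverse, so this also encodes."""
    return bytes(b ^ key for b in blob)


def extract_strings(blob: bytes, key: int = XOR_KEY, min_len: int = 4) -> List[str]:
    """Decode the blob and return printable NUL-terminated strings of at least min_len."""
    found = []
    for chunk in xor_decode(blob, key).split(b"\x00"):
        if len(chunk) >= min_len and all(0x20 <= c < 0x7F for c in chunk):
            found.append(chunk.decode("ascii"))
    return found


def guess_xor_key(blob: bytes) -> int:
    """Score all 256 single-byte keys by how much printable text (plus NUL/CR/LF)
    they yield and return the best one. Use it to confirm a reported key."""
    def score(key: int) -> int:
        decoded = xor_decode(blob, key)
        return sum(1 for c in decoded if 0x20 <= c < 0x7F or c in (0x00, 0x0A, 0x0D))
    return max(range(256), key=score)


# Constructed sample config: the C2 host from the report plus two illustrative
# entries (not recovered from a real sample), encoded with key 0x22.
SAMPLE_CONFIG = xor_decode(
    b"silverpath.shadowstresser.info\x00/bin/busybox\x00User-Agent: Mozilla/5.0\x00",
    XOR_KEY,
)

if __name__ == "__main__":
    print("best single-byte key: 0x%02x" % guess_xor_key(SAMPLE_CONFIG))
    for s in extract_strings(SAMPLE_CONFIG):
        print(s)
```

Run against a real sample, point `guess_xor_key` at the suspected configuration region rather than the whole binary, since code bytes would swamp the score.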

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – ShadowV2 propagation exploited multiple device vulnerabilities to gain execution on IoT systems (‘spreads a downloader script binary.sh by exploiting multiple vulnerabilities and delivers the “ShadowV2” malware’)
  • [T1105] Ingress Tool Transfer – The attacker delivered a downloader (binary.sh) that fetched the ShadowV2 payload onto the compromised device (‘spreads a downloader script binary.sh by exploiting multiple vulnerabilities and delivers the “ShadowV2” malware’)
  • [T1059.004] Unix Shell – Use of a shell-based downloader and execution of scripts/binaries on IoT devices (‘spreads a downloader script binary.sh’)
  • [T1071.001] Application Layer Protocol: Web Protocols – The malware connects to C2 over HTTP and uses HTTP-level communication to receive commands (‘connects to a C2 server to receive commands that trigger DDoS attacks’)
  • [T1095] Non-Application Layer Protocol – The malware implements transport-layer attack methods and uses raw TCP/UDP floods as part of its DDoS capabilities (‘supports two transport-layer protocols (UDP and TCP)’)
  • [T1499] Network Denial of Service – ShadowV2 executes DDoS operations including UDP floods, TCP variants, and HTTP-level floods mapped to internal attack methods (‘implemented attack methods including UDP floods, several TCP-based floods, and HTTP-level floods’)

Indicators of Compromise

  • [Domains / Hosts] C2 and infrastructure – silverpath.shadowstresser.info, 81[.]88[.]18[.]108 (C2); 198[.]199[.]72[.]27 (delivery host)
  • [File hashes] Downloader and payload – 7dfbf8cea45380cf936ffdac18c15ad91996d61add606684b0c30625c471ce6a (Downloader), 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 (ShadowV2 payload)
  • [File names] Executables / scripts – binary.sh (downloader script), shadow.x86_64 (payload binary)

Read more: https://feeds.fortinet.com/~/929681342/0/fortinet/blog/threat-research~ShadowV-Casts-a-Shadow-Over-IoT-Devices-FortiGuard-Lab