ShadowV2 Botnet Infects AWS Docker Containers to Launch DDoS Campaign
Darktrace’s latest investigation uncovered a novel campaign that blends traditional malware with modern DevOps technology. At the center of this operation lies a Python-based command-and-control (C2) framework hosted on GitHub CodeSpaces.
The threat actors leverage a multi-stage Docker deployment initiated by a Python spreader, followed by a Go-based Remote Access Trojan (RAT) that implements a RESTful registration and polling mechanism.
By marrying containerization and cloud-native tooling with advanced denial-of-service techniques, ShadowV2 elevates DDoS malware into a full-fledged botnet-as-a-service platform.
What sets ShadowV2 apart is the sophistication and scale of its toolkit. The campaign combines HTTP/2 rapid reset attacks, Cloudflare Under Attack Mode (UAM) bypass, and large-scale HTTP floods, illustrating a hybrid approach that merges volumetric DDoS with targeted exploitation of cloud infrastructure.
The inclusion of an OpenAPI specification—implemented via FastAPI and Pydantic—alongside a polished login panel and operator interface, indicates a service designed for multi-tenant use.
This level of polish reframes the operation not as a traditional botnet, but as a “DDoS-as-a-Service” platform, reflecting how modern malware increasingly mirrors legitimate cloud-native applications in both architecture and usability.
The HTTP/2 rapid reset method exploits the protocol’s multiplexing feature: thousands of request streams can be created within a single connection, then immediately canceled to free capacity for new streams.
This dramatically increases request rates per client, maximizes resource exhaustion on victim servers, and evades conventional flood mitigation.
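What lets a server distinguish this pattern from ordinary stream cancellation is a per-connection count of "immediate" resets, which is the shape of the mitigations HTTP/2 implementations shipped for rapid reset. The following Python is an added example, not code from the Darktrace report or from ShadowV2; its frame-event layout, the 10 ms cancel window and the 100-reset limit are constructed assumptions.

```python
"""Per-connection HTTP/2 rapid-reset heuristic: count streams cancelled almost as
soon as they are opened and close the connection once a limit is exceeded.
Added example, not from the Darktrace report; the event layout, the 10 ms window
and the 100-reset limit are constructed assumptions."""
from dataclasses import dataclass, field
from typing import Dict, Optional

RAPID_CANCEL_WINDOW = 0.010   # seconds between HEADERS and RST_STREAM to count as "rapid"
MAX_RAPID_RESETS = 100        # rapid resets tolerated per connection before closing it

@dataclass
class ConnectionState:
    open_streams: Dict[int, float] = field(default_factory=dict)  # stream id -> open time
    rapid_resets: int = 0

    def on_frame(self, ts: float, frame: str, stream_id: int) -> bool:
        """Feed one (timestamp, frame type, stream id) event; True means close the connection."""
        if frame == "HEADERS":
            self.open_streams[stream_id] = ts
        elif frame == "RST_STREAM":
            opened = self.open_streams.pop(stream_id, None)
            # Only a cancel arriving almost immediately after the request counts as abuse.
            if opened is not None and ts - opened <= RAPID_CANCEL_WINDOW:
                self.rapid_resets += 1
        elif frame == "END_STREAM":
            self.open_streams.pop(stream_id, None)   # finished normally, nothing to count
        return self.rapid_resets > MAX_RAPID_RESETS

def first_enforcement(events) -> Optional[int]:
    """Index of the frame at which the heuristic closes the connection, or None."""
    state = ConnectionState()
    for i, (ts, frame, sid) in enumerate(events):
        if state.on_frame(ts, frame, sid):
            return i
    return None

def constructed_rapid_reset_events(n: int):
    """Constructed abusive shape: every stream is opened and cancelled 1 ms later."""
    ev = []
    for k in range(n):
        sid = 2 * k + 1                    # client-initiated streams use odd ids
        ev += [(k * 0.001, "HEADERS", sid), (k * 0.001 + 0.001, "RST_STREAM", sid)]
    return ev

def constructed_normal_events(n: int):
    """Constructed benign shape: streams complete; one in ten is cancelled 0.5 s in."""
    return [e for k in range(n) for e in ((k * 0.05, "HEADERS", 2 * k + 1),
            (k * 0.05 + 0.5, "RST_STREAM" if k % 10 == 0 else "END_STREAM", 2 * k + 1))]
```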
For UAM bypass, the malware bundles a headless Chrome binary via ChromeDP to solve JavaScript challenges and retrieve clearance cookies—though effectiveness is limited by Cloudflare’s headless browser detection mechanisms.
Additional flags support random query strings, spoofed forwarding headers with randomized IPs, and unimplemented WordPress bypass routines.
Analysis of a ShadowV2 Attack
Initial Access
ShadowV2’s initial compromise vector targets exposed Docker daemons on AWS EC2 instances. Darktrace honeypots recorded Python Docker SDK requests bearing a User-Agent: docker-sdk-python/7.1.0 header and a GitHub-injected X-Meta-Source-Client: github/codespaces header.
Connection attempts originated from Microsoft IPs in Singapore, consistent with GitHub CodeSpaces hosting.

By spawning a generic “setup” container that installs the RAT and DDoS binaries in an Ubuntu environment, then imaging that container for deployment, the adversary likely aims to minimize external forensic artifacts.
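Both headers are straightforward to alert on wherever the Docker Engine API is logged, and the staging calls themselves (image pull, build, container create, commit) are worth flagging from any untrusted source. The following Python is an added example, not Darktrace’s code: it assumes the Docker API sits behind a reverse proxy that writes one JSON object per request (constructed sample inline), and the field names and the trusted management network are assumptions; the header values are the ones in the report.

```python
"""Flag Docker Engine API requests carrying the headers Darktrace saw from the
ShadowV2 spreader. Added example, not Darktrace's code: it assumes the Docker API
sits behind a reverse proxy that logs one JSON object per request (constructed
sample below); field names and the trusted network are assumptions, the header
values are from the report."""
import ipaddress
import json

SPREADER_UA = "docker-sdk-python/7.1.0"
CODESPACES_HEADER = ("x-meta-source-client", "github/codespaces")
# Docker API calls needed to pull/build an image and run a container from it.
STAGING_PATHS = ("/containers/create", "/images/create", "/build", "/commit", "/exec")
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # constructed: the management VPC

# Constructed sample log: two benign requests and one matching the ShadowV2 pattern.
SAMPLE_LOG = """\
{"src":"10.0.0.5","method":"GET","path":"/v1.45/containers/json","headers":{"User-Agent":"Docker-Client/26.0.0 (linux)"}}
{"src":"203.0.113.7","method":"POST","path":"/v1.41/containers/create","headers":{"User-Agent":"docker-sdk-python/7.1.0","X-Meta-Source-Client":"github/codespaces"}}
{"src":"10.0.0.9","method":"GET","path":"/_ping","headers":{"User-Agent":"curl/8.5.0"}}
"""

def classify(record: dict) -> list:
    """Return the reasons one request record is suspicious (empty list if none)."""
    headers = {k.lower(): v for k, v in record.get("headers", {}).items()}
    reasons = []
    if headers.get("user-agent", "").startswith(SPREADER_UA):
        reasons.append("spreader user-agent")
    if headers.get(CODESPACES_HEADER[0], "").lower() == CODESPACES_HEADER[1]:
        reasons.append("client ran inside GitHub Codespaces")
    # Staging calls from outside the management network matter even without the
    # headers: the Docker API should not be reachable from arbitrary remote hosts.
    src = ipaddress.ip_address(record.get("src", "0.0.0.0"))
    if any(p in record.get("path", "") for p in STAGING_PATHS) and not any(src in n for n in TRUSTED_NETS):
        reasons.append("container staging call from an untrusted source")
    return reasons

def scan(log_text: str) -> list:
    """Return (source IP, reasons) for every suspicious record in the log."""
    hits = []
    for line in log_text.splitlines():
        if line.strip():
            rec = json.loads(line)
            reasons = classify(rec)
            if reasons:
                hits.append((rec["src"], reasons))
    return hits

if __name__ == "__main__":
    for src, why in scan(SAMPLE_LOG):
        print(f"{src}: {', '.join(why)}")
```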
Malware Behavior
Once deployed, the Docker container drops an ELF binary written in Go to /app/deployment. The unstripped binary phones home using environment-supplied MASTER_ADDR and VPS_NAME identifiers, generating a unique VPS_ID by concatenating the VPS name with a Unix timestamp.

Two persistent loops drive the implant: a one-second heartbeat POST to /api/vps/heartbeat, and a five-second GET poll to /api/vps/poll/<VPS_ID> for new commands.
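Fixed one-second and five-second loops are exactly the kind of traffic that stands out in egress HTTP logs, by path when the C2 is known and by timing regularity when it is not. The following Python is an added example, not code from the Darktrace report: the intervals and paths are from the report, the log layout and the VPS_ID value are a constructed sample, and the regularity threshold is an assumption.

```python
"""Spot the ShadowV2 implant's fixed-interval C2 traffic in egress HTTP logs.
Added example, not from the Darktrace report: the 1 s POST heartbeat, 5 s GET poll
and their paths are from the report; the log layout is a constructed sample and
the regularity threshold is an assumption."""
import re
import statistics
from collections import defaultdict

HEARTBEAT = re.compile(r"^POST /api/vps/heartbeat$")
POLL = re.compile(r"^GET /api/vps/poll/[^/\s]+$")

def build_sample():
    """Constructed egress log rows: (epoch seconds, destination host, request line)."""
    rows = [(1000.0 + i, "c2.example", "POST /api/vps/heartbeat") for i in range(20)]
    rows += [(1000.0 + 5 * i, "c2.example", "GET /api/vps/poll/web01-1718000000") for i in range(4)]
    rows += [(t, "cdn.example", "GET /index.html") for t in (1000.3, 1003.9, 1011.2, 1017.0)]
    return rows

def periodicity(times):
    """(median interval, coefficient of variation) for a sorted list of timestamps."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        return 0.0, float("inf")
    mean = statistics.mean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean else float("inf")
    return statistics.median(gaps), cv

def find_beacons(rows, max_cv=0.1, min_requests=4):
    """Group by destination and request line; flag known C2 paths and metronomic groups."""
    groups = defaultdict(list)
    for ts, host, req in rows:
        groups[(host, req)].append(ts)
    alerts = []
    for (host, req), times in groups.items():
        times.sort()
        med, cv = periodicity(times)
        known = bool(HEARTBEAT.match(req) or POLL.match(req))
        # A tight coefficient of variation over enough requests is what a 1 s / 5 s loop
        # looks like whatever path it uses; the path match catches known C2 regardless of count.
        regular = len(times) >= min_requests and cv <= max_cv
        if known or regular:
            alerts.append({"host": host, "request": req, "period_s": round(med, 2),
                           "known_shadowv2_path": known, "regular": regular})
    return alerts

if __name__ == "__main__":
    for a in find_beacons(build_sample()):
        print(a)
```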
Reverse engineering of two older malware versions submitted to VirusTotal in June and July revealed no prior detections, suggesting either opportunistic victim submissions or attacker testing.
Command payloads specify HTTP methods, attack IDs, target URLs and ports, thread counts, duration, and optional proxies.

The malware then spawns multiple threads executing Valyala’s fasthttp-based HTTP flood or HTTP/2 rapid reset attacks against specified targets. In one instance, researchers intercepted a 120-thread HTTP/2 rapid reset assault targeting an Amsterdam VPS.
API and C2 Infrastructure
The malware’s RESTful C2—hosted behind Cloudflare and likely running on GitHub CodeSpaces—exposes an extensive API documented via an OpenAPI spec, now retracted from public view.
Available endpoints support user authentication, privilege distinctions, attack initiation, and zombie host management.
The presence of an admin-only user-creation endpoint, attack-start endpoint requiring explicit zombie lists, and blacklist management functionality underscores a multi-tenant, commercialized DDoS-for-hire model rather than a purely criminal underground botnet.

Defenders must adapt by gaining deep visibility into container orchestration processes, enforcing strict access controls on the Docker API, and continuously monitoring cloud workloads with behavioral analytics tuned to anomalous API usage and network patterns.
ShadowV2 exemplifies the evolution of cybercrime-as-a-service, leveraging containerization, cloud DevOps platforms, and a fully developed API and user interface to deliver on-demand DDoS capabilities.
Recognizing these campaigns as modular, service-based threats—not isolated malware strains—will be critical to preempting future iterations of ShadowV2 and similar botnet platforms.