ShadowV2 Botnet Exploits Misconfigured Docker Containers for DDoS-for-Hire
September 25th, 2025
High

Our Cyber Threat Intelligence Unit has identified a new botnet, ShadowV2, that exploits misconfigured Docker daemons on AWS EC2 to build a cloud-native DDoS-for-hire platform. First seen in honeypots on June 24, 2025, ShadowV2 pairs a Python-based spreader operated from GitHub Codespaces with a Go ELF RAT that runs inside the containers the spreader creates. Operators drive the botnet through a FastAPI-powered control panel and REST APIs, which lets them scale attacks quickly. ShadowV2 stands out for its use of modern techniques: HTTP/2 Rapid Reset floods, headless-browser solving of Cloudflare challenges so that flood traffic passes bot protection, and commercialized access through a modular subscription model. The campaign presents a high risk to organizations running Docker in cloud environments: hijacked compute, unexpected costs, service disruption for the targets of the resulting attacks, and attribution problems when attack traffic originates from a legitimate tenant's infrastructure.
Technical Details
Attack Type: Container exploitation → DDoS-for-hire botnet.
Severity: High.
Delivery Method: Python spreader connects to exposed, unauthenticated Docker daemon APIs, starts a generic Ubuntu container, installs tooling inside it and commits it as a new image, then deploys the Go RAT.
Infrastructure:
C2 domain: shadow.aurozacloud[.]xyz (fronted by Cloudflare).
API endpoints: /api/vps/heartbeat, /api/attack/start.
Spreader operated from GitHub Codespaces; the implant's HTTP flood is built on Go fasthttp.
Evasion & Techniques:
HTTP/2 Rapid Reset and high-volume HTTP floods.
ChromeDP (headless Chrome) used to solve Cloudflare JavaScript challenges and obtain clearance cookies, so the flood requests are accepted as browser traffic.
C2 fronted by Cloudflare, which hides the origin server and complicates disruption.
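The Rapid Reset technique above is detectable at the HTTP/2 layer without any ShadowV2-specific indicator. The following is an added example (not code from the advisory or from the botnet) of the heuristic that proxies and CDNs use against it: count how often a single connection opens a stream and cancels it almost immediately. The event format, the connection names and the thresholds are all constructed for the example and would need tuning against real traffic.

```python
"""Heuristic detector for HTTP/2 Rapid Reset (CVE-2023-44487) from frame events.

Added example, not from the advisory. Input is a constructed stream of
(timestamp_seconds, connection_id, frame_type, stream_id) tuples such as a
reverse proxy or an HTTP/2-aware sensor could emit. The signal is a client
that opens streams and cancels them almost immediately, at a rate no browser
produces: each HEADERS frame makes the server start work that the RST_STREAM
then discards, and because the reset frees the stream slot the client is
never held back by SETTINGS_MAX_CONCURRENT_STREAMS.
"""
from collections import defaultdict, deque


def detect_rapid_reset(events, window=1.0, reset_threshold=100, max_stream_age=0.05):
    """Return {connection_id: peak fast-resets within `window`} for connections
    whose count reached `reset_threshold`.

    Only resets of streams opened less than `max_stream_age` seconds earlier
    count, so a user cancelling a slow page load is not mistaken for an attack.
    `events` must be ordered by timestamp. Thresholds are assumptions.
    """
    opened = {}                   # (conn, stream) -> HEADERS timestamp
    recent = defaultdict(deque)   # conn -> timestamps of fast resets inside the window
    flagged = {}
    for ts, conn, frame, stream_id in events:
        if frame == "HEADERS":
            opened[(conn, stream_id)] = ts
        elif frame == "RST_STREAM":
            started = opened.pop((conn, stream_id), None)
            if started is None or ts - started > max_stream_age:
                continue  # slow cancel, or a stream we never saw open
            q = recent[conn]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()
            if len(q) >= reset_threshold:
                flagged[conn] = max(flagged.get(conn, 0), len(q))
    return flagged


def build_sample_events():
    """Constructed traffic: one attacker connection, one browser, one busy API client."""
    events = []
    # Attacker: open a stream and reset it 1 ms later, 500 times per second.
    for i in range(300):
        t = i * 0.002
        events.append((t, "atk", "HEADERS", 2 * i + 1))
        events.append((t + 0.001, "atk", "RST_STREAM", 2 * i + 1))
    # Browser: a few streams cancelled half a second in (user navigated away).
    for i in range(20):
        t = i * 0.1
        events.append((t, "browser", "HEADERS", 2 * i + 1))
        events.append((t + 0.5, "browser", "RST_STREAM", 2 * i + 1))
    # Busy but legitimate client: fast cancels, but far below the threshold.
    for i in range(50):
        t = i * 0.02
        events.append((t, "api", "HEADERS", 2 * i + 1))
        events.append((t + 0.01, "api", "RST_STREAM", 2 * i + 1))
    events.sort(key=lambda e: e[0])
    return events


if __name__ == "__main__":
    print(detect_rapid_reset(build_sample_events()))  # {'atk': 300}
```

Only the attacker connection is reported: the browser's cancels are too slow to count, and the API client's fast cancels stay under the per-window threshold. Real deployments enforce the same idea as a per-connection reset-rate limit and close the connection with a GOAWAY once it is exceeded, which is why current web servers and CDNs already blunt this attack; the check is still worth having on anything that terminates HTTP/2 itself.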

Impact
Cloud Resource Hijacking: AWS EC2 Docker hosts are weaponized as attack nodes.
Attack Efficiency: HTTP/2 Rapid Reset lets each bot impose far more server-side work per connection than a conventional request flood, because every opened-and-cancelled stream costs the server processing while the client is never throttled by the concurrent-stream limit.
Financial Burden: Unexpected compute/egress charges and remediation overhead.
Collateral Risk: Shared tenants/services degraded by container attack traffic.
Crime-as-a-Service Growth: API-driven model lowers entry barrier for non-technical actors.
Attribution Difficulty: Cloudflare fronting and scripted bypass hinder takedown efforts.
Detection Method
Network & API Logs: Unauthorized Docker API access from GitHub Codespaces IP space, especially requests carrying the User-Agent docker-sdk-python/7.1.0 and the header X-Meta-Source-Client: github/codespaces.
Container Behavior: Generic Ubuntu containers with unusual package installs, followed by a commit of the running container as a new image (the spreader builds its image live on the victim rather than pulling one).
Traffic Analysis: Outbound connections to shadow.aurozacloud[.]xyz, HTTP/2 Rapid Reset flood signatures, clearance-cookie activity from headless browsers.
Operator Activity: REST API calls consistent with attack orchestration.
Threat Hunting: Apply Darktrace-published YARA rules for ShadowV2 samples.
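To make the detection list above concrete, here is an added example (not tooling from the advisory or from Darktrace) that runs the spreader fingerprints, the create/start/commit staging sequence and the IOC table over log lines. The two log formats are constructed for the example: one for a proxy or sensor in front of the Docker daemon that records the client's User-Agent and X-Meta-Source-Client header, one for outbound connections with destination and request path. The advisory lists the two IP addresses without a role, so the example matches them both as management-API sources and as egress destinations.

```python
"""Hunt for ShadowV2-style Docker API abuse and C2 contacts in log lines.

Added example: not code from the advisory or from Darktrace. Both log formats
are constructed for the example (see the regexes below); the indicators are
the ones listed in the advisory.
"""
import re
from collections import Counter
from dataclasses import dataclass

SPREADER_UA = "docker-sdk-python/7.1.0"
SPREADER_META = "github/codespaces"
C2_DOMAIN = "shadow.aurozacloud.xyz"
IOC_IPS = {"23.97.62.139", "23.97.62.136"}  # listed without a role; matched in both directions
C2_API_PATHS = {"/api/vps/heartbeat", "/api/attack/start"}


@dataclass(frozen=True)
class Finding:
    source: str   # which log produced the hit
    rule: str     # short rule name
    client: str   # IP that triggered it
    detail: str


# Constructed format: <client_ip> "<METHOD> <path>" ua="<User-Agent>" meta="<X-Meta-Source-Client or ->"
DOCKER_LOG_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" '
    r'ua="(?P<ua>[^"]*)" meta="(?P<meta>[^"]*)"$'
)
# Constructed format: <src_ip> -> <dst_host_or_ip>:<port> <path>
OUTBOUND_LOG_RE = re.compile(r'^(?P<src>\S+) -> (?P<dst>[^:\s]+):(?P<port>\d+) (?P<path>\S+)$')


def scan_docker_api_log(lines):
    """Flag spreader fingerprints and the create -> start -> commit sequence that
    produces the 'live image creation' described in the advisory."""
    findings = []
    staging = {}  # client ip -> Docker Engine API steps seen
    for line in lines:
        m = DOCKER_LOG_RE.match(line.strip())
        if not m:
            continue
        ip, path, ua, meta = m["ip"], m["path"], m["ua"], m["meta"]
        if ua == SPREADER_UA:
            findings.append(Finding("docker-api", "spreader-user-agent", ip, ua))
        if SPREADER_META in meta:
            findings.append(Finding("docker-api", "codespaces-meta-header", ip, meta))
        if ip in IOC_IPS:
            findings.append(Finding("docker-api", "ioc-source-ip", ip, path))
        # Docker Engine API paths; a versioned prefix such as /v1.47 is allowed.
        if "/containers/create" in path:
            staging.setdefault(ip, set()).add("create")
        elif re.search(r"/containers/[^/]+/start$", path):
            staging.setdefault(ip, set()).add("start")
        elif "/commit" in path:
            staging.setdefault(ip, set()).add("commit")
    for ip, steps in staging.items():
        if {"create", "start", "commit"} <= steps:
            findings.append(Finding("docker-api", "live-image-build", ip, ",".join(sorted(steps))))
    return findings


def scan_outbound_log(lines):
    """Flag connections to the C2 domain, to the listed IPs, or carrying the C2 API paths."""
    findings = []
    for line in lines:
        m = OUTBOUND_LOG_RE.match(line.strip())
        if not m:
            continue
        src, dst, path = m["src"], m["dst"], m["path"]
        if dst == C2_DOMAIN:
            findings.append(Finding("egress", "c2-domain", src, dst))
        if dst in IOC_IPS:
            findings.append(Finding("egress", "ioc-destination-ip", src, dst))
        if path in C2_API_PATHS:
            findings.append(Finding("egress", "c2-api-path", src, path))
    return findings


def rule_counts(findings):
    """Summarise findings as {rule: count}, the shape a SIEM alert payload wants."""
    return dict(Counter(f.rule for f in findings))


# Constructed sample logs, not captured data.
SAMPLE_DOCKER_LOG = """\
23.97.62.139 "GET /v1.47/version" ua="docker-sdk-python/7.1.0" meta="github/codespaces"
23.97.62.139 "POST /v1.47/containers/create" ua="docker-sdk-python/7.1.0" meta="github/codespaces"
23.97.62.139 "POST /v1.47/containers/ab12/start" ua="docker-sdk-python/7.1.0" meta="github/codespaces"
23.97.62.139 "POST /v1.47/commit?container=ab12" ua="docker-sdk-python/7.1.0" meta="github/codespaces"
10.0.0.5 "GET /v1.47/containers/json" ua="Docker-Client/27.0.3 (linux)" meta="-"
""".splitlines()

SAMPLE_OUTBOUND_LOG = """\
10.0.0.5 -> shadow.aurozacloud.xyz:443 /api/vps/heartbeat
10.0.0.5 -> shadow.aurozacloud.xyz:443 /api/attack/start
10.0.0.5 -> 23.97.62.136:443 /
10.0.0.9 -> updates.example.net:443 /index.html
""".splitlines()

if __name__ == "__main__":
    for f in scan_docker_api_log(SAMPLE_DOCKER_LOG) + scan_outbound_log(SAMPLE_OUTBOUND_LOG):
        print(f)
```

The User-Agent and header checks are cheap but brittle, since a later docker-py release or a self-hosted spreader changes both; the live-image-build sequence and the egress matches survive that, which is why the example keeps all three rule families rather than relying on the string indicators alone. Note that the Docker daemon itself does not log the User-Agent at its default log level, so the request-level rules assume a proxy, load balancer or network sensor in front of the API.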
Indicators of Compromise
Type | Indicator |
File Hash – SHA-256 | 2462467c89b4a62619d0b2957b21876dc4871db41b5d5fe230aa7ad107504c99 |
File Hash – SHA-256 | 1b552d19a3083572bc433714dfbc2b75eb6930a644696dedd600f9bd755042f6 |
File Hash – SHA-256 | 1f70c78c018175a3e4fa2b3822f1a3bd48a3b923d1fbdeaa5446960ca8133e9c |
Domain | shadow.aurozacloud[.]xyz |
IP Address | 23.97.62[.]139 |
IP Address | 23.97.62[.]136 |
API Path | /api/vps/heartbeat |
API Path | /api/attack/start |

Recommendations
Harden Docker APIs: Never expose the daemon's TCP socket (conventionally port 2375) to the internet; an unauthenticated Docker API is root on the host. If remote access is required, bind it to a management address, require mutual TLS (tlsverify with client certificates) or reach the daemon over SSH, and restrict the port in the EC2 security group.
Runtime Controls: Allow only approved container images; block ad-hoc builds.
Egress Restrictions: Apply IP/DNS allow-lists to container hosts so an implant can neither reach its C2 nor flood arbitrary targets.
DDoS Detection Tuning: Deploy rules for HTTP/2 Rapid Reset floods and headless-browser activity.
Developer Platform Monitoring: Treat management-API traffic arriving from GitHub Codespaces IP space as suspicious; the spreader operates from there even though the C2 itself is hosted elsewhere.
IOC Integration: Add provided hashes, domains, IPs, and API paths into SIEM/EDR for proactive detection.
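The first recommendation is the one that removes the initial access entirely, so here is an added example (not from the advisory) that audits a Docker daemon.json for it: the exposed configuration the spreader needs, beside the hardened counterpart. Both configurations are constructed; the keys (hosts, tlsverify, tlscacert, tlscert, tlskey) are documented dockerd options, while the addresses and certificate paths are placeholders.

```python
"""Audit a Docker daemon.json for the exposure ShadowV2's spreader relies on.

Added example, not the advisory's tooling. Both configs below are constructed:
the weak one mirrors the misconfiguration described above (daemon TCP socket
on 0.0.0.0:2375 with no TLS, so anyone who can reach the port controls the
host), the hardened one binds a management address and requires mutual TLS.
"""
import json
from urllib.parse import urlsplit

WILDCARD_BINDS = {"0.0.0.0", "::", ""}
PLAINTEXT_PORT = 2375  # conventional unauthenticated port; 2376 is the TLS convention

WEAK_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}
"""

HARDENED_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.1.10:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/certs/ca.pem",
  "tlscert": "/etc/docker/certs/server-cert.pem",
  "tlskey": "/etc/docker/certs/server-key.pem"
}
"""


def audit_daemon_config(config_text):
    """Return a list of (severity, rule, listener) findings; empty means no TCP exposure issue."""
    cfg = json.loads(config_text)
    findings = []
    hosts = cfg.get("hosts", ["unix:///var/run/docker.sock"])
    tls_verify = bool(cfg.get("tlsverify", False))
    tls_files = [cfg.get(k) for k in ("tlscacert", "tlscert", "tlskey")]
    for listener in hosts:
        url = urlsplit(listener)
        if url.scheme != "tcp":
            continue  # unix:// and fd:// listeners are local-only
        host = url.hostname or ""
        if not tls_verify:
            # Exactly the condition the spreader needs: remote API, no client auth.
            findings.append(("critical", "tcp-listener-without-tlsverify", listener))
        elif not all(tls_files):
            findings.append(("high", "tlsverify-without-complete-certificates", listener))
        if host in WILDCARD_BINDS:
            findings.append(("high", "wildcard-bind", listener))
        if url.port == PLAINTEXT_PORT:
            findings.append(("medium", "plaintext-port-convention", listener))
    return findings


def is_exposed(config_text):
    """True when the daemon can be driven remotely without a client certificate."""
    return any(sev == "critical" for sev, _, _ in audit_daemon_config(config_text))


if __name__ == "__main__":
    for name, text in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(name, audit_daemon_config(text))
```

Two caveats a practitioner will hit. On systemd-based installs the unit file already passes `-H fd://` to dockerd, which conflicts with a `hosts` key in daemon.json and stops the daemon from starting; put the listener in a systemd drop-in override instead. And the daemon configuration is only half the fix: the EC2 security group must not permit 2375 or 2376 from 0.0.0.0/0 regardless of what TLS settings the daemon has.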
Conclusion
ShadowV2 showcases the growing weaponization of cloud misconfigurations as commercial DDoS tools. By leveraging container exploitation, advanced HTTP/2 attack methods, and resilient C2 infrastructure protected by Cloudflare, ShadowV2 remains a persistent and evasive threat. We urge organizations to secure Docker APIs promptly, monitor for unusual container activity, and enforce strict egress controls to stop their infrastructure from being hijacked.