Even worse, it might have been a 'test run' for future attacks
A Mirai-based botnet named ShadowV2 emerged during last October's widespread AWS outage, infecting IoT devices across industries and continents, likely serving as a "test run" for future attacks, according to Fortinet's FortiGuard Labs.…
Analysis Summary
# Incident Report: ShadowV2 Mirai Botnet Emergence During AWS Outage
## Executive Summary
A Mirai-based botnet variant named ShadowV2 emerged in October, exploiting known vulnerabilities in IoT devices from several vendors across 28 countries. The campaign coincided with a widespread AWS outage, and Fortinet suspects it served as a "test run" for future, larger-scale attacks. The impact was the creation of a large, remotely controllable zombie network; the observed malicious activity was confined to the window of the AWS outage.
## Incident Details
- Discovery Date: November 26, 2025 (Date of Fortinet report)
- Incident Date: October 2025 (timeframe of the widespread AWS outage and of the observed botnet activity)
- Affected Organization: Numerous organizations across various sectors globally.
- Sector: Technology, Retail and Hospitality, Manufacturing, Managed Security Service Providers, Government, Telecommunication and Carrier Services, and Education.
- Geography: 28 countries, including US, Canada, UK, China, Japan, Australia, and others across the Americas, Europe, Africa, and Asia.
## Timeline of Events
### Initial Access
- Date/Time: During the widespread AWS outage in October.
- Vector: Exploitation of known vulnerabilities in Internet-exposed IoT devices from multiple vendors.
- Details: The exploited vulnerabilities affect DD-WRT, D-Link, DigiEver, TBK, and TP-Link devices. A successful exploit drops a downloader script (`binary.sh`), which then fetches the ShadowV2 binaries (filenames prefixed "shadow") from the command-and-control (C2) server 81[.]88[.]18[.]108.
### Lateral Movement
- Details: ShadowV2 spreads the way Mirai variants do: each infected device scans for and exploits further vulnerable devices, which let the zombie network grow rapidly across continents.
### Data Exfiltration/Impact
- Details: The demonstrated capability was large-scale Distributed Denial of Service (DDoS) traffic flooding driven from the infected IoT fleet. No data exfiltration was observed; the incident consisted of botnet construction, and the observed activity was limited to the duration of the AWS outage.
### Detection & Response
- Detection: Detected and analyzed by Fortinet's FortiGuard Labs.
- Response Actions: Fortinet published a comprehensive list of Indicators of Compromise (IOCs) to assist partners and customers with threat hunting.
## Attack Methodology
- Initial Access: Exploitation of known IoT device vulnerabilities (e.g., CVE-2009-2765 in DD-WRT and CVE-2020-25506 in D-Link devices) to drop the `binary.sh` downloader.
- Persistence: Not detailed in the report. Classic Mirai runs from memory and does not survive a reboot; it relies on rapidly reinfecting devices that remain unpatched, so a reboot alone gives only temporary relief.
- Privilege Escalation: Not specified. On most consumer IoT firmware the exploited management service already runs as root, so no separate escalation step is needed.
- Defense Evasion: Not specified in the report.
- Credential Access: Not specified in the report.
- Discovery: Infected devices scan for further vulnerable targets.
- Lateral Movement: Propagation by exploiting additional vulnerable IoT devices.
- Collection: Not applicable; no collection of data from compromised devices was reported.
- Exfiltration: Not observed; the activity focused on DDoS readiness.
- Impact: Formation of a large, remotely controllable botnet capable of high-volume DDoS attacks.
## Impact Assessment
- Financial: Not quantified in the scope of the ShadowV2 activity itself, though the associated AWS outage caused widespread disruption.
- Data Breach: No specific customer or sensitive data breach reported; impact was device compromise.
- Operational: Creation of a large-scale global botnet affecting IoT devices across multiple critical sectors.
- Reputational: Highlights ongoing security weaknesses in the global IoT ecosystem.
## Indicators of Compromise
- Network Indicators (C2 Source): 81[.]88[.]18[.]108 (Defanged)
- File Indicators: Downloader script named `binary.sh`; malware binaries whose filenames begin with "shadow".
- Behavioral Indicators: Device exhibiting traffic patterns consistent with DDoS preparation or execution, connecting to known C2 infrastructure.
## Response Actions
- Containment Measures: Not detailed in the report. The observed activity ended with the AWS outage, but that reflects the operator's choice, not a defensive action.
- Eradication Steps: Fortinet advised threat hunting with the published IOCs. For compromised devices, standard remediation is a firmware update to a patched version followed by a factory reset; a reset or reboot without the update leaves the device exploitable and likely to be reinfected.
- Recovery Actions: Updating firmware across all affected IoT hardware lines (DD-WRT, D-Link, DigiEver, TBK, TP-Link) to patch the exploited CVEs, then confirming that the devices no longer contact the C2 address.
## Lessons Learned
- IoT devices remain a significant weak link in the broader cybersecurity landscape.
- Attackers utilize widespread infrastructure disruptions (like major cloud outages) as windows of opportunity to conduct large-scale botnet operations or tests, potentially masking their activity.
- The "V1.0.0 IoT version" label carried by the malware indicates active development and deliberate targeting of embedded systems.
## Recommendations
- Immediately update firmware on all IoT devices, especially those from the affected vendors (DD-WRT, D-Link, DigiEver, TBK, TP-Link), so that the exploited CVEs are patched.
- Continuously monitor IoT device network traffic for anomalous outbound connections, in particular contact with known threat-actor infrastructure and Mirai-style outbound scanning of other hosts.
- Implement network segmentation to isolate IoT devices from critical internal resources.
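The following is an added example of the IOC-driven hunt that the Indicators of Compromise section and the monitoring recommendation above call for; it is not Fortinet's code and not part of the original report. It refangs the published C2 address, walks network flow logs, and flags hosts that contact the C2, fetch `binary.sh`, fetch a "shadow"-prefixed payload in C2 context, or show Mirai-style outbound scanning. The log line format, the sample log lines, and the scan threshold are constructed assumptions; adapt the regex to your own flow or proxy logs.

```python
import re
from collections import defaultdict

# Indicators from the report (defanged as published; refanged for matching).
C2_DEFANGED = "81[.]88[.]18[.]108"
DROPPER_NAME = "binary.sh"
BINARY_PREFIX = "shadow"
SCAN_THRESHOLD = 20  # distinct destinations on one port from one host (assumed tuning value)


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a literal that matches log data."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


C2_IP = refang(C2_DEFANGED)

# Assumed (constructed) flow-log line format:
#   <timestamp> <src_ip> -> <dst_ip>:<dst_port> <proto> <bytes> [<uri>]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[^:\s]+):(?P<dport>\d+) "
    r"(?P<proto>\S+) (?P<bytes>\d+)(?: (?P<uri>\S+))?$"
)


def parse_line(line: str):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def hunt(lines):
    """Return {src_ip: [reasons]} for hosts whose flows match the ShadowV2 IOCs
    or show Mirai-style outbound scanning (many destinations on one port)."""
    findings = defaultdict(list)
    fetched_dropper = set()      # hosts already seen downloading binary.sh
    fanout = defaultdict(set)    # (src, dport) -> distinct destinations
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        src, dst = rec["src"], rec["dst"]
        fname = (rec["uri"] or "").rsplit("/", 1)[-1]
        if dst == C2_IP:
            findings[src].append(f"contact with C2 {C2_IP}:{rec['dport']}")
        if fname == DROPPER_NAME:
            fetched_dropper.add(src)
            findings[src].append(f"fetched dropper {fname} from {dst}")
        elif fname.startswith(BINARY_PREFIX) and (dst == C2_IP or src in fetched_dropper):
            # A "shadow*" filename on its own is a weak signal (false positives such as
            # web assets), so require C2 context or a prior dropper download.
            findings[src].append(f"fetched payload {fname} from {dst}")
        fanout[(src, rec["dport"])].add(dst)
    for (src, dport), dsts in fanout.items():
        if len(dsts) >= SCAN_THRESHOLD:
            findings[src].append(f"outbound scan: {len(dsts)} hosts on port {dport}")
    return dict(findings)


# Constructed sample log: one infected camera-class host (10.0.5.21) and one benign host.
SAMPLE_LOG = [
    "2025-10-20T14:02:11Z 10.0.5.21 -> 81.88.18.108:80 tcp 1432 /binary.sh",
    "2025-10-20T14:02:15Z 10.0.5.21 -> 81.88.18.108:80 tcp 88120 /shadow.arm",
    "2025-10-20T14:05:09Z 10.0.5.40 -> 198.51.100.9:443 tcp 5210 /static/shadow-dom.js",
    "garbage line that does not parse",
] + [
    # Mirai-style propagation: the infected host probing 25 neighbours on port 23.
    f"2025-10-20T14:03:{i:02d}Z 10.0.5.21 -> 192.0.2.{i}:23 tcp 60" for i in range(1, 26)
]


def main():
    for src, reasons in hunt(SAMPLE_LOG).items():
        print(src)
        for reason in reasons:
            print("  -", reason)


if __name__ == "__main__":
    main()
```

Run as a script it prints one block per flagged host; in practice feed `hunt()` the lines of a flow or proxy export for the outage window and pivot on every host it returns. The "shadow" prefix match is deliberately gated on C2 context because the bare string is too common in benign web traffic to alert on alone.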