Full Report
A new Mirai-based botnet malware named 'ShadowV2' has been observed targeting IoT devices from D-Link, TP-Link, and other vendors with exploits for known vulnerabilities. [...]
Analysis Summary
# Tool/Technique: ShadowV2 Botnet
## Overview
ShadowV2 is a newly identified botnet malware based on the Mirai family. It targets Internet of Things (IoT) devices, including D-Link and TP-Link products, by exploiting known vulnerabilities in firmware that has not been patched (or, for end-of-life models, cannot be). Its activity was observed during a major AWS outage, which suggests a test run rather than a live campaign.
## Technical Details
- Type: Malware (Botnet)
- Platform: Linux-based IoT devices (routers, NAS devices, DVRs) from D-Link, TP-Link, and DigiEver, plus devices running DD-WRT firmware.
- Capabilities: DDoS attacks using UDP, TCP, and HTTP flood types; scanning and exploitation of vulnerable devices for propagation. Credential brute-forcing is inferred from the Mirai lineage but not confirmed in the article.
- First Seen: October 2025, during the major AWS outage (the year is inferred from the article date).
## MITRE ATT&CK Mapping
*Note: Mappings are inferred from the malware's nature (an IoT botnet that exploits vulnerabilities for remote execution and control) and from known Mirai behaviour; only T1190, the downloader and the DDoS capability are stated outright in the article.*
- **TA0043 - Reconnaissance / TA0007 - Discovery** (inferred: Mirai-style scanning of the internet for exposed, vulnerable devices is propagation, not lateral movement inside a victim network)
  - T1595.002 - Active Scanning: Vulnerability Scanning
  - T1046 - Network Service Discovery
- **TA0001 - Initial Access**
  - T1190 - Exploit Public-Facing Application
    - *Relevant CVEs exploited by ShadowV2:* CVE-2009-2765, CVE-2020-25506, CVE-2022-37055, CVE-2024-10914, CVE-2024-10915, CVE-2023-52163, CVE-2024-3721, CVE-2024-53375
- **TA0002 - Execution**
  - T1059.004 - Command and Scripting Interpreter: Unix Shell (the `binary.sh` downloader)
- **TA0011 - Command and Control**
  - T1105 - Ingress Tool Transfer (main payload retrieved from the download host)
  - T1071.001 - Application Layer Protocol: Web Protocols (HTTP used by the downloader and for C2 communication)
- **TA0040 - Impact**
  - T1498.001 - Network Denial of Service: Direct Network Flood (UDP, TCP and HTTP floods)
## Functionality
### Core Capabilities
* **Infection Vector:** Exploits at least eight known vulnerabilities (listed under the ATT&CK mapping above) across several IoT product lines.
* **Delivery Mechanism:** An initial-access downloader script named **binary.sh** retrieves the main malware payload from the Command and Control (C2) infrastructure.
* **Self-Identification:** Identifies itself as "ShadowV2 Build v1.0.0 IoT version."
* **DDoS Operations:** Launches distributed denial-of-service attacks using several UDP, TCP, and HTTP flood types.
### Advanced Features
* **Mirai Lineage:** Resembles the **Mirai LZRD variant**, which suggests it inherits common Mirai functionality such as telnet brute-forcing with hardcoded credential lists (not explicitly detailed in the article).
* **Obfuscation:** Stores sensitive configuration strings (filesystem paths, User-Agent strings, HTTP headers, and other Mirai-style strings) **XOR-encoded**, consistent with Mirai's obfuscated string table, to defeat naive string extraction and hinder static analysis.
* **Global Reach:** Attacks were observed globally across North/South America, Europe, Africa, Asia, and Australia, targeting sectors like government, technology, and MSSPs.
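The following script is an added example, not code from ShadowV2 or from the article, showing how the Mirai-style XOR obfuscation described above is undone. It assumes the scheme used in Mirai's `table.c`, where a 32-bit key is applied to each byte one key byte at a time, so the four XORs collapse into a single-byte XOR; it uses the classic Mirai key 0xDEADBEEF on a constructed string table. ShadowV2's real key and table contents are not given in the article; only the self-identification string is.

```python
"""Recover and decode a Mirai-style XOR-obfuscated string table.

Added example. Key, table layout and sample strings are assumptions;
the article only states that ShadowV2 XOR-encodes its configuration
strings in the Mirai manner.
"""


def effective_key(key32: int) -> int:
    """Mirai XORs every byte with the four key bytes in turn, which is the
    same as one XOR with the four bytes folded together."""
    k = 0
    for shift in (0, 8, 16, 24):
        k ^= (key32 >> shift) & 0xFF
    return k


def xor_bytes(buf: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in buf)


def mirai_table_encode(strings, key32: int) -> bytes:
    """Pack NUL-terminated strings and obfuscate them the Mirai way."""
    k = effective_key(key32)
    return b"".join(xor_bytes(s + b"\x00", k) for s in strings)


# Cribs found in practically every Mirai-derived table. A hit on any of
# them pins the single-byte key without knowing the 32-bit constant.
CRIBS = (b"/proc/", b"/dev/watchdog", b"User-Agent:", b"HTTP/1.1")


def recover_key(blob: bytes):
    """Brute-force the 256 possible single-byte keys; return the first one
    that reveals a known crib, or None if nothing matches."""
    for key in range(256):
        plain = xor_bytes(blob, key)
        if any(crib in plain for crib in CRIBS):
            return key
    return None


def decode_table(blob: bytes, key: int):
    """Decode the blob and split it back into its NUL-terminated entries."""
    plain = xor_bytes(blob, key)
    return [entry for entry in plain.split(b"\x00") if entry]


# Constructed sample (not recovered from a real ShadowV2 binary): the kinds
# of strings the article says are XOR-encoded, plus the self-identification
# string it quotes, packed with the classic Mirai key 0xDEADBEEF.
SAMPLE_STRINGS = [
    b"/proc/",
    b"/dev/watchdog",
    b"User-Agent: Mozilla/5.0 (X11; Linux x86_64)",
    b"Connection: keep-alive",
    b"ShadowV2 Build v1.0.0 IoT version",
]
SAMPLE_BLOB = mirai_table_encode(SAMPLE_STRINGS, 0xDEADBEEF)

if __name__ == "__main__":
    key = recover_key(SAMPLE_BLOB)
    print(f"recovered single-byte key: 0x{key:02x}")
    for entry in decode_table(SAMPLE_BLOB, key):
        print("  ", entry.decode())
```

Because the four key bytes are applied sequentially, the obfuscation is only ever a single-byte XOR; a 256-key brute force, or a YARA string with the `xor` modifier, is enough to find the plaintext strings, and the 32-bit constant itself never needs to be recovered.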
## Indicators of Compromise
- File Hashes: [Not specified in the article]
- File Names: **binary.sh** (Downloader script)
- Registry Keys: [Not applicable/specified for Linux/IoT targets]
- Network Indicators:
- Initial Access/Source IP: 198[.]199[.]72[.]27 (Defanged)
- C2 Server IP (Downloader host): 81[.]88[.]18[.]108 (Defanged)
- Behavioral Indicators: An IoT device running a shell-script downloader (`binary.sh`) that fetches and executes further payloads; XOR-encoded configuration strings typical of Mirai derivatives in the sample; bursts of outbound UDP, TCP, or HTTP flood traffic from the device.
## Associated Threat Actors
* The threat actor behind ShadowV2 is **unknown**. The activity seen during the AWS outage is assessed as a test run rather than a monetized campaign.
## Detection Methods
- Signature-based detection: Alert on or block the identified addresses at the perimeter (inbound from 198[.]199[.]72[.]27, outbound to 81[.]88[.]18[.]108); add hashes for `binary.sh` and the payload once they are published.
- Behavioral detection: In-process monitoring is rarely possible on IoT devices, so watch the network edge: an IoT device fetching a shell script such as `binary.sh` over HTTP and then pulling the payload that script requests; sustained high-rate outbound UDP, TCP, or HTTP traffic from one device to a single target (DDoS participation). Where a sample is available, a single-byte XOR brute force over the binary recovers the Mirai-style string table and exposes the obfuscated paths, User-Agent and header strings for signature writing.
- YARA rules: [Not available in the article]
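The network-side checks above, applied to constructed firewall log lines, as an added example (not from the article or any vendor tool). The log format, the internal addresses, the victim addresses and the flood threshold are assumptions; only the two IP addresses and the `binary.sh` name come from the article.

```python
"""Detect ShadowV2-style behaviour in flow logs: IoC contact, downloader
fetch, and outbound flood. Added example with a constructed log format."""

from collections import Counter

# Network IoCs quoted in the article, re-fanged so they match log fields.
IOC_IPS = {"198.199.72.27", "81.88.18.108"}
DOWNLOADER_NAME = "binary.sh"
# Packets per second from one host to one target above which we call it a
# flood. Assumed value; tune it to the site's normal traffic.
FLOOD_PPS_THRESHOLD = 100


def parse_line(line: str) -> dict:
    """Parse one 'ts key=value ...' record (constructed format) into a dict."""
    ts, _, rest = line.partition(" ")
    fields = dict(tok.split("=", 1) for tok in rest.split())
    fields["ts"] = ts
    return fields


def detect(lines):
    """Return alert tuples for the three behaviours, in detection order."""
    alerts = []
    pps = Counter()
    for line in lines:
        f = parse_line(line)
        # 1. Any contact with a published IoC address, in either direction.
        if f["src"] in IOC_IPS or f["dst"] in IOC_IPS:
            alerts.append(("ioc_ip", f["src"], f["dst"]))
        # 2. A device pulling the shell-script downloader over HTTP.
        if f.get("uri", "").rsplit("/", 1)[-1] == DOWNLOADER_NAME:
            alerts.append(("downloader_fetch", f["src"], f["dst"]))
        # 3. Packet counts per (source, target, protocol, second) for the
        #    flood check; flow records carry a pkts field, default 1.
        pps[(f["src"], f["dst"], f["proto"], f["ts"])] += int(f.get("pkts", "1"))
    reported = set()
    for (src, dst, proto, ts), n in sorted(pps.items()):
        if n >= FLOOD_PPS_THRESHOLD and (src, dst, proto) not in reported:
            reported.add((src, dst, proto))
            alerts.append(("outbound_flood", src, dst, proto, n))
    return alerts


# Constructed sample log. 192.168.50.0/24 is the assumed IoT segment;
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in
# for external hosts.
SAMPLE_LOG = [
    # inbound exploit attempt from the article's source IP against a router
    "2025-10-20T14:02:09Z src=198.199.72.27 dst=192.168.50.23 proto=tcp dport=80 pkts=3",
    # the router fetching the downloader from the article's download host
    "2025-10-20T14:02:11Z src=192.168.50.23 dst=81.88.18.108 proto=tcp dport=80 uri=/binary.sh pkts=8",
    # unrelated benign traffic from another device
    "2025-10-20T14:02:12Z src=192.168.50.40 dst=203.0.113.7 proto=tcp dport=443 pkts=12",
]
# UDP flood from the infected router: 30 flow records of 10 packets each,
# all within the same second (300 pps towards one target).
SAMPLE_LOG += [
    "2025-10-20T14:03:00Z src=192.168.50.23 dst=198.51.100.9 proto=udp dport=53 pkts=10"
    for _ in range(30)
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The flood check deliberately keys on a single target per second rather than on total egress, because a router doing a firmware download or a backup also produces high volume but to a legitimate host; the IoC and downloader checks are what tie a noisy device back to this specific campaign.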
## Mitigation Strategies
- Prevention measures: Apply current firmware to every targeted model (D-Link, TP-Link, and others) without delay, and do not expose device management interfaces to the internet, since the exploited bugs sit in those public-facing services. Devices on End-of-Life (EoL) or End-of-Support firmware must be isolated or replaced: vendors have confirmed they will not issue fixes (e.g., for certain D-Link CVEs).
- Hardening recommendations: Place IoT devices on their own network segment with egress limited to what they need; use strong, unique passwords (to blunt Mirai-style brute forcing, where applicable); and monitor outbound traffic for sustained high-volume UDP/TCP/HTTP requests that indicate DDoS participation.
## Related Tools/Techniques
* **Mirai:** Directly stated as the base for ShadowV2, sharing functional resemblance to the **Mirai LZRD variant**.
* Other IoT Botnets utilizing vulnerability exploitation for initial access (e.g., Mozi, Gafgyt).