Advanced ShadowV2 DDoS-as-a-service botnet operating in the cloud
Cybersecurity researchers have uncovered a sophisticated Distributed Denial-of-Service (DDoS) operation known as the ShadowV2 botnet, identified by security vendor Darktrace. This operation blurs the line between traditional malware and modern Software-as-a-Service (SaaS) platforms. ShadowV2 offers attackers a professional login panel and a polished user interface that mirrors legitimate cloud-native applications. The platform is built on a FastAPI and Pydantic backend, complete with OpenAPI documentation, and features a front-end styled with Tailwind CSS animations. It is marketed as an “advanced attack platform” and includes role-based access controls, user management, and blacklists for protected targets. Despite its main domain displaying a fake law enforcement seizure notice, the underlying application programming interface endpoints remain fully operational. ShadowV2 provides advanced DDoS techniques, including HTTP/2 rapid reset floods and Cloudflare’s “under attack mode” bypass, enabling attackers to generate significant traffic.
The operation runs on a Python-based command-and-control framework hosted in GitHub CodeSpaces, leveraging Microsoft’s global infrastructure to conceal its activities. Targets include exposed Docker daemons on Amazon Web Services (AWS) EC2 instances, indicating that the operators possess detailed knowledge of cloud workload deployments. Darktrace first detected attacks against its honeypots on June 24, with malware samples appearing shortly afterwards on Google’s VirusTotal scanning service from sources in the United States and Canada. The sophistication of the software engineering is notable: the code uses environment variables for configuration, RESTful APIs with one-second heartbeats for bot management, and a modular design that allows rapid updates. By embedding their infrastructure within platforms like GitHub CodeSpaces, the operators complicate attribution and takedown efforts, raising the bar for defenders. Traditional signature-based security tools struggle against adversaries who adopt cloud-native architectures and professional development practices.
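The one-second REST heartbeat described above is a behavioural signal a defender can look for in flow or proxy logs even when signatures fail. The following Python is an added example, not code from Darktrace's report or from ShadowV2 itself; the flow records, field layout and thresholds are constructed assumptions for illustration.

```python
"""Flag (src, dst, port) pairs whose connection timing looks like a fixed-interval heartbeat."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow records: (timestamp_seconds, src_ip, dst_ip, dst_port).
# The beaconing host 10.0.1.5 connects roughly once per second; 10.0.1.9 browses irregularly.
SAMPLE_FLOWS = [
    (1000.00, "10.0.1.5", "203.0.113.7", 443),
    (1000.00, "10.0.1.9", "198.51.100.20", 443),
    (1001.02, "10.0.1.5", "203.0.113.7", 443),
    (1001.99, "10.0.1.5", "203.0.113.7", 443),
    (1003.01, "10.0.1.5", "203.0.113.7", 443),
    (1003.70, "10.0.1.9", "198.51.100.20", 443),
    (1004.00, "10.0.1.5", "203.0.113.7", 443),
    (1004.10, "10.0.1.9", "198.51.100.20", 443),
    (1005.02, "10.0.1.5", "203.0.113.7", 443),
    (1012.90, "10.0.1.9", "198.51.100.20", 443),
    (1013.20, "10.0.1.9", "198.51.100.20", 443),
    (1030.50, "10.0.1.9", "198.51.100.20", 443),
    (1031.00, "10.0.1.12", "192.0.2.33", 80),   # too few records to judge
    (1032.00, "10.0.1.12", "192.0.2.33", 80),
]


def beacon_candidates(flows, expected_interval=1.0, tolerance=0.25,
                      min_count=5, max_cv=0.10):
    """Return pairs whose inter-connection gaps cluster tightly around expected_interval.

    max_cv bounds the coefficient of variation (stdev / mean) of the gaps, so bursty
    human traffic with the same average rate is not flagged.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port in flows:
        by_pair[(src, dst, port)].append(ts)

    hits = []
    for (src, dst, port), times in by_pair.items():
        if len(times) < min_count:          # not enough samples for a stable estimate
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        if abs(avg - expected_interval) <= tolerance and cv <= max_cv:
            hits.append({"src": src, "dst": dst, "port": port, "count": len(times),
                         "mean_gap": round(avg, 3), "cv": round(cv, 3)})
    return hits
```

Running `beacon_candidates(SAMPLE_FLOWS)` flags only the 10.0.1.5 to 203.0.113.7 pair; on real data, pair the hit with the destination's hosting provider to weigh it, since the report notes the C2 sat on legitimate Microsoft infrastructure.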