
ShadowV2 botnet malware activity against AWS Docker containers

Malware Activity

Summary


ShadowV2 is now being used as a DDoS-for-hire botnet that turns misconfigured Docker containers on AWS into attack nodes, increasing the risk of large-scale denial-of-service attacks. The malware was detected on June 24, 2025 and uses a Go-based payload to take control of infected systems. Its operator stack includes a Python-based C2 framework on GitHub Codespaces and tooling for HTTP/2 Rapid Reset and a Cloudflare UAM bypass. The combination of container abuse, remote command execution, and rental-style access makes the operation a scalable criminal service rather than a one-off infection.

Related Happenings

EtherRAT malicious MSI loader with Ethereum-based C2

Malware Activity
First: 30.04.2026 14:30 Last: 30.04.2026 14:30 Sources 1

About this happening: The **EtherRAT** malware is being delivered through **malicious MSI installers** and gives attackers **persistent Windows access**, increasing the risk of covert control inside en...

TeamPCP cloud-native exploitation campaign

Campaign
First: 09.02.2026 10:37 Last: 09.02.2026 10:37 Sources 1

About this happening: **TeamPCP** is a **cloud-native supply-chain campaign** that abuses exposed **Docker APIs**, **Kubernetes clusters**, **Ray dashboards**, **Redis servers**, and **React2Shell (CVE...

Latest development: 23.03.2026 10:31

Researchers uncovered malicious Trivy Docker Hub image tags 0.69.4, 0.69.5, and 0.69.6 tied to TeamPCP; 0.69.5 and 0.69.6 were pushed on March 22 without corresponding GitHub releases or tags. The same reporting says TeamPCP used a compromised service account token to deface all 44 internal repositories in Aqua Security's aquasec-com GitHub organization by renaming them with the tpcp-docs- prefix and exposing them publicly.

React/Next.js applications React2Shell RCE flaw (CVE-2025-55182)

Vulnerability
First: 09.02.2026 10:37 Last: 09.02.2026 10:37 Sources 1

About this happening: **React2Shell (CVE-2025-55182)** is being **heavily exploited** in **React Server Components (RSC)**, with Huntress observing attackers deliver **cryptocurrency miners** and new m...

Latest development: 09.03.2026 23:45

Google reports that newly disclosed third-party flaws are increasingly being exploited for initial access to cloud environments, with React2Shell (CVE-2025-55182) and CVE-2025-24893 highlighted as frequent RCE examples. The report says attackers are weaponizing new flaws within days, with cryptominers observed within 48 hours of vulnerability disclosure.

AISURU/Kimwolf hyper-volumetric DDoS botnet activity

Malware Activity
First: 05.02.2026 19:25 Last: 05.02.2026 19:25 Sources 1

About this happening: The **AISURU/Kimwolf** botnet is a **malware activity** cluster tied to **hyper-volumetric DDoS attacks** and large-scale device conscription. On **2025-12-04**, Cloudflare said i...

Latest development: 20.03.2026 08:25

The U.S. Department of Justice disrupted command-and-control infrastructure used by AISURU, Kimwolf, JackSkid, and Mossad in a court-authorized law-enforcement operation, with support from Akamai, Amazon Web Services, Cloudflare, DigitalOcean, Google, Lumen, Nokia, Okta, Oracle, PayPal, SpyCloud, Synthient, Team Cymru, Unit 221B, and QiAnXin XLab.

Aisuru/Kimwolf botnet record DDoS campaign against telecommunications and IT companies

Campaign
First: 29.01.2026 16:55 Last: 29.01.2026 16:55 Sources 1

About this happening: The **Aisuru/Kimwolf botnet** campaign expanded in **late 2025** with **Kimwolf**, a **DDoS botnet** compiled using the **NDK**, and evidence linking it to **AISURU** through shar...

Latest development: 20.03.2026 02:49

The U.S. Justice Department, with authorities in Canada and Germany, dismantled infrastructure behind Aisuru, Kimwolf, JackSkid and Mossad, seized U.S.-registered domains and virtual servers used in DDoS attacks against DoD Internet addresses, and said the action was intended to prevent further infections and future attacks.

Timeline

  1. 23.09.2025 14:26 1 article · 8mo ago

    ShadowV2 malware detected on AWS honeypots

    Detection IoC Update

    Darktrace detected ShadowV2 malware targeting its honeypots on June 24, 2025, showing the botnet’s focus on misconfigured Docker containers on AWS cloud servers and its use of a Go-based payload to turn infected systems into DDoS attack nodes.

  2. 23.09.2025 14:26 2 articles · 8mo ago

    ShadowV2 disclosed as a DDoS-for-hire botnet

    Initial Disclosure

    Researchers disclosed ShadowV2 as a DDoS-for-hire botnet that targets misconfigured Docker containers on AWS EC2 and AWS cloud servers, stages a Python-based C2 framework on GitHub Codespaces, and combines a Python spreader, Go-based RAT, HTTP/2 Rapid Reset, Cloudflare Under Attack mode bypass attempts, and a FastAPI and Pydantic operator interface to support rental-style attacks.
