ShadowV2 cloud-native DDoS botnet activity
Malware Activity
Summary
The ShadowV2 DDoS-for-hire botnet is actively being used against websites, and its cloud-native design makes it harder to detect and disrupt. It targets Internet-exposed Docker daemons on AWS EC2 and uses a setup-container workflow to hide inside legitimate-looking infrastructure. The platform supports HTTP/2 rapid resets, large-scale HTTP floods, and a Cloudflare Under Attack Mode (UAM) bypass, increasing its effectiveness against protected sites. Observed command activity shows the service is not just theoretical but in active use.
Related Happenings
Xlabs_v1 Mirai-derived ADB DDoS botnet
Malware Activity
First: 06.05.2026 23:21
Last: 06.05.2026 23:21
Sources 1
About this happening:
The **xlabs_v1** Mirai-derived botnet has been exposed as a **DDoS** tool that abuses **Android Debug Bridge (ADB)** on internet-facing devices, expanding risk to **Android**, rou...
ComfyUI cryptomining and proxy botnet campaign targeting exposed instances
Campaign
First: 07.04.2026 15:46
Last: 07.04.2026 15:46
Sources 1
About this happening:
An **active ComfyUI campaign** is scanning exposed instances, exploiting unsafe custom nodes, and enlisting compromised hosts into a **cryptomining and proxy botnet**. The operati...
Kimwolf IoT botnet activity disrupting I2P
Malware Activity
First: 11.02.2026 18:08
Last: 11.02.2026 18:08
Sources 1
About this happening:
The **Kimwolf** botnet disrupted **I2P** over the past week after operators tried to join **700,000 infected bots** as nodes, briefly overwhelming the anonymity network and disrup...
React/Next.js applications React2Shell RCE flaw (CVE-2025-55182)
Vulnerability
First: 09.02.2026 10:37
Last: 09.02.2026 10:37
Sources 1
About this happening:
**React2Shell (CVE-2025-55182)** is being **heavily exploited** in **React Server Components (RSC)**, with Huntress observing attackers deliver **cryptocurrency miners** and new m...
Latest development: 09.03.2026 23:45
Google reports that newly disclosed third-party flaws are increasingly being exploited for initial access to cloud environments, with React2Shell (CVE-2025-55182) and CVE-2025-24893 highlighted as frequent RCE examples. The report says attackers are weaponizing new flaws within days, with cryptominers observed within 48 hours of vulnerability disclosure.
AISURU/Kimwolf hyper-volumetric DDoS botnet activity
Malware Activity
First: 05.02.2026 19:25
Last: 05.02.2026 19:25
Sources 1
About this happening:
The **AISURU/Kimwolf** botnet is a **malware activity** cluster tied to **hyper-volumetric DDoS attacks** and large-scale device conscription. On **2025-12-04**, Cloudflare said i...
Latest development: 20.03.2026 08:25
The U.S. Department of Justice disrupted command-and-control infrastructure used by AISURU, Kimwolf, JackSkid, and Mossad in a court-authorized law-enforcement operation, with support from Akamai, Amazon Web Services, Cloudflare, DigitalOcean, Google, Lumen, Nokia, Okta, Oracle, PayPal, SpyCloud, Synthient, Team Cymru, Unit 221B, and QiAnXin XLab.
Timeline
- 23.09.2025 23:35 · 2 articles · 8mo ago
Darktrace uncovers ShadowV2 DDoS botnet
Initial Disclosure: Darktrace identified ShadowV2 after activity hit its AWS EC2 honeypots, and subsequent analysis linked the botnet to Internet-exposed Docker daemons on AWS EC2, a setup-container deployment flow, OpenAPI-based controls, and DDoS functions including HTTP/2 rapid resets, large-scale HTTP floods, and a Cloudflare Under Attack Mode bypass. The analysis also found a Python script hosted on GitHub Codespaces using the Python Docker SDK to manage container deployment, configuration, and launching, and Darktrace said it observed commands to launch attacks against at least one website, showing active use.
- Exposed Docker Daemons Fuel DDoS Botnet — www.darkreading.com — 23.09.2025 23:35
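Both the summary and the Darktrace timeline entry give the botnet's entry point as Internet-exposed Docker daemons, so the most useful defender-side check on a fleet of EC2 hosts is an audit of how `dockerd` is actually listening. The script below is an added example written for this page; it is not code from Darktrace, Dark Reading or the ShadowV2 analysis. It reads the `hosts` list from `daemon.json` and the `-H`/`--host` and `--tlsverify` flags from the `dockerd` command line (both are documented Docker settings) and flags any TCP listener that is neither bound to loopback nor protected by client-certificate verification. The sample configurations embedded in it are constructed for illustration.

```python
"""Audit a Docker daemon's listeners for unauthenticated TCP exposure.

Added example for defenders (not code from the ShadowV2 analysis).  A
Docker API reachable without authentication gives the caller
root-equivalent control of the host, which is the exposure the
ShadowV2 operators are reported to look for.
"""
import json
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
DEFAULT_HOST = "unix:///var/run/docker.sock"  # dockerd default when no -H is given


@dataclass
class Finding:
    listener: str
    severity: str
    reason: str


def parse_listener(host: str) -> Tuple[str, str, Optional[str]]:
    """Split a dockerd host spec into (scheme, address, port).

    'tcp://' with no address means all interfaces on 2375 (dockerd default).
    IPv6 literals are bracketed, e.g. tcp://[::]:2375.
    """
    scheme, _, rest = host.partition("://")
    if scheme != "tcp":
        return scheme, rest, None
    if rest.startswith("["):
        addr, _, port = rest[1:].partition("]:")
    else:
        addr, _, port = rest.rpartition(":")
    return scheme, addr or "0.0.0.0", port or "2375"


def audit_daemon(daemon_json: str, dockerd_cmdline: str) -> List[Finding]:
    """Return one Finding per risky listener from daemon.json plus dockerd flags."""
    cfg = json.loads(daemon_json) if daemon_json.strip() else {}
    hosts = list(cfg.get("hosts", []))
    tls_verify = bool(cfg.get("tlsverify", False))

    # Listeners can also come from the command line; merge both sources.
    argv = shlex.split(dockerd_cmdline)
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])
            i += 2
            continue
        if arg.startswith("--host="):
            hosts.append(arg.split("=", 1)[1])
        elif arg in ("--tlsverify", "--tlsverify=true"):
            tls_verify = True
        i += 1

    if not hosts:
        hosts = [DEFAULT_HOST]

    findings: List[Finding] = []
    for host in hosts:
        scheme, addr, port = parse_listener(host)
        if scheme in ("unix", "fd", "npipe"):
            continue  # local-only transports, governed by file permissions
        if scheme != "tcp":
            findings.append(Finding(host, "info", f"unrecognised scheme {scheme!r}"))
        elif addr in LOOPBACK:
            findings.append(Finding(host, "low",
                "TCP listener bound to loopback; local users reach the API without auth"))
        elif tls_verify:
            findings.append(Finding(host, "medium",
                f"TLS client-cert protected API on {addr}:{port}; keep it firewalled"))
        else:
            findings.append(Finding(host, "critical",
                f"unauthenticated Docker API reachable on {addr}:{port}"))
    return findings


# Constructed sample inputs (not from any real host).
SAMPLE_EXPOSED = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
SAMPLE_HARDENED = ('{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],'
                   ' "tlsverify": true, "tlscacert": "/etc/docker/ca.pem"}')
SAMPLE_CMDLINE = "dockerd -H unix:///var/run/docker.sock -H tcp://127.0.0.1:2375"

if __name__ == "__main__":
    for label, cfg, cmd in (("exposed", SAMPLE_EXPOSED, ""),
                            ("hardened", SAMPLE_HARDENED, ""),
                            ("loopback", "", SAMPLE_CMDLINE)):
        for f in audit_daemon(cfg, cmd):
            print(f"[{label}] {f.severity:8} {f.listener}: {f.reason}")
```

On a real host the two inputs come from `/etc/docker/daemon.json` and the running `dockerd` process's command line. Even a `medium` result deserves a security-group rule limiting who can reach 2376, since certificate-authenticated APIs are still a remote root-equivalent surface.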