ShadowV2 Mirai-based IoT botnet activity

Malware Activity
Happening score: 44
1 unique source, 1 article

Summary

The Mirai-based botnet ShadowV2 was observed targeting IoT devices from D-Link, TP-Link, and other vendors, creating DDoS risk across exposed systems. Researchers linked the activity to known vulnerabilities, a downloader script, and command-driven attacks over UDP, TCP, and HTTP. The botnet was seen during the October AWS outage window and appears to have been active only briefly, which may indicate a test run.

Related Happenings

Mirai-based CVE-2025-29635 D-Link DIR-823X botnet-enlistment campaign

Campaign
First: 22.04.2026 23:04 Last: 22.04.2026 23:04 Sources 1

About this happening: The **Mirai-based malware campaign** is **actively exploiting CVE-2025-29635** against **D-Link DIR-823X routers**, turning vulnerable devices into botnet nodes. The activity matt...

TBK DVR command injection flaw actively exploited (CVE-2024-3721)

Vulnerability
First: 20.04.2026 16:01 Last: 20.04.2026 16:01 Sources 1

About this happening: The **CVE-2024-3721** command injection flaw in **TBK DVR systems** is being actively exploited to gain access and install **Nexcorium** malware. Attackers abuse **crafted request...

Nexcorium Mirai botnet activity on TBK DVR devices

Malware Activity
First: 18.04.2026 09:01 Last: 18.04.2026 09:01 Sources 1

About this happening: **Nexcorium**, a **Mirai variant**, is now being deployed against **TBK DVR-4104** and **DVR-4216** devices by exploiting **CVE-2024-3721**, turning compromised IoT hardware into...

AVRecon malware for Linux powering SocksEscort proxy network

Malware Activity
First: 12.03.2026 18:19 Last: 12.03.2026 18:19 Sources 1

About this happening: The **AVRecon** malware for Linux powered the **SocksEscort** proxy network, turning compromised **Linux-based SOHO routers** into traffic-routing nodes at scale. It was believed...

AISURU/Kimwolf hyper-volumetric DDoS botnet activity

Malware Activity
First: 05.02.2026 19:25 Last: 05.02.2026 19:25 Sources 1

About this happening: The **AISURU/Kimwolf** botnet is a **malware activity** cluster tied to **hyper-volumetric DDoS attacks** and large-scale device conscription. On **2025-12-04**, Cloudflare said i...

Latest development: 20.03.2026 08:25

The U.S. Department of Justice disrupted command-and-control infrastructure used by AISURU, Kimwolf, JackSkid, and Mossad in a court-authorized law-enforcement operation, with support from Akamai, Amazon Web Services, Cloudflare, DigitalOcean, Google, Lumen, Nokia, Okta, Oracle, PayPal, SpyCloud, Synthient, Team Cymru, Unit 221B, and QiAnXin XLab.

Timeline

  1. 27.11.2025 00:24 · 2 articles

    ShadowV2 observed targeting IoT devices during the October AWS outage

    Initial Disclosure

    FortiGuard Labs researchers observed the Mirai-based botnet ShadowV2 targeting D-Link, TP-Link, and other IoT devices during the major AWS outage in October; the activity lasted only for the outage window, suggesting a possible test run. The botnet spread by leveraging at least eight known vulnerabilities across DD-WRT, D-Link, DigiEver, TBK, and TP-Link devices, originated from 198[.]199[.]72[.]27, and used a downloader script, binary.sh, to fetch payloads from 81[.]88[.]18[.]108. ShadowV2 identifies itself as "ShadowV2 Build v1.0.0 IoT version" and supports DDoS attacks over UDP, TCP, and HTTP. Fortinet shared IoCs to help defenders identify exposed devices, including end-of-life D-Link models that will not receive firmware fixes and TP-Link systems associated with CVE-2024-53375.