ShadowV2 and AWS: The Rise of Cloud-Native DDoS-for-Hire Attacks

ShadowV2 abuses exposed Docker daemons on AWS to deliver DDoS-for-hire attacks.

Written By
Ken Underhill
Sep 25, 2025

Cybercrime continues to evolve as malicious actors adopt cloud-native technologies to expand the reach and sophistication of their operations. 

In September 2025, researchers at Darktrace reported on ShadowV2, a botnet that compromises Amazon Web Services (AWS) hosts by abusing Docker daemon APIs exposed to the internet, then delivers distributed denial-of-service (DDoS) attacks as a for-hire service. The weakness is a misconfiguration rather than a Docker vulnerability: the daemon's remote API was reachable without authentication.

Unlike traditional botnets, ShadowV2 integrates modern development frameworks, containerization, and modular command structures, making it a more advanced cybercrime-as-a-service platform.

Outlining the attack architecture

At the core of the ShadowV2 campaign lies a Python-based command-and-control (C2) framework hosted on GitHub Codespaces. 

Darktrace researchers identified that the malware spreads via a Python-based module that scans for exposed Docker daemons, particularly on AWS Elastic Compute Cloud (EC2) instances. An unauthenticated Docker API gives the attacker the ability to create and run containers, which on a default installation is equivalent to root on the host.

Instead of deploying a pre-built image, the attackers first launch a generic Ubuntu container, install tools inside it, and then build a custom image directly on the victim system. This unusual approach may be designed to reduce forensic artifacts left behind on compromised machines. For defenders, the telltale sequence is a container created from a stock base image, followed shortly by package installation and an image build on a host that normally only runs pre-built workloads.

The final payload is a Go-based Remote Access Trojan (RAT), executed inside the container. This binary communicates with its C2 infrastructure, shadow.aurozacloud[.]xyz, over HTTP, sending heartbeat messages and polling for new commands. Each infected instance is assigned a unique identifier, which lets the operators track a given host across reinfection or system restarts rather than counting it as a new bot.

What sets ShadowV2 apart is its sophisticated attack toolkit. The botnet can conduct large-scale HTTP floods, HTTP/2 rapid reset attacks, and even attempts to bypass Cloudflare’s “Under Attack Mode” (UAM) using a bundled ChromeDP tool to solve JavaScript challenges.

Although this UAM bypass is unlikely to succeed consistently due to headless browser detection, its inclusion reflects a growing emphasis on layered evasion techniques.

The HTTP/2 rapid reset capability is particularly concerning. The client opens a stream with a HEADERS frame and immediately cancels it with RST_STREAM, repeating this thousands of times over a single connection. Because a cancelled stream no longer counts against the server's concurrent-stream limit, the client can keep opening new ones while the server has already committed resources to each request. The technique, disclosed in 2023 as CVE-2023-44487, is asymmetric rather than a classic reflection amplification: the attacker's cost per request is a few bytes, the server's is a full request setup. It highlights the trend of attackers weaponizing legitimate protocol features against the systems that implement them.
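To make the mechanics concrete, the following added example (not code from Darktrace's report or from ShadowV2) parses the HTTP/2 frame layer from RFC 9113 and scores one connection for rapid reset behaviour: it records when each client stream was opened by HEADERS and when it was cancelled by RST_STREAM, and flags the connection when the peak rate of near-immediate cancellations exceeds a threshold. The traffic is constructed in-process, and the thresholds and sample values are illustrative assumptions, not figures from the report.

```python
"""Detect HTTP/2 rapid reset on a captured connection by parsing the frame layer.

Added example (not from Darktrace's report or ShadowV2). It decodes the
9-byte HTTP/2 frame header from RFC 9113, tracks when each client stream
was opened (HEADERS) and cancelled (RST_STREAM), and flags a connection
whose rate of immediate cancellations exceeds a threshold. Traffic is
constructed in-process; the thresholds are illustrative assumptions.
"""
import struct

HEADERS, RST_STREAM = 0x1, 0x3
END_HEADERS = 0x4              # flag bit on a HEADERS frame
CANCEL = 0x8                   # RST_STREAM error code rapid-reset clients send
GET_ROOT_HPACK = b"\x82\x84"   # HPACK static-table indexes: ":method GET", ":path /"


def encode_frame(ftype, flags, stream_id, payload=b""):
    """Frame = 24-bit length | 8-bit type | 8-bit flags | 1 reserved bit + 31-bit id."""
    header = len(payload).to_bytes(3, "big") + bytes([ftype, flags])
    return header + struct.pack("!I", stream_id & 0x7FFFFFFF) + payload


def parse_frames(data):
    """Return (type, flags, stream_id, payload) tuples; stops at a truncated frame."""
    frames, off = [], 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = struct.unpack("!I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) < length:
            break
        frames.append((ftype, flags, stream_id, payload))
        off += 9 + length
    return frames


def analyze_connection(records, max_rapid_resets_per_sec=100, rapid_ms=50):
    """records: [(timestamp_seconds, frame_bytes), ...] seen on one TCP connection.

    A reset is "rapid" when RST_STREAM follows the stream's HEADERS within
    rapid_ms. The verdict uses the peak count of rapid resets in any
    one-second window (assumed threshold), which is the pattern that is
    cheap for the client and expensive for the server.
    """
    opened, rapid = {}, []
    headers = resets = cancels = 0
    for t, raw in records:
        for ftype, _flags, sid, payload in parse_frames(raw):
            if sid == 0 or sid % 2 == 0:
                continue  # connection-level frames and server-pushed streams
            if ftype == HEADERS:
                headers += 1
                opened.setdefault(sid, t)
            elif ftype == RST_STREAM and len(payload) == 4:
                resets += 1
                if struct.unpack("!I", payload)[0] == CANCEL:
                    cancels += 1
                t_open = opened.get(sid)
                if t_open is not None and (t - t_open) * 1000 <= rapid_ms:
                    rapid.append(t)
    peak, lo = 0, 0
    for hi, t in enumerate(rapid):          # sliding one-second window
        while t - rapid[lo] > 1.0:
            lo += 1
        peak = max(peak, hi - lo + 1)
    return {"headers": headers, "resets": resets, "cancels": cancels,
            "peak_rapid_resets_per_sec": peak,
            "abusive": peak > max_rapid_resets_per_sec}


def rapid_reset_sample(streams=500, gap_s=0.001):
    """Constructed attack trace: each odd stream is opened and cancelled 0.1 ms later."""
    records = []
    for i in range(streams):
        sid, t = 2 * i + 1, i * gap_s
        records.append((t, encode_frame(HEADERS, END_HEADERS, sid, GET_ROOT_HPACK)))
        records.append((t + 0.0001,
                        encode_frame(RST_STREAM, 0, sid, struct.pack("!I", CANCEL))))
    return records


def benign_sample(streams=50, gap_s=0.1):
    """Constructed normal trace: streams are opened and allowed to complete."""
    return [(i * gap_s, encode_frame(HEADERS, END_HEADERS, 2 * i + 1, GET_ROOT_HPACK))
            for i in range(streams)]


if __name__ == "__main__":
    print("attack:", analyze_connection(rapid_reset_sample()))
    print("benign:", analyze_connection(benign_sample()))
```

The same counting logic is what patched HTTP/2 servers apply in-process: they budget RST_STREAM frames per connection and close the connection (GOAWAY) when the budget is exhausted, so the defence does not depend on recognising any particular client. Feeding this parser from a packet capture requires TLS termination first, since HTTP/2 on the public internet is almost always carried inside TLS.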

ShadowV2 as a service

ShadowV2 appears to function as a structured “DDoS-for-Hire” platform. 

The C2 infrastructure is built on the FastAPI and Pydantic Python frameworks, supports a login panel, and exposes multiple API endpoints for operators. These endpoints allow the creation and management of users, configuration of attack types, and blocklisting of protected sites that customers are not permitted to target.

The interface resembles legitimate cloud applications, offering modular functionality and user-friendly management tools. This mirrors broader cybercrime-as-a-service trends, where threat actors develop scalable platforms that can be rented by customers with little technical expertise. As such, ShadowV2 represents not just a botnet, but an evolving marketplace for DDoS capabilities.

The disclosure of ShadowV2 coincides with a surge in large-scale DDoS activity worldwide. Cloudflare recently reported autonomously mitigating a record-setting attack that peaked at 22.2 terabits per second and 10.6 billion packets per second, lasting only 40 seconds.

Implications for cybersecurity teams

The emergence of ShadowV2 underscores the need for defenders to adapt strategies to cloud-native attack surfaces. 

Organizations must monitor container orchestration environments, enforce strict access controls on Docker APIs, and implement continuous behavioral analytics to detect anomalous activity. The single most effective control against this campaign is to never bind the Docker daemon to a TCP port without mutual TLS (`--tlsverify` with a client CA) and to block ports 2375 and 2376 from the internet at the security group; a Unix socket is the default for a reason.
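The following added example (not Darktrace's or the malware's code) audits the exposure that ShadowV2's scanner looks for: a Docker daemon API reachable over TCP without mutual TLS. It checks the two places the listener is configured (`daemon.json` `hosts` and the `dockerd` command line in the systemd unit) and the EC2 security group ingress rules that would let the internet reach it, and shows the weak configuration beside a hardened one. The file contents, addresses, certificate paths and security group rules are constructed inputs; their layout follows Docker's and boto3's documented formats, but the values are assumptions.

```python
"""Audit a Docker host for the exposure ShadowV2 scans for.

Added example, not code from Darktrace or from the botnet. Inputs are
constructed; the formats follow Docker's daemon.json / dockerd flags and
boto3's describe_security_groups() IpPermissions, values are assumptions.
"""
import json
import shlex
from urllib.parse import urlsplit

DOCKER_API_PORTS = {2375, 2376}            # plaintext and TLS defaults for dockerd
WILDCARD_BINDS = {None, "", "0.0.0.0", "::"}

# Weak: remote API on every interface, no TLS client verification.
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
# Hardened: bound to a private address, server cert plus mandatory client certs.
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.1.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})
WEAK_EXECSTART = "ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375"
OPEN_SG = [{"IpProtocol": "tcp", "FromPort": 2375, "ToPort": 2376,
            "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]
TIGHT_SG = [{"IpProtocol": "tcp", "FromPort": 2376, "ToPort": 2376,
             "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []}]


def listeners_from_daemon_json(text):
    """Return [(host_url, tls_verified)] from a daemon.json document."""
    cfg = json.loads(text)
    tls = bool(cfg.get("tlsverify", False))
    return [(h, tls) for h in cfg.get("hosts", [])]


def listeners_from_execstart(line):
    """Return [(host_url, tls_verified)] from a systemd ExecStart= line for dockerd."""
    argv = shlex.split(line.split("=", 1)[1])
    tls = any(a in ("--tlsverify", "--tlsverify=true") for a in argv)
    hosts = []
    for i, a in enumerate(argv):
        if a in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])
        elif a.startswith(("-H=", "--host=")):
            hosts.append(a.split("=", 1)[1])
    return [(h, tls) for h in hosts]


def audit_listeners(listeners):
    """Return (severity, message) findings for network-reachable API listeners."""
    findings = []
    for host, tls in listeners:
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// are reachable only from the host itself
        u = urlsplit(host)
        port = u.port or (2376 if tls else 2375)   # dockerd's defaults when omitted
        if not tls:
            findings.append(("CRITICAL", f"unauthenticated Docker API on {host} (port {port})"))
        elif u.hostname in WILDCARD_BINDS:
            findings.append(("WARN", f"TLS-verified API on all interfaces, port {port}; "
                                     "restrict the source range with a security group"))
    return findings


def sg_exposes_docker(ip_permissions):
    """Return internet-wide CIDRs that can reach a Docker API port."""
    offenders = []
    for rule in ip_permissions:
        proto = rule.get("IpProtocol")
        if proto not in ("tcp", "-1"):
            continue
        lo = 0 if proto == "-1" else rule.get("FromPort", 0)
        hi = 65535 if proto == "-1" else rule.get("ToPort", 65535)
        if not any(lo <= p <= hi for p in DOCKER_API_PORTS):
            continue
        offenders += [r["CidrIp"] for r in rule.get("IpRanges", []) if r.get("CidrIp") == "0.0.0.0/0"]
        offenders += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", []) if r.get("CidrIpv6") == "::/0"]
    return offenders


if __name__ == "__main__":
    print("weak daemon.json:", audit_listeners(listeners_from_daemon_json(WEAK_DAEMON_JSON)))
    print("hardened daemon.json:", audit_listeners(listeners_from_daemon_json(HARDENED_DAEMON_JSON)))
    print("systemd unit:", audit_listeners(listeners_from_execstart(WEAK_EXECSTART)))
    print("open SG:", sg_exposes_docker(OPEN_SG), "tight SG:", sg_exposes_docker(TIGHT_SG))
```

Two caveats when applying this to real hosts: dockerd refuses to start if `hosts` is set both in `daemon.json` and via `-H` in the systemd unit, so the listener belongs in exactly one of them; and a security group that blocks 2375 does not help if the instance also sits behind a load balancer or a second network interface with a different group, so check every path to the interface.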

Moreover, security teams must treat botnets like ShadowV2 not merely as malware, but as platforms capable of scaling and evolving with the same agility as legitimate software services.

Effective defense requires visibility across workloads, removal of management interfaces that are exposed without authentication, timely patching of internet-facing services, and monitoring of API activity for misuse. Organizations can reduce this risk by using AWS security tools that help monitor container workloads and enforce best practices, and by alerting on container creation or image builds from hosts that are not expected to perform them.

The presence of a fully developed operator interface highlights how cybercrime infrastructure increasingly mirrors enterprise-grade software, further blurring the line between legitimate cloud practices and malicious exploitation.

ShadowV2 represents a significant step forward in the commercialization of DDoS-as-a-service operations. By integrating Python and Go-based modules, containerized deployment strategies, and API-driven operator interfaces, it demonstrates how threat actors adapt cloud-native technologies for criminal purposes.


Ken Underhill is an award-winning cybersecurity professional, bestselling author, and seasoned IT professional. He holds a graduate degree in cybersecurity and information assurance from Western Governors University and brings years of hands-on experience to the field.
