During late October 2025, a new Mirai-derived botnet dubbed ShadowV2 was observed exploiting unpatched IoT devices across multiple sectors and 28 countries. While the activity lasted only a day, it underscores the ongoing risks posed by unsecured connected hardware.
Technical summary of the current ShadowV2 campaign
Industry research reports that ShadowV2 primarily targeted consumer and enterprise IoT devices from vendors including D-Link, TP-Link, DigiEver, TBK, and DD-WRT-based systems. Infection occurred through a set of known vulnerabilities, such as command injection and buffer overflow issues, enabling attackers to drop a downloader script (binary.sh) that retrieved device-specific binaries from a remote host.
Once installed, ShadowV2 mirrors aspects of the LZRD Mirai variant:
- XOR-encoded configuration file decrypted at runtime
- Contact with a command-and-control server for instructions
- Multiple DDoS vectors supported (UDP floods, TCP SYN floods)
- Obfuscation techniques to blend attack traffic with legitimate network activity
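As an added illustration of the XOR-encoded configuration listed above (analyst-side helper code written for this post, not ShadowV2's or FastNetMon's code): the leaked Mirai source XORs every configuration byte with each of the four bytes of a 32-bit key in turn, which collapses to a single effective byte, and the functions below recover that byte from a carved blob either with a known plaintext or by scoring all 256 candidates. The 0xDEADBEEF key is the one in the public Mirai source, the LZRD/ShadowV2 key is not stated in this post, and the sample table is constructed.

```python
from typing import Optional

# Key from the leaked Mirai source. ASSUMPTION: the LZRD/ShadowV2 key is not on the
# page; a real sample would need its own key recovered with the helpers below.
MIRAI_PUBLIC_KEY = 0xDEADBEEF

def effective_key(table_key: int) -> int:
    """Mirai's toggle_obf() XORs every byte with k1, k2, k3 and k4 in turn,
    so the 32-bit key collapses to one byte (0xDEADBEEF -> 0x22)."""
    return ((table_key & 0xFF) ^ ((table_key >> 8) & 0xFF)
            ^ ((table_key >> 16) & 0xFF) ^ ((table_key >> 24) & 0xFF))

def xor_bytes(data: bytes, key_byte: int) -> bytes:
    """Encode and decode are the same operation for single-byte XOR."""
    return bytes(b ^ key_byte for b in data)

def recover_key(encoded: bytes, crib: bytes) -> Optional[int]:
    """Known-plaintext recovery: if `crib` occurs at offset i, the key is
    encoded[i] ^ crib[0]; confirm it against the rest of the crib."""
    for i in range(len(encoded) - len(crib) + 1):
        k = encoded[i] ^ crib[0]
        if xor_bytes(encoded[i:i + len(crib)], k) == crib:
            return k
    return None

def rank_keys(encoded: bytes, top: int = 3) -> list[tuple[int, float, int]]:
    """No crib: score all 256 keys by the share of bytes that decode to printable
    ASCII or NUL, then by NUL count (table entries are NUL-terminated strings)."""
    ranked = []
    for k in range(256):
        dec = xor_bytes(encoded, k)
        ok = sum(1 for b in dec if b == 0 or 0x20 <= b < 0x7F)
        ranked.append((k, ok / len(dec), dec.count(0)))
    ranked.sort(key=lambda r: (r[1], r[2]), reverse=True)
    return ranked[:top]

def demo() -> dict:
    """Round trip on a constructed table: five NUL-terminated entries of the kind
    a Mirai config holds (binary path, credentials, HTTP fragment, placeholder C2)."""
    plaintext = b"/bin/busybox\x00telnet\x00admin1234\x00GET /\x00c2.example.invalid\x00"
    k = effective_key(MIRAI_PUBLIC_KEY)
    encoded = xor_bytes(plaintext, k)  # stands in for bytes carved from a sample
    return {
        "effective_key": k,
        "from_crib": recover_key(encoded, b"/bin/busybox"),
        "best_guess": rank_keys(encoded)[0][0],
        "decoded": xor_bytes(encoded, k).split(b"\x00")[:-1],
    }
```

On a real sample the crib would be a string known to occur in the table (a busybox path or HTTP fragment carved from a sibling sample), and `rank_keys` is the fallback when no such string is known.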
The botnet affected a diverse range of industries, including technology, retail, manufacturing, telecoms, education, and government, demonstrating how widespread unpatched devices remain a critical security weakness.
Geographic reach
Observed infections spanned 28 countries, including the US, Canada, UK, France, Italy, China, Japan, and Australia. While total device counts are not yet disclosed, the scale demonstrates the rapid mobilisation potential of IoT-targeting botnets.
Reference to previous ShadowV2 campaigns
Earlier in 2025, we reported ShadowV2 as a cloud-native, DDoS-as-a-service platform exploiting misconfigured Docker APIs on AWS and other cloud providers. That iteration allowed paying customers to launch DDoS attacks via a self-service portal, containerised malware, and subscription-based models — a notable shift from traditional botnet approaches.
While both campaigns share the ShadowV2 name, there is currently no confirmed technical link between the cloud-based and IoT-targeting versions:
- Target environments differ: cloud containers versus IoT devices
- Attack techniques and payload delivery mechanisms are distinct
- No shared command-and-control infrastructure has been documented
For more on the previously reported ShadowV2, see our earlier analysis of the cloud-based, pay-to-use DDoS platform.
About FastNetMon
FastNetMon is a leading solution for network security, offering advanced DDoS detection and mitigation. With real-time analytics and rapid response capabilities, FastNetMon helps organisations protect their infrastructure from evolving cyber threats. For more information, visit https://fastnetmon.com