ShadowV2: new botnet exploiting exposed Docker to power DDoS – FastNetMon DDoS News

ShadowV2 has been identified as a new DDoS-as-a-service platform that stands out for its use of cloud infrastructure. Instead of relying on home routers or compromised IoT devices, it exploits misconfigured Docker daemons running in public cloud environments. Many of these daemons were deployed on Amazon Web Services, but the same exposure exists across providers.

Earlier campaigns often relied on ad-hoc scripts. ShadowV2 takes a different form: a self-service portal where customers can run their own DDoS jobs. It provides attack configuration, real-time dashboards, and subscription plans – features that mirror those of legitimate SaaS products.

How the infections work

To grow, the botnet hunts for Docker APIs left open without authentication. When it finds one, it deploys containers that download the attacker’s images. Inside are binaries designed to run multiple DDoS attack types, from TCP and UDP floods to various amplification methods.

The advantage for operators is clear:

  • Cloud workloads provide far greater bandwidth and CPU than IoT devices.
  • Containers can be deployed and destroyed quickly, making takedown harder.
  • Victims of the compromise are often billed for the attacker’s compute time.

Why is ShadowV2 different?

This is not the first time cloud misconfigurations have been abused for DDoS, but ShadowV2 is notable for how commercially packaged it is. Buyers don’t need technical knowledge — the platform abstracts away the attack scripts and replaces them with sliders, menus, and an automated payment flow.

The service demonstrates a shift: DDoS-for-hire operations no longer look like underground IRC bots, but instead like cloud dashboards designed for efficiency and scale. That lowers the entry barrier for anyone wanting to launch attacks.

Defensive considerations

Because ShadowV2 thrives on exposed Docker services, preventing these instances from being reachable on the internet is the most direct control.

Security teams should regularly audit their environments to confirm that container APIs are locked down. In cases where misconfigurations already exist, unusual outbound traffic can serve as an early warning — compromised containers generating floods will stand out from normal application behaviour. Detection is only part of the picture, however.
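As an added illustration of that audit (example code written for this article's defensive point, not FastNetMon's own tooling), the following Python script reads a dockerd configuration, both daemon.json and any -H/--host flags, and flags every tcp:// listener bound to a non-loopback address, treating one that does not require client TLS verification as the unauthenticated exposure described above. The sample configurations it runs against are constructed.

```python
import json
from urllib.parse import urlsplit

LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def listeners(cfg, dockerd_args):
    """Collect every listen address: daemon.json "hosts" plus -H/--host flags."""
    hosts = list(cfg.get("hosts", []))
    args = list(dockerd_args)
    for i, a in enumerate(args):
        if a in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
        elif a.startswith(("-H=", "--host=")):
            hosts.append(a.split("=", 1)[1])
    # With no explicit host, dockerd listens only on the local Unix socket.
    return hosts or ["unix:///var/run/docker.sock"]


def audit_daemon_config(daemon_json, dockerd_args=()):
    """Return (severity, listener, detail) for each network-exposed API socket."""
    cfg = json.loads(daemon_json) if daemon_json.strip() else {}
    tls_verify = bool(cfg.get("tlsverify")) or "--tlsverify" in dockerd_args
    findings = []
    for h in listeners(cfg, dockerd_args):
        u = urlsplit(h)
        if u.scheme != "tcp":
            continue  # unix:// and fd:// sockets are reachable only locally
        host = u.hostname or "0.0.0.0"  # "tcp://:2375" binds all interfaces
        port = u.port or 2375           # dockerd's default unencrypted port
        if host in LOOPBACK:
            continue
        if not tls_verify:
            findings.append(("CRITICAL", h, f"API on {host}:{port} accepts unauthenticated clients"))
        else:
            findings.append(("WARNING", h, f"API on {host}:{port} requires client certs; confirm firewalling"))
    return findings


if __name__ == "__main__":
    # Constructed sample: the exposure pattern the botnet scans for.
    exposed = '{"hosts": ["tcp://0.0.0.0:2375", "unix:///var/run/docker.sock"]}'
    for f in audit_daemon_config(exposed):
        print(*f)
```

Run it against each host's /etc/docker/daemon.json and the live dockerd command line (for example from the systemd unit); a CRITICAL finding is exactly the state the article describes.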

Cloud-hosted botnets are capable of sustaining higher rates for longer periods, so automated response and rapid mitigation at the network level become critical. Once compromised containers are identified, reporting them to the cloud provider can lead to swift removal, cutting off the attacker’s resources.


About FastNetMon

FastNetMon is a leading solution for network security, offering advanced DDoS detection and mitigation. With real-time analytics and rapid response capabilities, FastNetMon helps organisations protect their infrastructure from evolving cyber threats. For more information, visit https://fastnetmon.com
