A newly identified malware strain, dubbed ShadowV2, is spreading across more than 20 countries, exploiting vulnerable Internet of Things devices to build a global botnet. Researchers say the campaign, rooted in Mirai-based code, reflects a maturing ecosystem of cybercriminals who now rely on misconfigured consumer hardware to power increasingly resilient attacks.
A Botnet Emerges Amid Global Disruption
When a major AWS connectivity outage struck in late October 2025, it briefly shook digital infrastructure across continents. According to researchers at FortiGuard Labs, the moment may have provided cover for cybercriminals testing a more ambitious project: a revamped IoT botnet variant they call ShadowV2.
The malware surfaced in the weeks that followed, targeting routers, DVRs, network-attached storage systems, and enterprise-adjacent IoT hardware. ShadowV2, built on the foundation of the long-running Mirai LZRD variant, signals an evolution in tactics—one in which familiar codebases are enhanced for greater persistence, stealth, and command-and-control reliability.
The discovery, researchers say, underscores a broader trend: botnet operators are no longer simply hijacking devices opportunistically but strategically exploiting an entrenched landscape of neglected IoT endpoints.
Mapping the Spread of a Global Campaign
By early November, FortiGuard’s sensors had detected ShadowV2 infections across North and South America, Europe, Africa, Asia, and Australia. The patterns pointed to a coordinated wave of exploitation, with attacks observed in sectors ranging from telecommunications and manufacturing to education and government networks.
The campaign’s reach is tied to the ubiquity of the devices it targets. Many belong to widely deployed product lines—TP-Link Archer routers, D-Link DNS-320 systems, TBK DVRs, and DigiEver monitoring equipment. In many regions, such hardware forms the backbone of small-business and household networks, often running outdated firmware and placed behind minimal segmentation.
Researchers note that ShadowV2 does not rely on a single flaw. Instead, it chains together a set of long-catalogued vulnerabilities, including arbitrary command execution and buffer overflow weaknesses, to gain initial access. That multiplicity of entry points allows the botnet to advance even when partial remediation measures are in place.
Inside the Malware’s Design
Technical analysis shows that ShadowV2 is engineered with a focus on flexibility and resilience. Once deployed, it identifies itself with the string “ShadowV2 Build v1.0.0 IoT version,” signaling an iteration optimized for embedded hardware. Its configuration files, XOR-encoded with a simple 0x22 key, include system paths, HTTP headers, and spoofed browser user-agent strings to obfuscate outbound traffic.
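As an added analysis aid, not code from the Fortinet report or from the malware itself, the Python below decodes a single-byte-XOR config table of the kind described above and checks whether the reported 0x22 key is the only key that yields a NUL-terminated printable table. The sample entries are constructed for the demonstration, not extracted from a real ShadowV2 binary.

```python
# Analyst-side helper for single-byte XOR-encoded config tables like the one
# the article attributes to ShadowV2 (key 0x22). Added example; the sample
# table below is constructed, not recovered from a real sample.

REPORTED_KEY = 0x22  # single-byte XOR key reported for ShadowV2's config


def xor_bytes(blob: bytes, key: int) -> bytes:
    """XOR every byte with a one-byte key; XOR is its own inverse, so the
    same call both encodes and decodes."""
    return bytes(b ^ key for b in blob)


def looks_like_config_table(data: bytes) -> bool:
    """Heuristic: a decoded Mirai-style table is a run of NUL-terminated
    printable ASCII strings, so every byte must be 0x00 or in 0x20..0x7E
    and at least one terminator must be present."""
    return b"\x00" in data and all(b == 0 or 0x20 <= b <= 0x7E for b in data)


def candidate_keys(blob: bytes) -> list[int]:
    """Try all 256 one-byte keys and keep those whose output looks like a
    config table, so the reported key can be confirmed rather than assumed."""
    return [k for k in range(256) if looks_like_config_table(xor_bytes(blob, k))]


def decode_table(blob: bytes, key: int) -> list[str]:
    """Decode the blob with the given key and split it into its entries."""
    decoded = xor_bytes(blob, key)
    return [e.decode("ascii") for e in decoded.split(b"\x00") if e]


# Constructed sample: a system path, a spoofed User-Agent and the build string
# quoted in the article, NUL-terminated and then XOR-encoded with 0x22.
SAMPLE_ENTRIES = [
    "/bin/busybox",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
    "ShadowV2 Build v1.0.0 IoT version",
]
SAMPLE_BLOB = xor_bytes(
    b"\x00".join(e.encode() for e in SAMPLE_ENTRIES) + b"\x00", REPORTED_KEY
)

if __name__ == "__main__":
    keys = candidate_keys(SAMPLE_BLOB)
    print("candidate keys:", [hex(k) for k in keys])
    for entry in decode_table(SAMPLE_BLOB, keys[0]):
        print(" ", entry)
```

On a real dump the same key scan is a quick sanity check before trusting a published key, and the decoded entries feed directly into signature and traffic-monitoring rules.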
Persistence is immediate. The malware waits for instructions to launch distributed denial-of-service attacks, supporting UDP, TCP, and HTTP-based traffic floods that can overwhelm high-bandwidth targets.
To maintain communication with its operators, ShadowV2 cycles through a layered command-and-control structure. A downloader script retrieves the primary payload from a host server at 81.88.18.108, after which the botnet attempts to reach another domain, silverpath.shadowstresser.info. If DNS fails—whether by coincidence or intervention—the malware falls back to the same hardcoded IP address, ensuring continuity.
This redundancy, researchers say, suggests that ShadowV2’s developers anticipated takedowns and designed the infrastructure accordingly.
A Growing Risk for Unpatched Networks
Security teams examining the infections conclude that the campaign is likely to expand unless organizations apply firmware updates and segment internal networks more aggressively. In many cases, compromised devices remain fully functional from the user’s perspective, making detection difficult without traffic monitoring tools.
Fortinet researchers warn that ShadowV2 reflects a maturing pattern in cybercrime: a shift toward weaponizing the long tail of unmaintained IoT hardware. As attackers refine their tactics, global exposure widens—not because of a single catastrophic vulnerability, but because millions of devices remain unpatched, unmonitored, and quietly accessible to anyone with a script and a target.
For now, FortiGuard’s protections detect and block the malware under several Mirai-related signatures. But researchers caution that ShadowV2’s operators are experimenting, expanding infrastructure, and preparing for larger-scale campaigns. The question, they note, is not whether the botnet will continue its spread—but how quickly defenders can adapt before the next iteration surfaces.