ShadowV2: New Cloud-Based Botnet Fuels Massive DDoS Attacks

Written by Alexander Chapellin | Nov 28, 2025 3:00:00 PM

A new Mirai-based botnet known as ShadowV2 has been detected, targeting IoT devices from brands like D-Link, TP-Link, and others by exploiting already known vulnerabilities.

According to researchers at Fortinet, this activity coincided with the major AWS outage in October. While there’s no evidence directly linking the two events, what stands out is that the botnet was only active during the disruption, suggesting that the attackers may have used the chaos as a kind of “live test.”

At TecnetOne, we are always vigilant against these emerging threats—anticipating them, understanding how they evolve, and reinforcing our clients’ security.

IoT Vulnerabilities Actively Exploited by ShadowV2

ShadowV2 has been spreading by exploiting at least eight different vulnerabilities in various IoT devices. The affected equipment includes products from manufacturers such as DD-WRT, D-Link, DigiEver, TBK, and TP-Link, with flaws ranging from long-standing issues to recently documented vulnerabilities.

Some of the most significant include:

  1. DD-WRT – CVE-2009-2765
  2. D-Link – CVE-2020-25506, CVE-2022-37055, CVE-2024-10914, CVE-2024-10915
  3. DigiEver – CVE-2023-52163
  4. TBK – CVE-2024-3721
  5. TP-Link – CVE-2024-53375

Among them, one of the most concerning is CVE-2024-10914, a command injection vulnerability affecting end-of-life D-Link devices. The manufacturer has confirmed that these models will not receive patches, leaving the flaw open indefinitely.

A similar situation applies to CVE-2024-10915. Although this vulnerability was documented in late 2024, the affected devices will also go unpatched. As an informative measure, D-Link updated an old bulletin to include this CVE and released a more recent one warning that unsupported devices will no longer receive firmware updates, leaving them easy targets for campaigns like ShadowV2.

In contrast, CVE-2024-53375, found in certain TP-Link models, did receive attention from the manufacturer and was addressed with a beta firmware update.

Various exploits used by ShadowV2 (Source: Fortinet)

Origin of the Attacks and Global Reach of ShadowV2

According to researchers at FortiGuard Labs, the ShadowV2 attacks originated from the IP address 198[.]199[.]72[.]27 and targeted routers, NAS devices, and DVRs used across seven different sectors, including government, technology, manufacturing, MSSPs, telecommunications, and education.

The reach was truly global. Attack attempts were recorded in nearly every region: North and South America, Europe, Africa, Asia, and even Australia.

The Global Impact of the Botnet (Source: Fortinet)

The malware identifies itself as “ShadowV2 Build v1.0.0 IoT version” and, according to researchers, shares many similarities with the Mirai LZRD variant.

The infection begins when a vulnerable device executes an initial stage via a download script (binary.sh), which retrieves the malicious file from a server hosted at 81[.]88[.]18[.]108.

Once inside, ShadowV2 uses XOR-encoded configurations to conceal system paths, user-agent strings, HTTP headers, and other elements typical of Mirai. This helps it evade detection and remain active without raising suspicion.
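The XOR "encoding" Mirai-family bots use for their configuration strings is obfuscation, not encryption, and an analyst can strip it from a dumped sample in a few lines. The script below is an added example written for this article; it is not Fortinet's tooling or code from the ShadowV2 sample. It uses the key from the publicly leaked Mirai source (0xDEADBEEF in table.c) as a default only to illustrate the scheme; ShadowV2's own key is not given in the article, so the second function treats the key as unknown and recovers a single-byte XOR key by brute force, ranking candidates by printable-ASCII ratio and by the presence of known Mirai-style strings. The sample table entries are constructed for the demonstration.

```python
import string

# Key from the leaked Mirai source (table.c). ShadowV2's key is NOT stated in the
# article, so it is treated as unknown below and recovered by brute force.
MIRAI_TABLE_KEY = 0xDEADBEEF

# Strings an analyst expects to see once a Mirai-style table is decoded
# (assumed markers, used only to rank brute-force candidates).
KNOWN_MARKERS = (b"/proc/", b"HTTP/1.1", b"User-Agent", b"/dev/watchdog", b"/bin/busybox")


def effective_key_byte(key32: int) -> int:
    """Mirai XORs every byte with each of the four key bytes in turn; four XORs
    with constants collapse into a single XOR with their combination."""
    k = 0
    for shift in (0, 8, 16, 24):
        k ^= (key32 >> shift) & 0xFF
    return k


def toggle_obf(data: bytes, key32: int = MIRAI_TABLE_KEY) -> bytes:
    """Encode or decode one table entry (XOR is its own inverse)."""
    k = effective_key_byte(key32)
    return bytes(b ^ k for b in data)


def decode_table(entries, key32: int = MIRAI_TABLE_KEY):
    """Decode a list of obfuscated table entries into strings."""
    return [toggle_obf(e, key32).decode("latin-1") for e in entries]


def printable_ratio(data: bytes) -> float:
    """Share of bytes that are printable ASCII (vertical tab / form feed excluded)."""
    if not data:
        return 0.0
    allowed = set(string.printable.encode()) - {0x0B, 0x0C}
    return sum(1 for b in data if b in allowed) / len(data)


def recover_single_byte_key(blob: bytes, min_ratio: float = 0.95):
    """Try all 256 single-byte keys against a blob of concatenated entries.
    Returns candidate dicts sorted best first: most known markers, then highest
    printable ratio, then lowest key. Concatenating several entries makes
    accidental all-printable decodings much rarer."""
    candidates = []
    for k in range(256):
        dec = bytes(b ^ k for b in blob)
        ratio = printable_ratio(dec)
        if ratio < min_ratio:
            continue
        markers = sum(1 for m in KNOWN_MARKERS if m in dec)
        candidates.append({"key": k, "ratio": ratio, "markers": markers, "plaintext": dec})
    candidates.sort(key=lambda c: (-c["markers"], -c["ratio"], c["key"]))
    return candidates


# Constructed sample entries of the kind such bots keep in their table:
# a system path, a User-Agent and an HTTP request line. Not taken from ShadowV2.
SAMPLE_PLAINTEXT = [
    b"/proc/",
    b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
    b"POST / HTTP/1.1",
]
SAMPLE_ENCODED = [toggle_obf(s) for s in SAMPLE_PLAINTEXT]

if __name__ == "__main__":
    print("effective key byte: 0x%02x" % effective_key_byte(MIRAI_TABLE_KEY))
    for s in decode_table(SAMPLE_ENCODED):
        print("decoded:", s)
    best = recover_single_byte_key(b"".join(SAMPLE_ENCODED))[0]
    print("best brute-force key: 0x%02x (%d markers, ratio %.2f)"
          % (best["key"], best["markers"], best["ratio"]))
```

The point of the brute-force path is that the "concealment" offers no real protection: with 256 possible keys and strings like `/proc/` or `HTTP/1.1` almost guaranteed to be present, the key falls out immediately, which is why defanged strings from such tables make useful detection content.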

As for its capabilities, the malware can launch DDoS attacks using UDP, TCP, and HTTP protocols, offering different types of floods for each. The command-and-control (C2) infrastructure orchestrates everything, sending direct instructions to the bots to initiate attacks at will.

DDoS Attack Trigger (Source: Fortinet)

DDoS botnets typically generate revenue in two main ways: renting out their attack power to other cybercriminals or directly extorting their victims with the classic “pay or we keep attacking” threat. However, in the case of ShadowV2, it remains unclear who is behind it or what their monetization model is, adding an extra layer of uncertainty to the threat.

Recent analyses of this campaign have shared indicators of compromise (IoCs) to aid in detection, along with one key recommendation: always keep firmware up to date on IoT devices—especially those that no longer receive support or are nearing end-of-life.
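A practical way to put the published indicators to work is to sweep existing firewall and proxy logs for them. The script below is an added example and not part of the article or of Fortinet's published material; it refangs the two IP addresses named above (198[.]199[.]72[.]27 and 81[.]88[.]18[.]108) and the stage-one script name binary.sh, matches them against log lines, and defangs every hit again so the output can be pasted into a ticket without creating live links. The log format and the sample lines are constructed for the demonstration; adapt the parsing to your own telemetry.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Indicators named in the article, kept in the defanged form they were published in.
DEFANGED_IOC_IPS = ["198[.]199[.]72[.]27", "81[.]88[.]18[.]108"]
# Stage-one download script name from the article.
SUSPICIOUS_PATHS = ["binary.sh"]


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a matchable form."""
    return ioc.replace("[.]", ".").replace("hxxp://", "http://")


def defang(ioc: str) -> str:
    """Defang an indicator before it goes into a report or ticket."""
    return ioc.replace(".", "[.]")


IOC_IPS = frozenset(refang(i) for i in DEFANGED_IOC_IPS)
# Dotted-quad matcher; the lookarounds stop it matching inside longer digit runs.
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


@dataclass(frozen=True)
class Hit:
    line_no: int
    kind: str        # "ip" or "path"
    indicator: str   # defanged, safe to paste into a report
    line: str


def scan_log_lines(lines):
    """Return one Hit per indicator occurrence, in log order."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for ip in IPV4_RE.findall(line):
            if ip in IOC_IPS:
                hits.append(Hit(n, "ip", defang(ip), line))
        for path in SUSPICIOUS_PATHS:
            if path in line:
                hits.append(Hit(n, "path", path, line))
    return hits


def summarize(hits):
    """Count hits per (defanged) indicator."""
    return dict(Counter(h.indicator for h in hits))


# Constructed sample lines in a generic firewall/proxy style; not real telemetry.
# 192.0.2.x and 203.0.113.x are documentation ranges used as stand-ins.
SAMPLE_LOG = [
    "2025-10-20T14:02:11Z fw ACCEPT src=198.199.72.27 dst=192.0.2.10 dport=80 proto=tcp",
    "2025-10-20T14:02:12Z proxy GET http://81.88.18.108/binary.sh ua=Wget",
    "2025-10-20T14:03:00Z fw ACCEPT src=192.0.2.10 dst=203.0.113.9 dport=443 proto=tcp",
    "2025-10-20T14:03:05Z proxy GET http://203.0.113.9/index.html ua=curl",
]

if __name__ == "__main__":
    found = scan_log_lines(SAMPLE_LOG)
    for h in found:
        print(f"line {h.line_no}: {h.kind} {h.indicator}")
    print(summarize(found))
```

A match on the 198[.]199[.]72[.]27 source address points to an exploitation attempt against the device, while an outbound fetch of binary.sh from 81[.]88[.]18[.]108 indicates the first stage already ran on it; the second case is the one that warrants isolating the device and, for end-of-life models that will never receive a patch, replacing it.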