A new malware strain named ShadowV2 has spread rapidly by exploiting vulnerabilities in Internet of Things (IoT) devices to build botnets for distributed denial-of-service (DDoS) attacks. First detected in late October 2025, its quick deployment across multiple industries and regions suggests a coordinated effort, possibly a “test run” to gauge its disruptive capabilities.
The threat has already affected organizations in the technology, education, and retail sectors across the United States, Europe, and Asia. The breadth of the infections underscores the persistent risk that unsecured connected devices pose inside enterprise networks and the urgent need for better IoT inventory, patching, and segmentation.
ShadowV2 Exploits IoT Vulnerabilities for DDoS Attacks
Security analysts at Fortinet have documented ShadowV2’s methodology: it targets known, unpatched flaws in routers and DVRs from vendors such as D-Link and TP-Link. Some of these vulnerabilities date back years, so the campaign succeeds against organizations that have not applied available firmware updates. The exploited CVEs are listed below.
| Vendor | CVE ID | Vulnerability Details |
|---|---|---|
| DD-WRT | CVE-2009-2765 | HTTP Daemon Arbitrary Command Execution |
| D-Link | CVE-2020-25506 | ShareCenter CGI Code Execution |
| D-Link | CVE-2022-37055 | Buffer Overflow in HNAP Main |
| D-Link | CVE-2024-10914 | Account Manager Command Injection |
| D-Link | CVE-2024-10915 | Account Manager Command Injection |
| DigiEver | CVE-2023-52163 | Time Setup CGI Command Injection |
| TBK | CVE-2024-3721 | DVR Command Injection |
| TP-Link | CVE-2024-53375 | Archer Devices Command Injection |
The attack chain begins when a vulnerable device is made to download a script named binary.sh from a remote server at the IP address 81.88.18.108. The script detects the host’s CPU architecture (ARM, MIPS, or x86) and then fetches the matching malware payload, so that the binary runs on whatever IoT hardware was compromised.
Technical Breakdown of the ShadowV2 Malware
Architecturally, ShadowV2 resembles the LZRD Mirai variant, but it distinguishes itself through its own obfuscation techniques. On execution, the malware decrypts its embedded configuration data with a simple XOR cipher using the key 0x22.
The decrypted configuration holds the information the bot needs to operate, including file paths such as /proc/ and a set of spoofed User-Agent strings. The User-Agent strings are meant to make the malware’s traffic look like ordinary browser activity to security monitoring systems.
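The single-byte XOR decryption described above is easy to reproduce for triage. The following is an added example written for this article, not code from the ShadowV2 sample or from Fortinet’s analysis: it encodes a constructed, Mirai-style table of NUL-terminated strings with the reported key 0x22, decodes it back, and sorts the recovered strings into the two categories the write-up mentions (/proc/ paths and User-Agent strings). It goes one step beyond the article by showing how an analyst can recover an unknown single-byte key from a known-plaintext crib such as "/proc/"; the table layout and every sample string are constructed, and only the key value comes from the article.

```python
"""XOR-decode a Mirai-style embedded configuration and brute-force the key.

Added example for this article, not code from the ShadowV2 sample or from
Fortinet's analysis. The NUL-separated table layout and the sample strings
are constructed for illustration; only the key 0x22 comes from the write-up.
"""
from __future__ import annotations

KEY = 0x22  # single-byte XOR key reported for ShadowV2's configuration block

# Constructed plaintext entries standing in for the real configuration.
SAMPLE_ENTRIES = [
    "/proc/",
    "/proc/net/tcp",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
    "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0",
]


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (encryption and decryption are identical)."""
    return bytes(b ^ key for b in data)


def build_encrypted_table(entries: list[str], key: int = KEY) -> bytes:
    """Encrypt NUL-terminated strings the way a Mirai-style table stores them."""
    plain = b"".join(e.encode() + b"\x00" for e in entries)
    return xor_bytes(plain, key)


def decrypt_table(blob: bytes, key: int = KEY) -> list[str]:
    """Decrypt the blob and split it into entries, dropping the trailing empty element."""
    plain = xor_bytes(blob, key)
    return [p.decode("latin-1") for p in plain.split(b"\x00") if p]


def recover_key(blob: bytes, known_plaintext: bytes = b"/proc/") -> int | None:
    """Try all 256 single-byte keys; return the first whose output contains the crib.

    A single-byte XOR key is fully determined by one known plaintext fragment,
    which is why a string the config is known to hold (here "/proc/") is enough.
    """
    for k in range(256):
        if known_plaintext in xor_bytes(blob, k):
            return k
    return None


def triage(entries: list[str]) -> dict[str, list[str]]:
    """Bucket decrypted strings into the categories the article mentions."""
    return {
        "proc_paths": [e for e in entries if e.startswith("/proc/")],
        "user_agents": [e for e in entries if e.startswith("Mozilla/")],
    }


if __name__ == "__main__":
    blob = build_encrypted_table(SAMPLE_ENTRIES)
    key = recover_key(blob)
    print("recovered key:", hex(key) if key is not None else None)
    for category, items in triage(decrypt_table(blob, key)).items():
        print(category, items)
```

Because the key is one byte, the NUL terminators between entries all encrypt to the same byte (0x22), which is itself a quick visual tell when eyeballing a hex dump of a suspected configuration block.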
Once deployed and with its configuration decrypted, the malware connects to its command-and-control (C2) server and waits for attack orders. ShadowV2 can carry out several DDoS attack vectors, notably UDP floods and TCP SYN floods. Each vector is mapped to a specific internal function ID inside the malware, so a short C2 command is enough to launch an attack against a designated target.
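The two network-observable stages described in this article, the initial fetch of binary.sh from 81.88.18.108 and the later participation in TCP SYN floods, are both visible in ordinary egress flow or proxy logs. The block below is an added example for this article, not tooling from Fortinet or the article’s author: it parses a constructed key=value log format, flags any record that matches the published indicators, and counts outbound SYNs per (source, destination) pair to surface a device that is flooding a single target. The log format, every log line, the internal addresses and the SYN-rate threshold are all constructed assumptions; only the indicator IP and file name come from the article.

```python
"""Scan constructed egress log lines for the ShadowV2 indicators named in the
article (fetch of binary.sh from 81.88.18.108) and for outbound SYN bursts
that suggest a device is taking part in a TCP SYN flood.

Added example for this article. The log format, all log lines and the
threshold are constructed assumptions; only IOC_IP and IOC_FILE come from
the write-up.
"""
from __future__ import annotations

import re
from collections import Counter

# Indicators taken from the article.
IOC_IP = "81.88.18.108"
IOC_FILE = "binary.sh"

# Constructed log format: an ISO timestamp followed by key=value tokens.
LOG_RE = re.compile(r"(?P<ts>\S+)\s+(?P<kv>.*)")

# Constructed sample log: normal traffic, one dropper fetch, then a SYN burst
# from the same IoT address toward a single TEST-NET target.
SAMPLE_LOG = [
    "2025-10-28T10:01:02Z src=10.20.0.7 dst=198.51.100.20 dport=443 proto=tcp flags=S",
    "2025-10-28T10:01:03Z src=10.20.0.7 dst=198.51.100.20 dport=443 proto=tcp flags=A",
    "2025-10-28T10:02:11Z src=10.20.0.15 dst=81.88.18.108 dport=80 proto=tcp flags=S",
    "2025-10-28T10:02:11Z src=10.20.0.15 dst=81.88.18.108 dport=80 proto=http uri=/binary.sh",
] + [
    f"2025-10-28T10:05:{i % 60:02d}Z src=10.20.0.15 dst=203.0.113.7 dport=80 proto=tcp flags=S"
    for i in range(60)
]


def parse_line(line: str) -> dict[str, str] | None:
    """Turn one constructed log line into a dict; None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts")}
    for tok in m.group("kv").split():
        key, _, value = tok.partition("=")
        rec[key] = value
    return rec


def find_dropper_fetches(lines: list[str]) -> list[tuple[str, str, str, str | None]]:
    """Return (ts, src, dst, uri) for records touching the published indicators."""
    hits = []
    for rec in map(parse_line, lines):
        if rec is None:
            continue
        if rec.get("dst") == IOC_IP or rec.get("uri", "").endswith(IOC_FILE):
            hits.append((rec["ts"], rec.get("src", ""), rec.get("dst", ""), rec.get("uri")))
    return hits


def find_syn_bursts(lines: list[str], threshold: int = 50) -> dict[tuple[str, str], int]:
    """Count outbound SYN-only flows per (src, dst) and return pairs at or over threshold.

    A bot running a SYN flood emits many SYNs to one destination with no
    completed handshakes, which is what this simple counter captures.
    """
    counts: Counter[tuple[str, str]] = Counter()
    for rec in map(parse_line, lines):
        if rec and rec.get("proto") == "tcp" and rec.get("flags") == "S":
            counts[(rec["src"], rec["dst"])] += 1
    return {pair: n for pair, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for hit in find_dropper_fetches(SAMPLE_LOG):
        print("IOC match:", hit)
    for (src, dst), n in find_syn_bursts(SAMPLE_LOG).items():
        print(f"SYN burst: {src} -> {dst} ({n} SYNs)")
```

In a real deployment the indicator list would be loaded from a feed rather than hard-coded, and the SYN threshold tuned to the baseline of the IoT segment; the point of the example is that the infection stage and the attack stage leave different, separately detectable footprints in the same log source.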
The emergence of ShadowV2 underscores the ongoing challenge presented by the vast and often unsecured IoT landscape. Organizations should prioritize a complete device inventory, regular firmware patching, and network segmentation to limit the impact of threats of this kind. That old vulnerabilities are still being exploited successfully points to a gap in many organizations’ patch management, leaving them exposed to widespread disruption. Threat actors are likely to keep expanding their botnets by exploiting similar known and as-yet-unknown vulnerabilities across an ever-growing range of connected devices.