ShadowV2 Botnet Uses Misconfigured Docker Containers for DDoS Attacks

Darktrace researchers have uncovered a new distributed denial-of-service (DDoS) botnet that exploits misconfigured Docker containers. Instead of operating like a conventional botnet, ShadowV2 sells access to infected systems, allowing clients to launch their own attacks.

A New Take on DDoS-as-a-Service
ShadowV2 breaks from the traditional model of for-hire DDoS services. The operators use a Python-based command server hosted on GitHub CodeSpaces and a sophisticated attack toolkit that blends traditional malware with modern DevOps techniques.
The infection chain begins with a Python script hosted on GitHub CodeSpaces. Attackers exploit internet-exposed Docker daemons, particularly those running on AWS instances. Unlike typical approaches that rely on prebuilt images from Docker Hub, the threat actors create a standard container, install tools inside it, then capture a customized image to deploy as the working container.
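The misconfiguration this chain depends on is a Docker daemon whose API socket is bound to a network interface without client-certificate authentication. The following check is an added example written for this article, not Darktrace's tooling and not code from the report: it audits an in-memory daemon.json document for that exposure. The daemon.json keys it reads (hosts, tls, tlsverify, tlscacert, tlscert, tlskey) are real dockerd settings; the two sample documents and the certificate paths in them are constructed.

```python
"""Audit a Docker daemon configuration for unauthenticated remote API exposure.

Added example: not Darktrace's tooling and not code from the article.
The daemon.json keys used (hosts, tls, tlsverify, tlscacert, tlscert,
tlskey) are real dockerd settings; the sample documents below are constructed.
"""
import json
from urllib.parse import urlparse

# Bind addresses that keep the API reachable only from the host itself
LOOPBACK = {"127.0.0.1", "::1", "localhost"}
CERT_KEYS = ("tlscacert", "tlscert", "tlskey")


def audit_daemon_config(config: dict) -> list[str]:
    """Return findings for a parsed daemon.json; an empty list means no remote exposure.

    With no "hosts" entry dockerd listens only on the unix socket, which is
    why an empty configuration produces no findings.
    """
    findings = []
    for host in config.get("hosts", []):
        url = urlparse(host)
        if url.scheme != "tcp":
            continue  # unix:// and fd:// listeners are local-only
        if (url.hostname or "") in LOOPBACK:
            continue  # loopback-bound TCP is not reachable from the network
        if config.get("tlsverify"):
            # tlsverify demands a client certificate signed by the CA in tlscacert
            missing = [k for k in CERT_KEYS if k not in config]
            if missing:
                findings.append(f"{host}: tlsverify set but missing {', '.join(missing)}")
        elif config.get("tls"):
            # tls alone encrypts the channel but does not authenticate clients
            findings.append(f"{host}: TLS without tlsverify, any client gets root-equivalent API access")
        else:
            findings.append(f"{host}: plaintext Docker API bound to a non-loopback address")
    return findings


def audit_daemon_json(text: str) -> list[str]:
    """Convenience wrapper that takes the raw file contents."""
    return audit_daemon_config(json.loads(text))


# Constructed sample: the exposure the infection chain relies on
WEAK_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}"""

# Constructed sample: remote API kept, but only for clients holding a
# certificate signed by the CA in tlscacert (paths are placeholders)
HARDENED_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""

if __name__ == "__main__":
    for label, doc in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(label, audit_daemon_json(doc) or ["ok"])
```

A clean daemon.json is not proof on its own: dockerd can also receive listeners through -H flags in a systemd unit, so confirm with ss or netstat which address ports 2375 and 2376 are actually bound to. Note also that tls without tlsverify only encrypts the channel; anyone who can reach the socket still has full control of the host.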

Inside the Malware
Researchers found that each container functions as a wrapper for a Go-based binary that evades detection by common antivirus platforms. Two versions of the malware were uploaded to VirusTotal—on June 25 and July 30—but remain undetected.
The malware launches multiple threads with customizable HTTP clients using the open-source Valyala Fast HTTP library, enabling high-performance HTTP flood attacks. It also employs advanced evasion techniques, including:
- HTTP/2 rapid reset
- Spoofed forwarding headers with randomized IP addresses
- Bypass methods for Cloudflare’s Under Attack Mode (UAM)

Command-and-Control and API Exposure
Although the malware’s command server is shielded by Cloudflare, analysts believe it is running on GitHub CodeSpaces. A misconfiguration allowed researchers to retrieve the server’s API documentation, exposing all available endpoints.
The custom API revealed a platform with authentication, role-based privileges, and restrictions on attack types. These findings confirmed that ShadowV2 is not just a botnet—it is a DDoS-as-a-service product.

Turning a Botnet Into a Platform
“The ShadowV2 operators do not launch attacks themselves—they have created a platform where clients rent access to the infected network and conduct their own DDoS campaigns,” explained Darktrace researchers.
Evidence suggests that clients must supply the API with a list of compromised systems to initiate an attack. In other words, ShadowV2 provides the infrastructure but leaves the campaign execution to paying users.

Implications for Defenders
Darktrace researchers warn that ShadowV2 calls for a shift in detection strategy.
“The API and full-fledged interface turn this botnet into a genuine platform. This changes detection approaches—the focus now should be on looking for suspicious activity: strange Docker API calls, automated container operations, systematic outbound connections from temporary nodes. Defenders should view ShadowV2 as a commercial product with development plans—track modular updates, abuses of cloud services, and new rental models, rather than individual campaigns.”
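The quoted guidance (strange Docker API calls, automated container operations) can be turned into a concrete rule. The script below is an added example written for this article, not Darktrace's detection logic. It runs over constructed access-log lines of the form timestamp, source address, method, request path, as a reverse proxy or audit hook in front of the daemon might record them, and flags two things: API calls from hosts outside a management allowlist, and the create, exec, commit, create sequence that corresponds to the "build a container in place, then commit a custom image" step described earlier. The Engine API paths (/containers/create, /containers/{id}/exec, /commit, /containers/{id}/start) are real; the log format, addresses, container ids, window and allowlist are constructed.

```python
"""Flag build-in-place automation and unexpected callers in Docker Engine API logs.

Added example, not Darktrace's detection logic. The Engine API paths are real;
the log format, addresses, container ids and allowlist are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed format: ISO timestamp, source address, method, request path
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(GET|POST|PUT|DELETE)\s+(\S+)$")

# Engine API operations of interest; the /vX.Y version prefix is optional
STEP_PATTERNS = (
    ("create", re.compile(r"^(?:/v[\d.]+)?/containers/create$")),
    ("exec", re.compile(r"^(?:/v[\d.]+)?/containers/[^/]+/exec$")),
    ("commit", re.compile(r"^(?:/v[\d.]+)?/commit$")),
    ("start", re.compile(r"^(?:/v[\d.]+)?/containers/[^/]+/start$")),
)

# Create a container, run commands in it, snapshot it as an image, then
# create a new container: the in-place image build the article describes
BUILD_IN_PLACE = ("create", "exec", "commit", "create")

# Constructed allowlist of hosts expected to drive this daemon (e.g. a CI runner)
TRUSTED_SOURCES = {"127.0.0.1", "10.0.0.5"}


def classify(path: str):
    """Map a request path (query string already stripped) to a step name, or None."""
    for name, pattern in STEP_PATTERNS:
        if pattern.match(path):
            return name
    return None


def parse_log(lines):
    """Yield (timestamp, source, step) for lines that hit a step of interest."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, src, _method, path = m.groups()
        step = classify(path.split("?", 1)[0])
        if step:
            yield datetime.fromisoformat(ts.replace("Z", "+00:00")), src, step


def has_sequence(events, pattern, window: timedelta) -> bool:
    """True if `pattern` occurs as a subsequence of time-ordered (ts, step) events
    whose first and last element lie within `window`; greedy matching is enough
    to decide existence."""
    for i, (t0, step) in enumerate(events):
        if step != pattern[0]:
            continue
        idx = 1
        for t, s in events[i + 1:]:
            if t - t0 > window:
                break
            if s == pattern[idx]:
                idx += 1
                if idx == len(pattern):
                    return True
    return False


def detect(lines, window_seconds: int = 600):
    """Return (source, rule) findings for the given log lines."""
    window = timedelta(seconds=window_seconds)
    by_src = defaultdict(list)
    for ts, src, step in sorted(parse_log(lines)):
        by_src[src].append((ts, step))
    findings = []
    for src, events in by_src.items():
        if src not in TRUSTED_SOURCES:
            findings.append((src, "untrusted_source"))
        if has_sequence(events, BUILD_IN_PLACE, window):
            findings.append((src, "build_in_place_sequence"))
    return findings


# Constructed sample log: a routine deployment from a trusted host, then the
# create/exec/commit/create pattern driven from an outside address
SAMPLE_LOG = """\
2025-08-01T09:00:00Z 10.0.0.5 POST /v1.43/images/create?fromImage=nginx
2025-08-01T09:00:02Z 10.0.0.5 POST /v1.43/containers/create?name=web
2025-08-01T09:00:03Z 10.0.0.5 POST /v1.43/containers/web/start
2025-08-01T09:12:10Z 198.51.100.23 GET /v1.43/version
2025-08-01T09:12:11Z 198.51.100.23 POST /v1.43/containers/create
2025-08-01T09:12:15Z 198.51.100.23 POST /v1.43/containers/4f2a1c/exec
2025-08-01T09:12:16Z 198.51.100.23 POST /v1.43/exec/9b1d/start
2025-08-01T09:13:40Z 198.51.100.23 POST /v1.43/commit?container=4f2a1c&repo=worker
2025-08-01T09:13:42Z 198.51.100.23 POST /v1.43/containers/create
2025-08-01T09:13:43Z 198.51.100.23 POST /v1.43/containers/77ee01/start
"""

if __name__ == "__main__":
    for src, rule in detect(SAMPLE_LOG.splitlines()):
        print(f"{src}\t{rule}")
```

The two rules are deliberately independent: a legitimate build host can also trip the sequence rule, which is why the allowlist is the tuning knob rather than the sequence itself. If the daemon only listens on the unix socket, the same logic applies to audit records of who talked to that socket, since the ShadowV2 chain starts with whichever path reaches the API.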