
ShadowV2 turns DDoS into a cloud-native subscription service

Once inside, the malware deploys a Go-based RAT that keeps in constant contact with its operators, phoning home every second to poll for commands and, on instruction, launching large HTTP flood attacks. The attackers were also seen using more advanced flood techniques, HTTP/2 rapid reset and a bypass for Cloudflare’s “under attack mode”, to maximise disruption against protected targets.
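A once-per-second command poll is a control-plane signature, not a host indicator: on the network it looks like a fixed-interval, low-jitter stream of connections from one host to one destination. The following detector, added here as an illustration and not code from Darktrace or from the ShadowV2 operators, groups outbound connection records by (source, destination), computes inter-arrival gaps, and flags pairs whose polling is both frequent and regular. The log schema, the addresses (documentation ranges), the sample events and the thresholds are all constructed assumptions for the example.

```go
package main

import (
	"fmt"
	"math"
	"sort"
	"time"
)

// Event is one outbound connection record (timestamp, source host, destination host:port),
// the kind of row a flow collector or egress proxy log yields. Assumed schema for this example.
type Event struct {
	At  time.Time
	Src string
	Dst string
}

// Verdict summarises the polling pattern of one (src, dst) pair.
type Verdict struct {
	Src, Dst string
	Count    int
	MeanGap  float64 // mean inter-arrival time in seconds
	Jitter   float64 // coefficient of variation of the gaps (std / mean)
	Beacon   bool
}

// meanAndCV returns the mean of xs and its coefficient of variation.
func meanAndCV(xs []float64) (mean, cv float64) {
	for _, x := range xs {
		mean += x
	}
	mean /= float64(len(xs))
	var ss float64
	for _, x := range xs {
		d := x - mean
		ss += d * d
	}
	if mean == 0 {
		return 0, 0
	}
	return mean, math.Sqrt(ss/float64(len(xs))) / mean
}

// DetectBeacons groups events by (src, dst), computes inter-arrival gaps and flags pairs that
// poll both frequently (mean gap <= maxGap seconds) and regularly (jitter <= maxJitter) once
// at least minCount connections have been seen. A RAT asking its operators for commands every
// second shows up as a mean gap near 1.0 with very low jitter; human-driven traffic has large,
// irregular gaps and is left alone.
func DetectBeacons(events []Event, minCount int, maxGap, maxJitter float64) []Verdict {
	groups := map[[2]string][]time.Time{}
	for _, e := range events {
		k := [2]string{e.Src, e.Dst}
		groups[k] = append(groups[k], e.At)
	}
	var out []Verdict
	for k, ts := range groups {
		sort.Slice(ts, func(i, j int) bool { return ts[i].Before(ts[j]) })
		v := Verdict{Src: k[0], Dst: k[1], Count: len(ts)}
		if len(ts) >= 2 {
			gaps := make([]float64, 0, len(ts)-1)
			for i := 1; i < len(ts); i++ {
				gaps = append(gaps, ts[i].Sub(ts[i-1]).Seconds())
			}
			v.MeanGap, v.Jitter = meanAndCV(gaps)
		}
		v.Beacon = v.Count >= minCount && v.MeanGap > 0 && v.MeanGap <= maxGap && v.Jitter <= maxJitter
		out = append(out, v)
	}
	// deterministic order for callers and tests
	sort.Slice(out, func(i, j int) bool { return out[i].Src+out[i].Dst < out[j].Src+out[j].Dst })
	return out
}

// SampleEvents builds a constructed log: one host polling a made-up C2 address once per second
// with +/-20 ms of jitter, and another host fetching from a benign-looking address at
// human-paced, irregular intervals. Addresses are from documentation ranges (TEST-NET).
func SampleEvents() []Event {
	start := time.Date(2025, 9, 24, 12, 0, 0, 0, time.UTC)
	var ev []Event
	t := start
	for i := 0; i < 30; i++ {
		ev = append(ev, Event{At: t, Src: "10.0.0.5", Dst: "203.0.113.7:8080"})
		// gap cycles through 0.98 s, 1.00 s, 1.02 s: tight, machine-driven polling
		t = t.Add(time.Second + time.Duration(20*(i%3-1))*time.Millisecond)
	}
	t = start
	for _, gap := range []float64{3, 47, 12, 120, 5, 60, 200, 8, 30, 90} {
		ev = append(ev, Event{At: t, Src: "10.0.0.9", Dst: "198.51.100.4:443"})
		t = t.Add(time.Duration(gap * float64(time.Second)))
	}
	ev = append(ev, Event{At: t, Src: "10.0.0.9", Dst: "198.51.100.4:443"})
	return ev
}

func main() {
	for _, v := range DetectBeacons(SampleEvents(), 10, 2.0, 0.2) {
		fmt.Printf("%s -> %s: n=%d mean=%.3fs jitter=%.3f beacon=%v\n",
			v.Src, v.Dst, v.Count, v.MeanGap, v.Jitter, v.Beacon)
	}
}
```

In practice the thresholds need tuning per environment, and known fixed-interval talkers (monitoring agents, NTP, container health checks) must be allowlisted first, since they produce the same low-jitter signature; the point of the check is that it fires on the polling behaviour itself, which survives changes to the binary, the destination address or the HTTP path.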

Kelvin Lim, senior director and head of security engineering (APAC) at Black Duck, explained, “DDoS-as-a-service lowers the barrier of entry for hackers and enables even low-skilled actors to launch large-scale attacks with minimal effort. Misconfigured Docker environments will always be a prime target.” Organizations must harden Docker environments, enforce least privilege, and integrate security earlier in the CI/CD pipeline, he added.

From botnet to business platform

ShadowV2 is not just malware; it is a marketplace. Darktrace uncovered a full operator interface built with Tailwind and FastAPI, complete with Swagger documentation, admin and user privilege tiers, blacklists, and modular attack options. The design mirrors legitimate SaaS platforms, with dashboards and animations that make launching a DDoS as easy as clicking ‘start’.

Jason Soroko, senior fellow at Sectigo, sees this as part of a broader criminal trend. “This research points to a maturing criminal market where specialization beats sprawl. The presence of an API and full UI turns a botnet into a problem, which shifts detection from host indicators toward control plane behaviors,” Soroko said.
