
Update Now: Stop ShadowV2 From Ruining Your WiFi

Category: Latest News

A new malicious campaign, ShadowV2, is compromising Internet of Things (IoT) devices worldwide, according to a recent report from FortiGuard Labs.

The botnet variant, based on Mirai, was first detected at the end of October 2025, during a major AWS connectivity outage. The timing suggests that the operators may have used the cover of the disruption to test their infrastructure and infection method before launching a series of larger attacks.

Worldwide Exploitation of Unprotected IoT Devices 

FortiGuard’s sensors have recorded numerous ShadowV2-related intrusion attempts across regions and industries, including technology, telecommunications, manufacturing, education, and government networks.

The malware spreads by exploiting vulnerabilities in widely deployed IoT device platforms, including DD-WRT, D-Link, DigiEver, TBK, and TP-Link products.

Devices identified as vulnerable include D-Link DNS-320 and GO-RT-AC750 routers, DigiEver DS-2105 systems, TBK DVRs, and the TP-Link Archer router series. Once a device is compromised, the attackers control it remotely to carry out their attacks.

The initial infections have been traced back to several known vulnerability classes, including arbitrary command execution, remote code execution, and buffer overflow flaws.

Upon a successful break-in, the malware uses a downloader script called binary.sh to retrieve the main payload from the server at 81.88.18.108. ShadowV2 then attempts to contact its command-and-control (C2) server at silverpath.shadowstresser.info.

If DNS cannot resolve this domain, the malware falls back to connecting directly to the same hardcoded IP address, keeping its channel to the attackers open.
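The downloader and C2 behaviour described above translates directly into detection logic. The script below is an added example (not from the FortiGuard report or this article) that triages constructed DNS, connection and HTTP log lines against the indicators quoted here, and specifically flags the documented DNS-failure-then-direct-IP fallback; the three log formats and the sample lines are assumptions, so adapt the regexes to your own log sources.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Indicators quoted in the write-up summarised above
C2_DOMAIN = "silverpath.shadowstresser.info"
PAYLOAD_IP = "81.88.18.108"   # payload host; also the hardcoded C2 fallback
DOWNLOADER = "binary.sh"

# Constructed log formats (assumption; adapt to your own DNS/proxy/flow logs):
#   DNS  <ts> <src_ip> query <qname> <rcode>
#   CONN <ts> <src_ip> -> <dst_ip>:<dport>
#   HTTP <ts> <src_ip> GET <url>
DNS_RE = re.compile(r"^DNS\s+(\S+)\s+(\S+)\s+query\s+(\S+)\s+(\S+)$")
CONN_RE = re.compile(r"^CONN\s+(\S+)\s+(\S+)\s+->\s+(\S+):(\d+)$")
HTTP_RE = re.compile(r"^HTTP\s+(\S+)\s+(\S+)\s+GET\s+(\S+)$")

def triage(lines):
    """Return {src_ip: sorted findings} for hosts that match ShadowV2 indicators."""
    findings = defaultdict(set)
    dns_failed = set()  # hosts whose lookup of the C2 domain did not succeed
    for line in lines:
        if m := DNS_RE.match(line):
            _, src, qname, rcode = m.groups()
            if qname.rstrip(".").lower() == C2_DOMAIN:
                findings[src].add("c2-dns-lookup")
                if rcode != "NOERROR":
                    dns_failed.add(src)
        elif m := CONN_RE.match(line):
            _, src, dst, _ = m.groups()
            if dst == PAYLOAD_IP:
                findings[src].add("direct-conn-payload-ip")
                if src in dns_failed:  # the fallback behaviour the report describes
                    findings[src].add("c2-ip-fallback-after-dns-failure")
        elif m := HTTP_RE.match(line):
            _, src, url = m.groups()
            parsed = urlparse(url)
            if parsed.hostname == PAYLOAD_IP:
                findings[src].add("http-to-payload-host")
            if parsed.path.rsplit("/", 1)[-1] == DOWNLOADER:
                findings[src].add("downloader-script-name")
    return {host: sorted(hits) for host, hits in findings.items()}

SAMPLE_LOGS = [  # constructed sample lines, not real telemetry
    "HTTP 10:00:01 192.0.2.10 GET http://81.88.18.108/binary.sh",
    "DNS 10:00:02 192.0.2.10 query silverpath.shadowstresser.info. NXDOMAIN",
    "CONN 10:00:03 192.0.2.10 -> 81.88.18.108:443",
    "DNS 10:00:05 192.0.2.20 query example.com. NOERROR",
    "CONN 10:00:06 192.0.2.20 -> 198.51.100.7:443",
]

if __name__ == "__main__":
    for host, hits in triage(SAMPLE_LOGS).items():
        print(host, hits)
```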

ShadowV2 events have been reported in North and South America, Europe, Africa, Asia, and Australia. Targeting more than 20 countries, the campaign is able to affect unpatched and misconfigured IoT devices worldwide.

Explore ShadowV2 Malware and Its Functions 

Analysis shows that ShadowV2’s code borrows heavily from Mirai’s LZRD variant, with additional features aimed at improved survivability and control. On execution it prints the message “ShadowV2 Build v1.0.0 IoT version,” indicating a first build tailored for embedded IoT devices.

The configuration is XOR-obfuscated with the key 0x22. It contains system paths, HTTP headers, and browser user-agent strings used to make the malware’s traffic look like normal web requests.

After infiltration, ShadowV2 establishes persistence on the compromised system and awaits commands from its operators to flood victims’ servers with traffic, making them inaccessible to legitimate users.

It can launch floods of various kinds, including UDP, TCP, and HTTP-based attacks, giving threat actors the ability to overwhelm their targets with high-bandwidth traffic and force outages.

FortiGuard’s defences can now detect and block this behaviour through antivirus and intrusion prevention signatures, classified under names such as ELF/Mirai.A!tr and Bash/Mirai.CIU!tr.dldr.

The emergence of ShadowV2 is a sign that the use of compromised IoT ecosystems for botnet operations is on the rise, a trend that cybercriminals are taking full advantage of.

To lessen the risk of being targeted by a ShadowV2-style campaign, Fortinet researchers recommend that organisations take the following steps:

  • Applying firmware updates without delay
  • Checking IoT traffic for unusual activities
  • Using strong network segmentation
