Darktrace has profiled ShadowV2, a new DDoS botnet that targets exposed Docker environments and monetizes access through a DDoS‑as‑a‑Service model. The campaign stands out for its use of mainstream DevOps tooling—most notably GitHub Codespaces—as control infrastructure and for emphasizing behavioral stealth over static indicators such as known images or fixed command‑and‑control hosts.
Why ShadowV2 is different: a platform approach to DDoS operations
Instead of a single hard‑coded command server, ShadowV2 operators deploy a Python‑based controller believed to run in GitHub Codespaces, shielded behind Cloudflare. Due to a misconfiguration, analysts retrieved the server’s API documentation and endpoint list, revealing multi‑tier authentication, role management, and attack constraints—features aligned with a commercial service rather than a one‑off botnet. In practice, clients rent access and manage their own attack jobs through an API, signaling a shift toward platformized DDoS orchestration.
Intrusion chain: from exposed Docker API to weaponized workload
The compromise begins with a Python script hosted in Codespaces that automates discovery and exploitation of Internet‑facing Docker API endpoints, including those on AWS instances. Rather than pulling a known image from Docker Hub, the actor launches a temporary “setup” container, installs tooling, builds a custom image, and deploys it as the runtime container. This on‑the‑fly build process minimizes signature overlap with public repositories and blunts simple deny‑lists or static IoCs.
Attack tooling: Go engine, FastHTTP, and Layer‑7 evasion
Inside the deployed container, researchers observed a Go binary that drives the attack traffic. It spins up multiple worker threads, each using a configurable HTTP client built on the Valyala FastHTTP library (chosen for high‑throughput request generation), to conduct HTTP flood attacks. Evasion techniques include HTTP/2 Rapid Reset (CVE‑2023‑44487)—widely abused in 2023 per reports by Google, Cloudflare, and AWS—spoofing of forwarding headers with randomized IP addresses, and bypass behaviors aimed at Cloudflare’s Under Attack Mode (UAM). Samples were uploaded to VirusTotal on June 25 and July 30; initial submissions showed zero detections, underscoring the efficacy of the actor’s obfuscation and build pipeline.
DDoS-as-a-Service without a traditional centralized botnet
A key differentiator is ShadowV2’s customer‑facing API, through which paying users submit lists of already compromised nodes to enroll in an attack. This distribution model breaks from classic botnets where operators centrally manage all “zombie” hosts. Comparable abuse of cloud and CI/CD services has been observed historically, but a mature, role‑based platform with granular attack controls remains uncommon and raises the operational bar for defenders.
Detection priorities: behavior-led signals in cloud and CI/CD
With static indicators offering limited value, defenders should pivot to behavioral analytics across cloud and DevOps pipelines. High‑fidelity signals include anomalous Docker API calls, automated container lifecycle operations, ephemeral outbound connections to transient hosts, unusual egress spikes, and the sudden presence of high‑performance HTTP clients within containers. Prior campaigns by TeamTNT and Kinsing similarly began with exposed Docker sockets; Internet‑wide scans (Censys, Shodan) consistently find thousands of open Docker endpoints—providing a sizable attack surface.
Risk reduction: Docker hardening and network controls that matter
- Lock down the Docker API: disable the public TCP socket, prefer the UNIX socket, enforce TLS and authentication, and restrict access via AWS Security Groups and VPC network ACLs.
- Apply least privilege: use minimal base images, read‑only filesystems where possible, and integrity controls to prevent post‑deploy mutation.
- Monitor build and run events: alert on unexpected “setup” containers, ad‑hoc docker build invocations, and suspicious containerd operations.
- Constrain egress: enforce VPC/subnet egress policies, require authenticated proxies, and watch for high‑rate HTTP/2 traffic or Rapid Reset patterns.
- Harden the edge: enable rate limiting and Layer‑7 protections against HTTP flood, validate headers (including X‑Forwarded‑For), and require client verification where feasible.
- Continuously scan external exposure: routinely check Docker, Kubelet, Prometheus, Redis, and other high‑risk services for Internet reachability.
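To make the behavior‑led signals described under detection priorities and the “Monitor build and run events” item concrete, here is an added example (not Darktrace’s code or tooling) that scans `docker events --format '{{json .}}'` output for the sequence the intrusion chain describes: a throwaway container create, an image tagged locally on the host, then a container created from that freshly built tag. The event lines are constructed, and the 600‑second correlation window is an assumption.

```python
import json

WINDOW_SECONDS = 600  # assumed window: setup create -> local tag -> runtime create

# Constructed sample of `docker events --format '{{json .}}'` output; not real telemetry.
SAMPLE_EVENTS = """
{"Type":"container","Action":"create","Actor":{"ID":"c1","Attributes":{"image":"python:3.11","name":"setup"}},"time":1000}
{"Type":"container","Action":"start","Actor":{"ID":"c1","Attributes":{"image":"python:3.11","name":"setup"}},"time":1001}
{"Type":"image","Action":"tag","Actor":{"ID":"sha256:0123abcd","Attributes":{"name":"runtime:latest"}},"time":1050}
{"Type":"container","Action":"create","Actor":{"ID":"c2","Attributes":{"image":"runtime:latest","name":"runtime"}},"time":1060}
{"Type":"container","Action":"create","Actor":{"ID":"c3","Attributes":{"image":"nginx:1.25","name":"web"}},"time":1100}
"""


def parse_events(text):
    """Parse newline-delimited JSON events and return them oldest first."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    return sorted(events, key=lambda e: e["time"])


def detect_local_build_and_run(text, window=WINDOW_SECONDS):
    """Return one finding per container created from an image that was tagged on
    this host within `window` seconds and that was preceded, in the same window,
    by another container create (the throwaway "setup" container)."""
    findings = []
    local_tags = {}  # image reference -> time it was tagged on this host
    creates = []     # (time, name, image) of earlier container creates
    for ev in parse_events(text):
        attrs = ev.get("Actor", {}).get("Attributes", {})
        t = ev["time"]
        if ev["Type"] == "image" and ev["Action"] == "tag":
            local_tags[attrs.get("name", "")] = t
            continue
        if ev["Type"] != "container" or ev["Action"] != "create":
            continue
        image, name = attrs.get("image", ""), attrs.get("name", "")
        tagged_at = local_tags.get(image)
        if tagged_at is not None and t - tagged_at <= window:
            precursors = [c[1] for c in creates if t - c[0] <= window]
            if precursors:  # fresh local image + an earlier short-lived container
                findings.append({"container": name, "image": image,
                                 "precursors": precursors, "time": t})
        creates.append((t, name, image))
    return findings


if __name__ == "__main__":
    for f in detect_local_build_and_run(SAMPLE_EVENTS):
        print(f"ALERT: {f['container']} runs locally built {f['image']} after {f['precursors']}")
```

The `nginx:1.25` create is left alone because its image was never tagged on the host, which is what keeps this signal usable on busy Docker hosts.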
ShadowV2 illustrates how adversaries weaponize DevOps platforms to industrialize DDoS with a minimal signature footprint and flexible operations. Organizations should audit Docker and cloud access paths, adopt behavior‑based detection, and tighten egress and L7 controls. Proactive discovery of exposed services and automated monitoring of Docker API activity will help teams get ahead of the next iteration of platform‑driven botnets.