A research team at FortiGuard Labs has identified a new Mirai-based IoT botnet named ShadowV2, which weaponizes routers, network video recorders (NVRs) and NAS systems for large-scale DDoS attacks. The botnet exploits at least eight known vulnerabilities in products from D-Link, TP-Link and several other vendors, posing a threat to both home networks and enterprise infrastructure.
ShadowV2 botnet activity linked to October 2024 AWS outage
According to FortiGuard Labs, ShadowV2 activity was first observed during a major AWS cloud platform incident in October 2024. The botnet’s traffic appeared only during this disruption and then disappeared, suggesting a limited, time‑boxed test run of the attacker’s infrastructure rather than a long-term campaign.
Attack traffic originated from a single IP address, 198[.]199[.]72[.]27, and targeted routers, NAS appliances and video recorders across various network segments. The controlled and narrow operational window indicates a pre‑planned trial of a new Mirai variant, potentially in preparation for larger, more sustained DDoS operations.
Exploited vulnerabilities in D-Link, TP-Link and other IoT devices
D-Link end-of-life routers as high-risk entry points
ShadowV2 heavily focuses on vulnerabilities in D-Link devices, many of which are already classified as End‑of‑Life (EoL) and no longer receive security patches. The botnet exploits the following D-Link CVEs to gain remote access:
– CVE-2020-25506
– CVE-2022-37055
– CVE-2024-10914
– CVE-2024-10915
The most critical is CVE-2024-10914, which enables remote command execution on outdated D-Link routers. The vendor has confirmed that no security updates will be released for some affected models because they have reached EoL status. This effectively leaves these devices as permanent, unpatchable entry points unless they are removed or tightly isolated.
A similar situation exists with CVE-2024-10915. D-Link updated its security advisory, added this new identifier and warned specifically about ShadowV2 activity. Users were reminded that EoL hardware no longer receives firmware updates and should be considered inherently high risk in any active network.
TP-Link and other vendors widen the attack surface
ShadowV2 does not rely solely on D-Link equipment. It chains multiple known vulnerabilities across different vendors to maximize its reach:
– CVE-2009-2765 – legacy devices running DD-WRT-based firmware;
– CVE-2023-52163 – DigiEver video recorders;
– CVE-2024-3721 – TBK devices;
– CVE-2024-53375 – TP-Link routers.
For CVE-2024-53375 in TP-Link routers, a beta firmware fix is reportedly available, but systems remain vulnerable until administrators deploy the update. This lag between patch availability and installation is a recurring weakness exploited by Mirai-style botnets worldwide.
Propagation method, Mirai lineage and DDoS capabilities
From a technical standpoint, ShadowV2 closely resembles the previously documented Mirai LZRD variant. Infection begins via a loader script named binary.sh, which is dropped onto a device after successful exploitation of one of the targeted CVEs. The script then retrieves the main payload from 81[.]88[.]18[.]108, installs it and enrolls the device into the botnet.
Once compromised, devices receive commands from the attacker’s command-and-control (C2) infrastructure and are used to generate DDoS traffic over UDP, TCP and HTTP. Multiple flood techniques are implemented for each protocol, making traffic filtering more challenging for defenders. Historically, Mirai-based botnets have been responsible for some of the largest recorded DDoS incidents, including the 2016 attack on DNS provider Dyn that disrupted major online services across the globe.
Global distribution and affected industry sectors
FortiGuard Labs detected ShadowV2 exploitation attempts in 28 countries, including Canada, the United States, Mexico, Brazil, Chile, the United Kingdom, several EU states, Russia, Kazakhstan, Middle Eastern countries, China, Japan, Taiwan, the Philippines and Australia. This broad distribution is typical of IoT botnets, which opportunistically scan the entire internet for exposed devices.
The attacks impacted organizations in at least seven sectors: government, technology, manufacturing, managed security service providers (MSSPs), telecommunications and education, among others. This confirms that the threat is not limited to consumer environments; poorly maintained IoT devices can compromise critical business operations and service availability.
Why ShadowV2 is a warning signal for IoT security strategies
ShadowV2 reinforces a long-standing pattern: old vulnerabilities and unsupported devices continue to be prime fuel for IoT botnets. Mirai’s source code has been public since 2016, enabling countless derivatives, yet many organizations still operate internet‑facing equipment with years‑old unpatched flaws.
IoT hardware typically has a longer physical lifespan than its support window. When vendors declare devices EoL, they often remain deployed for years in homes, SMEs and even critical infrastructure. Without segmentation or replacement, these systems become persistent footholds for attackers and are easily conscripted into DDoS botnets like ShadowV2.
FortiGuard Labs has published indicators of compromise (IoCs) to help security teams detect and block ShadowV2 activity. Incorporating these IoCs into intrusion detection systems (IDS), SIEM platforms and network monitoring tools is an essential step in early detection and response.
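As an added illustration of the IoC ingestion step described above (not code from FortiGuard Labs or from this article), the script below refangs the two defanged addresses the article names (the attack source and the binary.sh payload host), then scans a handful of constructed firewall and proxy log lines for contacts with those addresses or for fetches of the loader script. The log format and the internal addresses are assumptions chosen for the example; real deployments would feed the same matching logic from the full published IoC list.

```python
from __future__ import annotations
import re

# IoCs as they appear in the write-up, in defanged form (values from the article)
DEFANGED_IOCS = {
    "198[.]199[.]72[.]27": "ShadowV2 attack/scanning source",
    "81[.]88[.]18[.]108": "ShadowV2 payload host",
}
LOADER_NAME = "binary.sh"  # loader script name from the article


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a value that matches raw log text."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


IOCS = {refang(k): v for k, v in DEFANGED_IOCS.items()}

# Constructed sample log lines (not real telemetry); internal hosts use RFC 1918
# space and the unrelated external hosts use RFC 5737 documentation ranges.
SAMPLE_LOGS = [
    "fw: ACCEPT src=192.168.10.5 dst=81.88.18.108 proto=TCP dport=80",
    "proxy: 192.168.10.5 GET http://81.88.18.108/binary.sh 200",
    "fw: ACCEPT src=192.168.10.7 dst=198.51.100.20 proto=TCP dport=443",
    "fw: DROP src=198.199.72.27 dst=203.0.113.10 proto=TCP dport=8080",
    "proxy: 192.168.10.9 GET http://203.0.113.50/index.html 200",
]

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def scan_line(line: str) -> list[str]:
    """Return one alert string per IoC hit found in a single log line."""
    alerts = []
    for ip in sorted(set(IPV4.findall(line))):
        if ip in IOCS:
            alerts.append(f"{IOCS[ip]} ({ip})")
    if LOADER_NAME in line:
        alerts.append(f"loader script fetch ({LOADER_NAME})")
    return alerts


def scan_logs(lines) -> list[tuple[int, str, list[str]]]:
    """Scan lines in order; return (line_no, line, alerts) for every line that matched."""
    hits = []
    for no, line in enumerate(lines, 1):
        alerts = scan_line(line)
        if alerts:
            hits.append((no, line, alerts))
    return hits


if __name__ == "__main__":
    for no, line, alerts in scan_logs(SAMPLE_LOGS):
        print(f"line {no}: {'; '.join(alerts)} <- {line}")
```

The same pattern applies to a SIEM rule: match the refanged value, not the bracketed form the advisory prints, and alert on the loader name independently of the IP so a changed payload host still surfaces.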
ShadowV2 is a reminder that securing IoT ecosystems requires disciplined basics: keep router, camera, NVR and NAS firmware up to date; retire EoL devices instead of leaving them online; disable remote administration from the internet; segment IoT networks away from critical systems; and regularly review vendor advisories and threat intelligence reports. Organizations and home users that adopt these practices make it significantly harder for operators of Mirai-like botnets to turn everyday devices into engines for disruptive DDoS attacks.