{
	"id": "65d5eeb4-f13d-49a0-9184-6b23c276443d",
	"created_at": "2026-04-06T00:19:49.788385Z",
	"updated_at": "2026-04-10T13:11:26.547907Z",
	"deleted_at": null,
	"sha1_hash": "89bfea0c772b79d11d7f31caf6ba298d7039d320",
	"title": "ShadowV2 Casts a Shadow Over IoT Devices | FortiGuard Lab",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2653251,
	"plain_text": "ShadowV2 Casts a Shadow Over IoT Devices | FortiGuard Lab\r\nBy Vincent Li\r\nPublished: 2025-11-26 · Archived: 2026-04-05 17:28:33 UTC\r\nAffected Platforms: DD-WRT 24 sp1, D-Link DNS-320 FW v2.06B01 Revision Ax, D-Link Go-RT-AC750\r\nGORTAC750_revA_v101b03, D-Link GO-RT-AC750_revB_FWv200b02, Digiever DS-2105 Pro 3.1.0.71-11,\r\nTBK DVR-4104, TBK DVR-4216, D-Link DNS-320, D-Link DNS-320LW, D-Link DNS-325, D-Link DNS-340L, TP-Link Archer router series\r\nImpacted Users: Any organization\r\nImpact: Remote attackers gain control of the vulnerable systems\r\nSeverity Level: High\r\nAt the end of October, during a global disruption of AWS connections, FortiGuard Labs observed malware named\r\n“ShadowV2” spreading via IoT vulnerabilities. These incidents affected multiple countries worldwide and\r\nspanned seven different industries. So far, the malware appears to have only been active during the time of the\r\nlarge-scale AWS outage. We believe this activity was likely a test run conducted in preparation for future attacks.\r\nThe following sections provide a detailed analysis of these incidents and the ShadowV2 malware.\r\nIncidents\r\nFortinet sensors detected active exploitation attempts linked to a Mirai-based botnet known as ShadowV2. This\r\nvariant was propagating through multiple vulnerabilities identified and blocked by our Intrusion Prevention\r\nSystem (IPS). ShadowV2 had previously been observed targeting AWS EC2 instances in campaigns disclosed in\r\nSeptember.\r\nBased on our analysis, we believe that ShadowV2 was developed based on the architecture of an existing Mirai\r\nvariant and designed for IoT devices. 
It leveraged vulnerabilities affecting the following vendors’ products from\r\n198[.]199[.]72[.]27.\r\nDDWRT: CVE-2009-2765\r\nD-Link: CVE-2020-25506, CVE-2022-37055, CVE-2024-10914, CVE-2024-10915\r\nDigiEver: CVE-2023-52163\r\nTBK: CVE-2024-3721\r\nTP-Link: CVE-2024-53375\r\nFigure 1: DDWRT exploit traffic via CVE-2009-2765\r\nhttps://www.fortinet.com/blog/threat-research/shadowv2-casts-a-shadow-over-iot-devices\r\nPage 1 of 12\n\nFigure 2: D-Link exploit traffic via CVE-2020-25506\r\nFigure 3: DigiEver exploit traffic via CVE-2023-52163\r\nFigure 4: TBK exploit traffic via CVE-2024-3721\r\nFigure 5: TP-Link exploit traffic via CVE-2024-53375\r\nThe affected countries are distributed globally, including:\r\nAmerica: Canada, United States, Mexico, Brazil, Bolivia, Chile\r\nEurope: United Kingdom, Netherlands, Belgium, France, Czechia, Austria, Italy, Croatia, Greece\r\nAfrica: Morocco, Egypt, South Africa\r\nAsia: Turkey, Saudi Arabia, Russia, Kazakhstan, China, Thailand, Japan, Taiwan, Philippines\r\nOceania: Australia\r\nFigure 6: Worldwide countries affected by incidents\r\nWithin these countries, the compromised industries include technology, retail and hospitality, manufacturing,\r\nmanaged security services providers, government, telecommunication and carrier services, and education.\r\nMalware Analysis\r\nThe attacker spreads a downloader script binary.sh by exploiting multiple vulnerabilities and delivers the\r\n“ShadowV2” malware, prefixed with “shadow,” from 81[.]88[.]18[.]108.\r\nFigure 7: Downloader script binary.sh\r\nShadowV2 is similar in structure to the classic Mirai variant LZRD. It initializes an XOR-encoded configuration\r\nand its attack methods, and connects to a C2 server to receive commands that trigger DDoS attacks. 
The following\r\nanalysis is based on the x86-64 (AMD64) build named shadow.x86_64.\r\nIt XOR-decodes its configurations using a single-byte key, 0x22. The decoded configurations contain file system\r\npaths, HTTP headers, and User-Agent strings.\r\nFigure 8: XOR-encoded configuration\r\n%””% lzrd cock fest /proc/\r\n/exe (deleted) /fd\r\n.anime /status dvrHelper\r\nNiGGeR69xd 1337SoraLOADER NiGGeRd0nks1337\r\nX19I239124UIU IuYgujeIqn 14Fa\r\nccAD /proc/net/route /proc/cpuinfo\r\nBOGOMIPS /etc/rc.d/rc.local g1abc4dmo35hnp2lie0kjf\r\n/dev/watchdog /dev/misc/watchdog /dev/FTWDT101_watchdog\r\n/dev/netslink/ PRIVMSG GETLOCALIP\r\nKILLATTK Eats8 v[0v\r\n93OfjHZ2z GhostWuzHere666 WsGA4@F6F\r\nACDB AbAd iaGv\r\nshell enable system\r\nsh /bin/busybox LZRD LZRD: applet not found\r\nncorrect /bin/busybox ps /bin/busybox kill -9\r\nTSource Engine Query /etc/resolv.conf nameserver\r\nConnection: keep-alive keep-alive setCookie('\r\nrefresh: location: set-cookie:\r\ncontent-length: transfer-encoding: chunked\r\nconnection: server: dosarrest server: cloudflare-nginx\r\nassword ogin enter\r\ndkaowjfirhiad1j3edjkai\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;\r\nAccept-Language: en-US,en;q=0.8\r\nContent-Type: application/x-www-form-urlencoded\r\nMozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36\r\nMozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36\r\nMozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36\r\nMozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36\r\nMozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/601.7.7 (KHTML, like Gecko) Version/9.1.2 Safari/601.7.7\r\nMozilla/4.0 (compatible; MSIE 9.0; Windows NT 5.1; Trident/5.0)\r\nMozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/4.0; GTB7.4; InfoPath.3; SV1; .NET CLR 3.4.53360; WOW64; en-US)\r\nMozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/4.0; FDM; MSIECrawler; Media Center PC 5.0)\r\nMozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/4.0; GTB7.4; InfoPath.2; SV1; .NET CLR 4.4.58799; WOW64; en-US)\r\nMozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; FunWebProducts)\r\nMozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:25.0) Gecko/20100101 Firefox/25.0\r\nMozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:21.0) Gecko/20100101 Firefox/21.0\r\nMozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:24.0) Gecko/20100101 Firefox/24.0\r\nMozilla/5.0 (Macintosh; Intel Mac OS X 10_10; rv:33.0) Gecko/20100101 Firefox/33.0\r\nMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94\r\nShadowV2 first attempts to resolve C2 server domain\r\nsilverpath[.]shadowstresser[.]info, which should resolve to the IP address 81[.]88[.]18[.]108. If the domain cannot\r\nbe resolved by DNS server 8.8.8.8, ShadowV2 falls back to directly connecting to the hardcoded C2 server IP\r\naddress.\r\nFigure 9: Establish connection with C2 server\r\nWhile executing, the malware displays the string ShadowV2 Build v1.0.0 IoT version. 
Based on this string, we\r\nassess that it may be the first version of ShadowV2 developed for IoT devices.\r\nFigure 10: Display string while executing ShadowV2\r\nThe malware initializes its DDoS attack methods and allocates an attack function table.\r\nFigure 11: Initialize DDoS attack methods\r\nFigure 12: Initialize DDoS attack method \"UDP flood\"\r\nShadowV2 supports two transport-layer protocols (UDP and TCP) and the HTTP application protocol.\r\nImplemented attack methods include UDP floods, several TCP-based floods, and HTTP-level floods. The\r\nmalware maps these behaviors to internal function names, such as UDP, UDP Plain, UDP Generic, UDP Custom,\r\nTCP, TCP SYN, TCP Generic, TCP ACK, TCP ACK STOMP, and HTTP.\r\nIt listens for commands from its C2 server and triggers DDoS attacks using the corresponding attack method ID\r\nand parameters.\r\nFigure 13: Trigger DDoS attack methods\r\nConclusion\r\nOur analysis of ShadowV2 reveals that IoT devices remain a weak link in the broader cybersecurity landscape.\r\nThe evolution of ShadowV2 suggests a strategic shift in the targeting behavior of threat actors toward IoT\r\nenvironments. 
This underscores the importance of maintaining timely firmware updates, enforcing robust security\r\npractices, and continuously monitoring relevant threat intelligence to strengthen overall situational awareness and\r\nensure ecosystem resilience.\r\nFortinet Protections\r\nThe malware described in this report is detected and blocked by FortiGuard Antivirus as:\r\nBash/Mirai.CIU!tr.dldr\r\nLinux/Mirai.A!tr\r\nELF/Mirai.A!tr\r\nELF/Mirai.AE!tr\r\nELF/Mirai.AX!tr.botnet\r\nELF/UNSTABLE.AT!tr.botnet\r\nFortiGate, FortiMail, FortiClient, and FortiEDR support the FortiGuard AntiVirus service. The FortiGuard\r\nAntiVirus engine is part of each of these solutions. As a result, customers who have these products with up-to-date\r\nprotections are protected.\r\nThe FortiGuard Web Filtering Service blocks the C2 server.\r\nFortiGuard Labs provides an IPS signature against attacks exploiting the following vulnerabilities:\r\nCVE-2009-2765: DDWRT.HTTP.Daemon.Arbitrary.Command.Execution\r\nCVE-2020-25506: D-Link.ShareCenter.Products.CGI.Code.Execution\r\nCVE-2022-37055: D-Link.Go-RT-AC750.hnap_main.Buffer.Overflow\r\nCVE-2023-52163: DigiEver.DS-2105.Pro.time_tzsetup.cgi.Command.Injection\r\nCVE-2024-3721: TBK.DVR.SOSTREAMAX.Command.Injection\r\nCVE-2024-10914: D-Link.Devices.account_mgr.cgi.Command.Injection\r\nCVE-2024-10915: D-Link.Devices.account_mgr.cgi.Command.Injection\r\nCVE-2024-53375: TP-Link.Archer.Devices.tmp_get_sites.Command.Injection\r\nWe also suggest that organizations consider completing Fortinet’s free training module, Fortinet Certified\r\nFundamentals (FCF) in Cybersecurity. 
This module is designed to help end users learn how to identify and protect\r\nthemselves from phishing attacks.\r\nFortiGuard IP Reputation and Anti-Botnet Security Service proactively block these attacks by aggregating\r\nmalicious source IP data from the Fortinet distributed network of threat sensors, CERTs, MITRE, cooperative\r\ncompetitors, and other global sources that collaborate to provide up-to-date threat intelligence about hostile\r\nsources.\r\nIf you believe this or any other cybersecurity threat has impacted your organization, please contact our Global\r\nFortiGuard Incident Response Team.\r\nIOCs\r\nHosts\r\nsilverpath[.]shadowstresser[.]info\r\n81[.]88[.]18[.]108\r\n198[.]199[.]72[.]27\r\nFiles\r\nDownloader\r\n7dfbf8cea45380cf936ffdac18c15ad91996d61add606684b0c30625c471ce6a\r\nShadowV2\r\n0408d57c5ded5c79bf1c5b15dfde95547e17b81214dfc84538edcdbef4e61ffe\r\ndfaf34b7879d1a6edd46d33e9b3ef07d51121026b8d883fdf8aced630eda2f83\r\n6f1a5f394c57724a0f1ea517ae0f87f4724898154686e7bf64c6738f0c0fb7b6\r\n5b5daeaa4a7e89f4a0422083968d44fdfe80e9a32f25a90bf023bca5b88d1e30\r\nc0ac4e89e48e854b5ddbaef6b524e94cc86a76be0a7a8538bd3f8ea090d17fc2\r\n499a9490102cc55e94f6a9c304eea86bbe968cff36b9ac4a8b7ff866b224739f\r\nbb326e55eb712b6856ee7741357292789d1800d3c5a6be4f80e0cb1320f4df74\r\n24ad77ed7fa9079c21357639b04a526ccc4767d2beddbd03074f3b2ef5db1b69\r\n80ee2bf90545c0d539a45aa4817d0342ff6e79833e788094793b95f2221a3834\r\ncb42ae74216d81e87ae0fd51faf939b43655fe0be6740ac72414aeb4cf1fecf2\r\n22aa3c64c700f44b46f4b70ef79879d449cc42da9d1fe7bad66b3259b8b30518\r\nc62f8130ef0b47172bc5ec3634b9d5d18dbb93f5b7e82265052b30d7e573eef3\r\nSource: https://www.fortinet.com/blog/threat-research/shadowv2-casts-a-shadow-over-iot-devices",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/shadowv2-casts-a-shadow-over-iot-devices"
	],
	"report_names": [
		"shadowv2-casts-a-shadow-over-iot-devices"
	],
	"threat_actors": [
		{
			"id": "f9806b99-e392-46f1-9c13-885e376b239f",
			"created_at": "2023-01-06T13:46:39.431871Z",
			"updated_at": "2026-04-10T02:00:03.325163Z",
			"deleted_at": null,
			"main_name": "Watchdog",
			"aliases": [
				"Thief Libra"
			],
			"source_name": "MISPGALAXY:Watchdog",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434789,
	"ts_updated_at": 1775826686,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/89bfea0c772b79d11d7f31caf6ba298d7039d320.pdf",
		"text": "https://archive.orkl.eu/89bfea0c772b79d11d7f31caf6ba298d7039d320.txt",
		"img": "https://archive.orkl.eu/89bfea0c772b79d11d7f31caf6ba298d7039d320.jpg"
	}
}