ShadowV2 Casts a Shadow Over IoT Devices | FortiGuard Lab
By Vincent Li
Published: 2025-11-26 · Archived: 2026-04-05 17:28:33 UTC

Affected Platforms: DD-WRT 24 sp1, D-Link DNS-320 FW v2.06B01 Revision Ax, D-Link Go-RT-AC750 GORTAC750_revA_v101b03, D-Link GO-RT-AC750_revB_FWv200b02, Digiever DS-2105 Pro 3.1.0.71-11, TBK DVR-4104, TBK DVR-4216, D-Link DNS-320, D-Link DNS-320LW, D-Link DNS-325, D-Link DNS-340L, TP-Link Archer router series
Impacted Users: Any organization
Impact: Remote attackers gain control of the vulnerable systems
Severity Level: High

At the end of October, during a global disruption of AWS connections, FortiGuard Labs observed malware named “ShadowV2” spreading via IoT vulnerabilities. These incidents affected multiple countries worldwide and spanned seven different industries. So far, the malware appears to have only been active during the time of the large-scale AWS outage. We believe this activity was likely a test run conducted in preparation for future attacks. The following sections provide a detailed analysis of these incidents and the ShadowV2 malware.

Incidents

Fortinet sensors detected active exploitation attempts linked to a Mirai-based botnet known as ShadowV2. This variant was propagating through multiple vulnerabilities identified and blocked by our Intrusion Prevention System (IPS). ShadowV2 had previously been observed targeting AWS EC2 instances in campaigns disclosed in September. Based on our analysis, we believe that ShadowV2 was developed based on the architecture of an existing Mirai variant and designed for IoT devices. It leveraged vulnerabilities affecting the following vendors’ products, with exploitation traffic originating from 198[.]199[.]72[.]27.
DDWRT: CVE-2009-2765
D-Link: CVE-2020-25506, CVE-2022-37055, CVE-2024-10914, CVE-2024-10915
DigiEver: CVE-2023-52163
TBK: CVE-2024-3721
TP-Link: CVE-2024-53375

Figure 1: DDWRT exploit traffic via CVE-2009-2765
https://www.fortinet.com/blog/threat-research/shadowv2-casts-a-shadow-over-iot-devices Page 1 of 12
Figure 2: D-Link exploit traffic via CVE-2020-25506
Figure 3: DigiEver exploit traffic via CVE-2023-52163
Figure 4: TBK exploit traffic via CVE-2024-3721
Figure 5: TP-Link exploit traffic via CVE-2024-53375

The affected countries are distributed globally, including:

America: Canada, United States, Mexico, Brazil, Bolivia, Chile
Europe: United Kingdom, Netherlands, Belgium, France, Czechia, Austria, Italy, Croatia, Greece
Africa: Morocco, Egypt, South Africa
Asia: Turkey, Saudi Arabia, Russia, Kazakhstan, China, Thailand, Japan, Taiwan, Philippines
Oceania: Australia

Figure 6: Countries worldwide affected by the incidents

Within these countries, the compromised industries include technology, retail and hospitality, manufacturing, managed security service providers, government, telecommunication and carrier services, and education.

Malware Analysis

The attacker spreads a downloader script, binary.sh, by exploiting multiple vulnerabilities; the script delivers the “ShadowV2” malware binaries, whose file names are prefixed with “shadow,” from 81[.]88[.]18[.]108.

Figure 7: Downloader script binary.sh

ShadowV2 is similar in structure to the classic Mirai variant LZRD. It initializes an XOR-encoded configuration and its attack methods, then connects to a C2 server to receive commands that trigger DDoS attacks. The following analysis is based on the x86-64 (AMD64) build named shadow.x86_64. It XOR-decodes its configuration using a single-byte key, 0x22.
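As an added example (not code from the FortiGuard report or from the malware), the following Python recovers a single-byte XOR key from a Mirai-style encoded string table and dumps the decoded entries, the way an analyst would confirm the 0x22 key described above. The blob is constructed here from strings the report lists and encoded with 0x22; the marker strings used for scoring candidates are an assumption.

```python
# Added example, not code from the FortiGuard report or from the malware:
# recover a single-byte XOR key from a Mirai-style encoded string table and
# dump the decoded entries. The blob is constructed from strings the report
# lists and encoded with the key the report names (0x22).

# Strings the report shows in the decoded ShadowV2 configuration.
PLAINTEXT_ENTRIES = [
    b"/proc/", b"/dev/watchdog", b"/bin/busybox", b"TSource Engine Query",
    b"/etc/resolv.conf", b"Connection: keep-alive",
]
# Marker strings common to Mirai-family configs (assumption used for scoring).
MARKERS = (b"/bin/busybox", b"/proc/", b"/dev/watchdog")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; encoding and decoding are the same op."""
    return bytes(b ^ key for b in data)


def build_encoded_blob(entries, key=0x22) -> bytes:
    """Construct a NUL-separated string table and XOR-encode it (sample input)."""
    return xor_bytes(b"\x00".join(entries) + b"\x00", key)


def score(decoded: bytes) -> tuple:
    """Rank a candidate decoding: known markers found, then printable share."""
    hits = sum(1 for m in MARKERS if m in decoded)
    printable = sum(1 for b in decoded if b == 0 or 0x20 <= b < 0x7F)
    return (hits, printable / len(decoded))


def recover_key(blob: bytes) -> int:
    """Try all 256 single-byte keys and return the best-scoring one."""
    return max(range(256), key=lambda k: score(xor_bytes(blob, k)))


def extract_strings(blob: bytes, key: int, min_len: int = 4) -> list:
    """Decode with the key and split on NUL into the configuration entries."""
    return [s.decode("ascii", "replace")
            for s in xor_bytes(blob, key).split(b"\x00") if len(s) >= min_len]


if __name__ == "__main__":
    blob = build_encoded_blob(PLAINTEXT_ENTRIES)
    key = recover_key(blob)
    print(f"recovered key: 0x{key:02x}")
    for entry in extract_strings(blob, key):
        print("  ", entry)
```

The same scoring works on a real sample's data section once the encoded table has been carved out; only the marker list needs adjusting for other families.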
The decoded configuration contains file system paths, HTTP headers, and User-Agent strings.

Figure 8: XOR-encoded configuration
ShadowV2 first attempts to resolve the C2 server domain silverpath[.]shadowstresser[.]info, which should resolve to the IP address 81[.]88[.]18[.]108. If the domain cannot be resolved through the DNS server 8.8.8.8, ShadowV2 falls back to connecting directly to the hardcoded C2 server IP address.

Figure 9: Establish connection with C2 server

While executing, the malware displays the string “ShadowV2 Build v1.0.0 IoT version”. Based on this string, we assess that it may be the first version of ShadowV2 developed for IoT devices.

Figure 10: Display string while executing ShadowV2

The malware initializes its DDoS attack methods and allocates an attack function table.

Figure 11: Initialize DDoS attack methods
Figure 12: Initialize DDoS attack method "UDP flood"

ShadowV2 supports two transport-layer protocols (UDP and TCP) and the HTTP application protocol.
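The C2 behaviour described above (a lookup of the C2 domain sent to 8.8.8.8, then a direct connection to the hardcoded address) can be turned into simple network triage rules. The following Python is an added example, not the report's or Fortinet's code; the log record format, the IoT VLAN 10.20.0.0/16, the internal resolver 10.20.0.2, the hosts and the timestamps are constructed, and the "resolver bypass" rule assumes that VLAN is meant to use only the internal resolver.

```python
# Added example, not from the FortiGuard report: flag hosts showing the
# ShadowV2 C2 pattern in constructed DNS/connection records.
import ipaddress
from collections import defaultdict

C2_DOMAIN = "silverpath.shadowstresser.info"      # C2 host named in the report
C2_IP = "81.88.18.108"                             # hardcoded fallback address
MALWARE_RESOLVER = "8.8.8.8"                       # resolver the malware queries
IOT_SUBNET = ipaddress.ip_network("10.20.0.0/16")  # assumed IoT VLAN (constructed)

# Constructed records: (timestamp, src, dst, proto, queried name or "")
RECORDS = [
    ("2025-10-20T09:01:02Z", "10.20.3.17", "8.8.8.8", "dns", C2_DOMAIN),
    ("2025-10-20T09:01:03Z", "10.20.3.17", C2_IP, "tcp", ""),
    ("2025-10-20T09:05:10Z", "10.20.4.9", "10.20.0.2", "dns", "time.example"),
    ("2025-10-20T09:06:00Z", "192.168.1.50", "8.8.8.8", "dns", "www.example"),
    ("2025-10-20T09:07:00Z", "10.20.4.9", C2_IP, "tcp", ""),
]


def classify(record):
    """Return the reasons a single record matches the ShadowV2 C2 behaviour."""
    _ts, src, dst, proto, name = record
    reasons = []
    if proto == "dns" and name.lower().rstrip(".") == C2_DOMAIN:
        reasons.append("c2_domain_lookup")
    if proto != "dns" and dst == C2_IP:
        reasons.append("c2_ip_connect")
    # Weaker signal: an IoT-VLAN host bypassing the internal resolver to ask
    # 8.8.8.8 directly, as the malware does. Assumes the VLAN should only use
    # the internal resolver (constructed policy for this example).
    if (proto == "dns" and dst == MALWARE_RESOLVER
            and ipaddress.ip_address(src) in IOT_SUBNET):
        reasons.append("external_resolver_bypass")
    return reasons


def triage(records):
    """Aggregate reasons per source host; hosts with no matches are omitted."""
    hits = defaultdict(set)
    for rec in records:
        for reason in classify(rec):
            hits[rec[1]].add(reason)
    return {host: sorted(r) for host, r in sorted(hits.items())}


if __name__ == "__main__":
    for host, reasons in triage(RECORDS).items():
        print(host, ", ".join(reasons))
```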
The implemented attack methods include UDP floods, several TCP-based floods, and HTTP-level floods. The malware maps these behaviors to internal function names such as UDP, UDP Plain, UDP Generic, UDP Custom, TCP, TCP SYN, TCP Generic, TCP ACK, TCP ACK STOMP, and HTTP. It listens for commands from its C2 server and triggers DDoS attacks using the corresponding attack method ID and parameters.

Figure 13: Trigger DDoS attack methods

Conclusion

Our analysis of ShadowV2 reveals that IoT devices remain a weak link in the broader cybersecurity landscape. The evolution of ShadowV2 suggests a strategic shift in the targeting behavior of threat actors toward IoT environments. This underscores the importance of maintaining timely firmware updates, enforcing robust security practices, and continuously monitoring relevant threat intelligence to strengthen overall situational awareness and ensure ecosystem resilience.

Fortinet Protections

The malware described in this report is detected and blocked by FortiGuard Antivirus as:

Bash/Mirai.CIU!tr.dldr
Linux/Mirai.A!tr
ELF/Mirai.A!tr
ELF/Mirai.AE!tr
ELF/Mirai.AX!tr.botnet
ELF/UNSTABLE.AT!tr.botnet

FortiGate, FortiMail, FortiClient, and FortiEDR support the FortiGuard AntiVirus service. The FortiGuard AntiVirus engine is part of each of these solutions. As a result, customers who have these products with up-to-date protections are protected.

The FortiGuard Web Filtering Service blocks the C2 server.
FortiGuard Labs provides IPS signatures against attacks exploiting the following vulnerabilities:

CVE-2009-2765: DDWRT.HTTP.Daemon.Arbitrary.Command.Execution
CVE-2020-25506: D-Link.ShareCenter.Products.CGI.Code.Execution
CVE-2022-37055: D-Link.Go-RT-AC750.hnap_main.Buffer.Overflow
CVE-2023-52163: DigiEver.DS-2105.Pro.time_tzsetup.cgi.Command.Injection
CVE-2024-3721: TBK.DVR.SOSTREAMAX.Command.Injection
CVE-2024-10914: D-Link.Devices.account_mgr.cgi.Command.Injection
CVE-2024-10915: D-Link.Devices.account_mgr.cgi.Command.Injection
CVE-2024-53375: TP-Link.Archer.Devices.tmp_get_sites.Command.Injection

We also suggest that organizations consider completing Fortinet’s free training module, Fortinet Certified Fundamentals (FCF) in Cybersecurity. This module is designed to help end users learn how to identify and protect themselves from phishing attacks.

The FortiGuard IP Reputation and Anti-Botnet Security Service proactively blocks these attacks by aggregating malicious source IP data from the Fortinet distributed network of threat sensors, CERTs, MITRE, cooperative competitors, and other global sources that collaborate to provide up-to-date threat intelligence about hostile sources.

If you believe this or any other cybersecurity threat has impacted your organization, please contact our Global FortiGuard Incident Response Team.
IOCs

Hosts
silverpath[.]shadowstresser[.]info
81[.]88[.]18[.]108
198[.]199[.]72[.]27

Files
Downloader
7dfbf8cea45380cf936ffdac18c15ad91996d61add606684b0c30625c471ce6a
ShadowV2

Source: https://www.fortinet.com/blog/threat-research/shadowv2-casts-a-shadow-over-iot-devices