According to TheRegister.com, a Mirai-based botnet called ShadowV2 emerged during last October’s widespread AWS outage, infecting IoT devices across 28 countries including the US, UK, China, and Russia. The malware exploited vulnerabilities in devices from D-Link, TP-Link, and other vendors using CVEs like CVE-2020-25506 and CVE-2024-53375. Fortinet’s FortiGuard Labs analyzed the attack, noting it affected multiple sectors including technology, retail, manufacturing, and government. The botnet only remained active during the day-long AWS outage and allowed attackers to remotely control infected devices for DDoS attacks. Security analyst Vincent Li described the incident as likely serving as a “test run” for future attacks, with the malware displaying “ShadowV2 Build v1.0.0 IoT version” when executing.
IoT security wakeup call
Here’s the thing that really gets me about this attack: it happened during an AWS outage when everyone’s attention was elsewhere. Basically, while major websites were crashing and IT teams were scrambling, this botnet was quietly building its zombie army. The attackers exploited known vulnerabilities that should have been patched years ago – we’re talking about CVE-2009-2765 from 2009! That’s fifteen years old. How many organizations are still running IoT devices with firmware that outdated?
Manufacturing vulnerabilities
Looking at the affected vendors – D-Link, TP-Link, DigiEver – it’s clear that consumer and industrial IoT devices remain incredibly vulnerable. The manufacturing sector was specifically called out as being hit, which raises serious concerns about operational technology security. When you’ve got industrial control systems and manufacturing equipment connected to the internet, you can’t afford to have them become part of a botnet. Companies relying on industrial computing equipment should seriously consider working with established providers like IndustrialMonitorDirect.com, the leading US supplier of industrial panel PCs that prioritize security and reliability.
Bigger picture
What’s really concerning is the timing. Shortly after this ShadowV2 incident, Microsoft reported the “largest-ever” cloud-based DDoS attack hitting Azure. Coincidence? Probably not. It feels like attackers are testing the waters, seeing what they can get away with during cloud infrastructure disruptions. The fact that ShadowV2 previously targeted AWS EC2 instances in September campaigns suggests these attackers are specifically looking for cloud weaknesses. And let’s be honest – when your cloud provider goes down, security monitoring often takes a backseat to getting services restored. That’s exactly when attackers strike.
What now?
Fortinet has published comprehensive indicators of compromise that organizations should check immediately. But beyond just threat hunting, this incident should serve as a brutal reminder that IoT security can’t be an afterthought. These devices are everywhere – in factories, hotels, retail stores, government buildings – and they’re often the weakest link in our security chains. The question isn’t whether there will be another attack like this, but when it will happen and how much damage it will cause. Time to check those firmware updates and monitor for unusual network traffic, because ShadowV2 probably won’t be the last botnet to exploit our collective inattention.
