The Mirai ecosystem has a new variant that, according to researchers at Fortinet, may have been used as a test for future large-scale attacks.
The malware, known as ShadowV2, exploited a series of vulnerabilities in IoT devices from D-Link, TP-Link, DigiEver, TBK, DD-WRT, and others in late October. The activity began alongside the global AWS outage and stopped as soon as the outage was resolved. Although FortiGuard Labs says there is no direct relationship between the two incidents, the timing suggests that the campaign may have been a trial run to validate methods and infrastructure.
ShadowV2 targeted routers, NAS systems, and DVRs, device classes known for long service lives and sparse update policies. Many affected models no longer receive firmware updates, leaving them exposed to exploits for publicly known vulnerabilities. The malware spread through multiple exploits, each delivering a downloader script that ran as soon as a vulnerable device was found.
The downloader then fetched the payload from a server previously associated with Mirai variants. Once running, ShadowV2 announces itself with the string ShadowV2 Build v1.0.0 IoT version, which leads Fortinet to suspect that this is the first full iteration of this specific botnet variant.
Limited-scale infections
The attacks were detected in North and South America, Europe, Africa, Asia, and Australia. Although the scale of the infection remained limited, according to Fortinet, the spread shows that IoT-targeting botnets can still gain a worldwide foothold wherever enough vulnerable equipment remains exposed.
FortiGuard Labs’ technical analysis shows that ShadowV2 is closely related to the Mirai LZRD variant. Like its predecessors, it uses XOR-encoded configuration strings, hardcoded commands, and a command-and-control structure that relays DDoS attack instructions to the bots.
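The XOR-encoded configuration is the part of a Mirai-family sample an analyst usually wants out first, because it holds the C2 host, port and the strings the bot prints or sends. The following is an added example, not code from Fortinet's report or from ShadowV2: it reproduces the table scheme of the leaked Mirai source (a 32-bit key whose four bytes are applied in turn, which collapses to one single-byte XOR), encodes a constructed table, and then recovers the key from a dumped blob using the bot's own banner string as a known-plaintext crib. The 0xDEADBEEF key is the value from the leaked Mirai source and is an assumption here; ShadowV2's actual key, table layout and entries are not given on the page, so the sample entries and the NUL-separated layout are constructed.

```python
"""Mirai-style XOR config table: encode, decode, and recover the key with a crib.

Added example; this is not code from Fortinet's report or from ShadowV2.
The leaked Mirai source (table.c) keeps C2 host, port and other strings
XOR-encoded in memory and decodes each only while it is in use. Its
toggle_obf() XORs every byte with the four bytes of a 32-bit key in turn
(0xDEADBEEF in that source), which is the same as one XOR with the four
bytes folded together: 0xDE ^ 0xAD ^ 0xBE ^ 0xEF = 0x22. The key, the
sample entries and the NUL-separated layout are assumptions for the demo.
"""
from typing import List, Optional

MIRAI_TABLE_KEY = 0xDEADBEEF  # value from the leaked Mirai source, assumed here


def effective_key(key32: int) -> int:
    """Fold the four key bytes into the single byte every data byte is XORed with."""
    k = 0
    for shift in (0, 8, 16, 24):
        k ^= (key32 >> shift) & 0xFF
    return k


def toggle_obf(data: bytes, key32: int = MIRAI_TABLE_KEY) -> bytes:
    """Encode or decode a buffer; XOR is its own inverse."""
    k = effective_key(key32)
    return bytes(b ^ k for b in data)


def build_table(entries: List[bytes], key32: int = MIRAI_TABLE_KEY) -> bytes:
    """Lay out NUL-separated entries and obfuscate the whole blob (constructed format)."""
    return toggle_obf(b"\x00".join(entries), key32)


def recover_key_from_crib(blob: bytes, crib: bytes) -> Optional[int]:
    """Known-plaintext attack on a single-byte XOR: slide the crib over the blob,
    derive the candidate key from the first byte and confirm it on the rest.
    Returns the single-byte key, or None if the crib is not found anywhere."""
    for off in range(len(blob) - len(crib) + 1):
        k = blob[off] ^ crib[0]
        if bytes(b ^ k for b in blob[off:off + len(crib)]) == crib:
            return k
    return None


def decode_table(blob: bytes, key: int) -> List[bytes]:
    """Decode with a single-byte key and split on the NUL separators."""
    return bytes(b ^ key for b in blob).split(b"\x00")


# Constructed sample table: the banner string is the one the page reports;
# the host, IP (RFC 5737 documentation range) and path are made up.
SAMPLE_ENTRIES = [
    b"ShadowV2 Build v1.0.0 IoT version",
    b"cnc.example.invalid",
    b"203.0.113.10",
    b"/bin/busybox",
]
SAMPLE_BLOB = build_table(SAMPLE_ENTRIES)


def analyze(blob: bytes = SAMPLE_BLOB) -> List[bytes]:
    """What an analyst does with a dumped table: use the banner as a crib,
    recover the key, then decode every entry."""
    key = recover_key_from_crib(blob, b"ShadowV2 Build")
    if key is None:
        raise ValueError("crib not found; table may use a different scheme")
    return decode_table(blob, key)


if __name__ == "__main__":
    print("effective key: 0x%02x" % effective_key(MIRAI_TABLE_KEY))
    for entry in analyze():
        print(entry.decode())
```

The crib approach is worth preferring over a printable-ASCII brute force: many single-byte keys turn a mostly-lowercase table into other printable junk, whereas a string the bot is known to emit, such as the build banner the page quotes, pins the key down in one pass.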
ShadowV2 supports several attack methods over UDP, TCP, and HTTP, including floods aimed at volumetric disruption and at service exhaustion. To reach its command-and-control server it first tries a domain linked to the botnet operator; if that fails, it immediately falls back to a hardcoded IP address, so the infrastructure does not depend on DNS alone.
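The domain-then-hardcoded-IP fallback leaves a network-side pattern a defender can hunt for: a failed DNS answer for some name, followed shortly by a TCP connection to an address the same host never obtained from a successful resolution. The detection below is an added example, not code from Fortinet's report; it runs over constructed DNS and connection log lines (hosts, domains, RFC 5737 addresses, the port and the 30-second window are all made up) and returns the connections that match that pattern while leaving ordinary resolved connections and unrelated direct-IP traffic alone.

```python
"""Flag hosts that fall back to a hardcoded IP after their DNS lookup fails.

Added example; not code from Fortinet's report. The page describes ShadowV2
trying an operator domain first and switching to a hardcoded IP when that
fails. The log formats, hosts, domains, addresses (RFC 5737 ranges), the
port and the 30-second window are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Tuple

FAILURE_CODES = {"NXDOMAIN", "SERVFAIL", "TIMEOUT"}
FALLBACK_WINDOW = timedelta(seconds=30)  # assumed: how soon after the failure


class Alert(NamedTuple):
    src: str
    dst: str
    dport: int
    failed_domain: str
    conn_time: str


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_dns(text: str) -> List[Tuple[datetime, str, str, str, str]]:
    """Constructed format: <ts> <client> <qname> <rcode> <answer-or-dash>."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, qname, rcode, answer = line.split()
        rows.append((parse_ts(ts), src, qname, rcode, answer))
    return rows


def parse_conn(text: str) -> List[Tuple[datetime, str, str, int]]:
    """Constructed format: <ts> <src> <dst> <dport> <proto>."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = line.split()
        if proto == "tcp":
            rows.append((parse_ts(ts), src, dst, int(dport)))
    return rows


def find_fallback_connections(dns_text: str, conn_text: str,
                              window: timedelta = FALLBACK_WINDOW) -> List[Alert]:
    # Per client: addresses it legitimately resolved (with time), and failed lookups.
    resolved: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    failures: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, src, qname, rcode, answer in parse_dns(dns_text):
        if rcode == "NOERROR" and answer != "-":
            resolved[src].append((ts, answer))
        elif rcode in FAILURE_CODES:
            failures[src].append((ts, qname))

    alerts: List[Alert] = []
    for ts, src, dst, dport in parse_conn(conn_text):
        # A destination the host resolved earlier is normal name-based traffic.
        if any(rts <= ts and ip == dst for rts, ip in resolved[src]):
            continue
        # Direct-to-IP connection: suspicious only if a lookup just failed.
        for fts, qname in failures[src]:
            if timedelta(0) <= ts - fts <= window:
                alerts.append(Alert(src, dst, dport, qname, ts.isoformat()))
                break
    return alerts


# Constructed sample logs: .20 looks like a bot falling back to a hardcoded IP;
# .31 makes a direct-IP connection with no preceding DNS failure.
DNS_LOG = """\
2025-10-20T10:00:01Z 192.168.1.20 cnc.example.invalid NXDOMAIN -
2025-10-20T10:00:04Z 192.168.1.20 updates.example.net NOERROR 198.51.100.7
2025-10-20T10:01:00Z 192.168.1.31 mail.example.net NOERROR 198.51.100.9
"""
CONN_LOG = """\
2025-10-20T10:00:02Z 192.168.1.20 203.0.113.10 6667 tcp
2025-10-20T10:00:05Z 192.168.1.20 198.51.100.7 443 tcp
2025-10-20T10:01:01Z 192.168.1.31 198.51.100.9 993 tcp
2025-10-20T10:05:00Z 192.168.1.31 203.0.113.10 6667 tcp
"""


def demo() -> List[Alert]:
    return find_fallback_connections(DNS_LOG, CONN_LOG)


if __name__ == "__main__":
    for a in demo():
        print(f"{a.src} -> {a.dst}:{a.dport} at {a.conn_time} "
              f"after failed lookup of {a.failed_domain}")
```

The second host's direct-IP connection is deliberately not flagged: plenty of legitimate traffic goes to bare addresses, and the signal here is the failed lookup immediately before, so the rule keys on the sequence rather than on direct-IP traffic alone. In a real deployment the same logic runs over Zeek dns.log and conn.log or equivalent, and the flagged destination becomes the pivot for finding other bots.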
IoT landscape remains vulnerable
Fortinet emphasizes that the emergence of ShadowV2 once again exposes how vulnerable the IoT landscape remains. Organizations often stay dependent on equipment that is no longer supported, even though these systems sit directly on the network. The researchers expect that ShadowV2 is not a one-off and that its operators may be working on further refining the botnet.