ShadowV2 DDoS Botnet Targets Unprotected Docker Instances


Sophisticated For-Hire DDoS Service Built With Cloud-Native Application Design

Mathew J. Schwartz (euroinfosec) • September 22, 2025

Attackers have been infecting misconfigured, internet-exposed Docker containers to serve as launchpads for distributed-denial-of-service disruptions.

The DDoS platform's login panel and operator interface lead to a for-hire disruption service calling itself ShadowV2, which appears to have been built in a way that emulates "legitimate cloud-native applications in both design and usability," said cybersecurity firm Darktrace.

On-demand DDoS services, known as stresser or booter offerings, aren't new. But "what sets this campaign apart is the sophistication of its attack toolkit," Darktrace said. "The threat actors employ advanced methods such as HTTP/2 rapid reset, a Cloudflare under attack mode (UAM) bypass and large-scale HTTP floods, demonstrating a capability to combine DDoS techniques with targeted exploitation," it said.

An HTTP/2 ...


Copyright of this story solely belongs to bankinfosecurity . To see the full text click HERE