UPDATED 07:00 EDT / SEPTEMBER 23 2025

Darktrace reveals ShadowV2 botnet exploiting Docker misconfigurations in AWS

A new report out today from Darktrace Ltd. reveals a sophisticated cybercrime campaign that blends traditional malware with cloud-native design principles, exposing how threat actors are evolving distributed denial-of-service operations into fully fledged “as-a-service” platforms.

The campaign detailed in the report, dubbed “ShadowV2,” centers on a Python-based command-and-control framework hosted on GitHub Codespaces. The operation uses a Python spreader to find and exploit exposed Docker daemons, particularly on Amazon Web Services Inc.’s EC2 instances, and then deploys a multistage container that installs a Go-based remote access trojan.
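The misconfiguration the spreader relies on is a Docker daemon that accepts API calls over TCP without TLS client authentication, which lets any scanner that reaches the port create and start containers. The following audit script is an added example, not code from Darktrace’s report or from the ShadowV2 toolkit. It checks the two places dockerd reads its listen addresses from, daemon.json and the dockerd command line, and flags any tcp:// host that is not protected by tlsverify. The config keys (hosts, tlsverify, tlscacert, tlscert, tlskey) are real dockerd options; the sample configurations, the port conventions (2375 plain, 2376 TLS) and the severity labels are assumptions made for the example.

```python
"""Audit a Docker daemon configuration for an unauthenticated TCP listener.

Added example (not Darktrace's or the attackers' code). dockerd takes its
listen addresses from daemon.json ("hosts") or from -H/--host on the command
line; it refuses to start if both are set, so in practice only one is
populated, but the audit merges both to be safe.
"""
import json
from urllib.parse import urlparse

# Constructed sample inputs, not taken from any real host.
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'

HARDENED_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""


def parse_dockerd_args(argv):
    """Extract -H/--host values and the --tlsverify flag from a dockerd command line."""
    hosts, tlsverify = [], False
    it = iter(argv)
    for arg in it:
        if arg in ("-H", "--host"):
            hosts.append(next(it, ""))
        elif arg.startswith("--host="):
            hosts.append(arg.split("=", 1)[1])
        elif arg.startswith("-H") and len(arg) > 2:  # "-Htcp://..." form
            hosts.append(arg[2:])
        elif arg == "--tlsverify" or arg.startswith("--tlsverify="):
            tlsverify = tlsverify or not arg.endswith("=false")
    return hosts, tlsverify


def audit_docker_listeners(daemon_json, dockerd_argv=()):
    """Return a list of findings; an empty list means no network-exposed API without client auth."""
    cfg = json.loads(daemon_json) if daemon_json.strip() else {}
    hosts = list(cfg.get("hosts", []))
    tlsverify = bool(cfg.get("tlsverify", False))

    arg_hosts, arg_tls = parse_dockerd_args(list(dockerd_argv))
    hosts += arg_hosts
    tlsverify = tlsverify or arg_tls

    findings = []
    for host in hosts:
        url = urlparse(host)
        if url.scheme != "tcp":
            continue  # unix:// and fd:// sockets are not reachable from the network
        bind = url.hostname or "0.0.0.0"  # "tcp://:2375" binds every interface
        all_ifaces = bind in ("0.0.0.0", "::")
        if not tlsverify:
            sev = "CRITICAL" if all_ifaces else "HIGH"
            findings.append(f"{sev}: {host} accepts Docker API calls without TLS client auth")
        elif all_ifaces:
            findings.append(f"MEDIUM: {host} requires client certs but is bound to all interfaces; restrict it with a security group")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(label, audit_docker_listeners(cfg) or ["OK"])
    print("cli", audit_docker_listeners("", ["dockerd", "-H", "tcp://0.0.0.0:2375"]))
```

On a live host, feed the script the contents of /etc/docker/daemon.json and the dockerd command line from `ps` or the systemd unit. A clean result here only covers the daemon side; whether the EC2 security group actually exposes the port to the internet is a separate check.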

The remote access trojan communicates with its operators through a RESTful application programming interface, regularly polling for instructions and executing high-volume attacks on command.

Where ShadowV2 gets interesting is the way its operators mirror legitimate development practices. The malware infrastructure includes an OpenAPI specification built with FastAPI and Pydantic, a login panel for operators and a tailored user interface styled with Tailwind CSS. The platform also supports features such as user authentication, admin-level privileges, attack configuration options and even blacklist management.

Darktrace’s researchers note that the design is consistent with a DDoS-for-hire model, enabling multi-tenant use rather than functioning as a simple botnet.

The attack toolkit also demonstrates technical sophistication with support for advanced techniques, including a bypass for Cloudflare Inc.’s “under attack mode,” randomized headers and large-scale HTTP floods built on the Go fasthttp library.

One of the more notable features is the attempted automation of Cloudflare challenge solving via a bundled binary built on ChromeDP, a Go library that drives a headless Chrome browser over the DevTools protocol. While not guaranteed to succeed, the mechanism highlights the ongoing arms race between attackers and web security providers.

The implications extend beyond a single campaign. By packaging attacks in containerized environments with modular functionality and exposing structured APIs, cybercriminals are adopting the same efficiency and usability principles that drive enterprise software.

Darktrace’s researchers warn that this trend reinforces the need for continuous monitoring of containerized workloads, behavioral analytics capable of detecting anomalous API activity and deeper visibility into cloud deployments.

Jason Soroko, senior fellow at certificate management solutions company Sectigo Ltd., told SiliconANGLE via email that the research “points to a maturing criminal market where specialization beats sprawl.”

“By focusing only on DDoS and selling access to capacity, the operators reduce operational risk, simplify tooling and align incentives with paying customers,” said Soroko. “Container-aware infection of misconfigured Docker on cloud hosts gives rapid scale and disposable infrastructure. Go-based implants enable cross-platform builds and fast churn on features.”

Shane Barney, chief information security officer at password management company Keeper Security Inc., noted that “the ShadowV2 botnet is another reminder that cybercrime is no longer a side hustle but an industry.”

“Threat actors are treating DDoS attacks like a business service, complete with APIs, dashboards and user interfaces,” he said. “This type of industrialization should be a wake-up call for defenders. The fact that attackers are exploiting misconfigured Docker containers on AWS is also concerning, highlighting how quickly adversaries are shifting into cloud-native environments where misconfigurations are common.”

Image: SiliconANGLE/Reve