ShadowV2 Casts a Shadow Over IoT Devices

    Date: 11/27/2025

    Severity: High

    Summary

At the end of October 2025, during a global AWS connectivity disruption, FortiGuard Labs (see Reference below) detected malware known as “ShadowV2” exploiting IoT vulnerabilities to spread. The incidents impacted multiple countries and seven different industries. To date, the malware has only been observed operating during the major AWS outage window; we assess that this activity was likely a trial run in preparation for future attacks. The activity consists of active exploitation attempts associated with a Mirai-based botnet referred to as ShadowV2, launched from the host 198[.]199[.]72[.]27 against vulnerabilities in the following vendors’ products:

    • DD-WRT: CVE-2009-2765
    • D-Link: CVE-2020-25506, CVE-2022-37055, CVE-2024-10914, CVE-2024-10915
    • DigiEver: CVE-2023-52163
    • TBK: CVE-2024-3721
    • TP-Link: CVE-2024-53375

    Indicators of Compromise (IOC) List

    Domains / URLs:

    silverpath.shadowstresser.info

    IP Addresses:

    81.88.18.108

    198.199.72.27

    Hashes (SHA-256):

    7dfbf8cea45380cf936ffdac18c15ad91996d61add606684b0c30625c471ce6a

    0408d57c5ded5c79bf1c5b15dfde95547e17b81214dfc84538edcdbef4e61ffe

    dfaf34b7879d1a6edd46d33e9b3ef07d51121026b8d883fdf8aced630eda2f83

    6f1a5f394c57724a0f1ea517ae0f87f4724898154686e7bf64c6738f0c0fb7b6

    5b5daeaa4a7e89f4a0422083968d44fdfe80e9a32f25a90bf023bca5b88d1e30

    c0ac4e89e48e854b5ddbaef6b524e94cc86a76be0a7a8538bd3f8ea090d17fc2

    499a9490102cc55e94f6a9c304eea86bbe968cff36b9ac4a8b7ff866b224739f

    bb326e55eb712b6856ee7741357292789d1800d3c5a6be4f80e0cb1320f4df74

    24ad77ed7fa9079c21357639b04a526ccc4767d2beddbd03074f3b2ef5db1b69

    80ee2bf90545c0d539a45aa4817d0342ff6e79833e788094793b95f2221a3834

    cb42ae74216d81e87ae0fd51faf939b43655fe0be6740ac72414aeb4cf1fecf2

    22aa3c64c700f44b46f4b70ef79879d449cc42da9d1fe7bad66b3259b8b30518

    c62f8130ef0b47172bc5ec3634b9d5d18dbb93f5b7e82265052b30d7e573eef3

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "silverpath.shadowstresser.info" or url like "silverpath.shadowstresser.info" or siteurl like "silverpath.shadowstresser.info"

    Detection Query 2:

    dstipaddress IN ("198.199.72.27","81.88.18.108") or srcipaddress IN ("198.199.72.27","81.88.18.108")

    Detection Query 3:

    sha256hash IN ("bb326e55eb712b6856ee7741357292789d1800d3c5a6be4f80e0cb1320f4df74","24ad77ed7fa9079c21357639b04a526ccc4767d2beddbd03074f3b2ef5db1b69","cb42ae74216d81e87ae0fd51faf939b43655fe0be6740ac72414aeb4cf1fecf2","22aa3c64c700f44b46f4b70ef79879d449cc42da9d1fe7bad66b3259b8b30518","0408d57c5ded5c79bf1c5b15dfde95547e17b81214dfc84538edcdbef4e61ffe","c62f8130ef0b47172bc5ec3634b9d5d18dbb93f5b7e82265052b30d7e573eef3","499a9490102cc55e94f6a9c304eea86bbe968cff36b9ac4a8b7ff866b224739f","c0ac4e89e48e854b5ddbaef6b524e94cc86a76be0a7a8538bd3f8ea090d17fc2","7dfbf8cea45380cf936ffdac18c15ad91996d61add606684b0c30625c471ce6a","dfaf34b7879d1a6edd46d33e9b3ef07d51121026b8d883fdf8aced630eda2f83","6f1a5f394c57724a0f1ea517ae0f87f4724898154686e7bf64c6738f0c0fb7b6","5b5daeaa4a7e89f4a0422083968d44fdfe80e9a32f25a90bf023bca5b88d1e30","80ee2bf90545c0d539a45aa4817d0342ff6e79833e788094793b95f2221a3834")
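The three queries above are IOC sweeps over three field families: hostnames/URLs, source and destination IPs, and SHA-256 file hashes. As an added worked example (not part of the original advisory and not Gurucul's TDIR code), the following Python applies the same three checks to constructed sample log records. The record field names are assumed to mirror the query fields (domainname, url, siteurl, dstipaddress, srcipaddress, sha256hash), and the sample records are constructed for illustration, not real telemetry. It also handles two practical wrinkles a raw `like`/`IN` query does not: indicators arriving defanged (198[.]199[.]72[.]27, hxxp://), hashes reported in upper case, and hosts embedded in URLs with ports or paths, while avoiding the false positive a substring match would raise on a look-alike domain.

```python
"""
IOC sweep for the ShadowV2 indicators listed in this advisory, applied to
constructed sample log records. Added example; field names are assumed to
match the TDIR query fields above.
"""
import re

IOC_DOMAINS = {"silverpath.shadowstresser.info"}
IOC_IPS = {"81.88.18.108", "198.199.72.27"}
IOC_SHA256 = {
    "7dfbf8cea45380cf936ffdac18c15ad91996d61add606684b0c30625c471ce6a",
    "0408d57c5ded5c79bf1c5b15dfde95547e17b81214dfc84538edcdbef4e61ffe",
    "dfaf34b7879d1a6edd46d33e9b3ef07d51121026b8d883fdf8aced630eda2f83",
    "6f1a5f394c57724a0f1ea517ae0f87f4724898154686e7bf64c6738f0c0fb7b6",
    "5b5daeaa4a7e89f4a0422083968d44fdfe80e9a32f25a90bf023bca5b88d1e30",
    "c0ac4e89e48e854b5ddbaef6b524e94cc86a76be0a7a8538bd3f8ea090d17fc2",
    "499a9490102cc55e94f6a9c304eea86bbe968cff36b9ac4a8b7ff866b224739f",
    "bb326e55eb712b6856ee7741357292789d1800d3c5a6be4f80e0cb1320f4df74",
    "24ad77ed7fa9079c21357639b04a526ccc4767d2beddbd03074f3b2ef5db1b69",
    "80ee2bf90545c0d539a45aa4817d0342ff6e79833e788094793b95f2221a3834",
    "cb42ae74216d81e87ae0fd51faf939b43655fe0be6740ac72414aeb4cf1fecf2",
    "22aa3c64c700f44b46f4b70ef79879d449cc42da9d1fe7bad66b3259b8b30518",
    "c62f8130ef0b47172bc5ec3634b9d5d18dbb93f5b7e82265052b30d7e573eef3",
}

# Assumed field names, mirroring Detection Queries 1-3.
DOMAIN_FIELDS = ("domainname", "url", "siteurl")
IP_FIELDS = ("dstipaddress", "srcipaddress")
HASH_FIELDS = ("sha256hash",)


def refang(value: str) -> str:
    """Turn defanged notation (198[.]199[.]72[.]27, hxxp://) back into a matchable form."""
    value = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", value.strip())
    return re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)


def hostname_of(value: str) -> str:
    """Host part of a bare domain or URL: lower-cased, userinfo/port/path removed."""
    v = refang(value).lower()
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/?#]+)", v)
    if m:
        v = m.group(1)
    v = v.split("@")[-1].split(":")[0]
    return v.rstrip(".")


def domain_matches(value: str) -> set:
    """Exact host or a subdomain of a listed domain. A substring 'like' would also
    flag silverpath.shadowstresser.info.example.net; suffix matching does not."""
    host = hostname_of(value)
    return {d for d in IOC_DOMAINS if host == d or host.endswith("." + d)}


def sweep(records):
    """Return one finding per record that touches any IOC, with the reasons why."""
    findings = []
    for idx, rec in enumerate(records):
        reasons = []
        for f in DOMAIN_FIELDS:
            if rec.get(f):
                for d in sorted(domain_matches(rec[f])):
                    reasons.append(f"{f} matches domain IOC {d}")
        for f in IP_FIELDS:
            ip = refang(rec.get(f, ""))
            if ip in IOC_IPS:
                reasons.append(f"{f} matches IP IOC {ip}")
        for f in HASH_FIELDS:
            if rec.get(f, "").strip().lower() in IOC_SHA256:
                reasons.append(f"{f} matches SHA-256 IOC")
        if reasons:
            findings.append({"index": idx, "reasons": reasons})
    return findings


# Constructed sample records (not real telemetry).
SAMPLE_RECORDS = [
    # DNS log: internal host resolving the listed domain
    {"srcipaddress": "10.0.0.23", "domainname": "silverpath.shadowstresser.info"},
    # IDS log: inbound exploitation attempt, source IP written defanged
    {"srcipaddress": "198[.]199[.]72[.]27", "dstipaddress": "10.0.0.23",
     "url": "hxxp://10.0.0.23/"},
    # EDR log: dropped payload, hash reported in upper case
    {"sha256hash": "BB326E55EB712B6856EE7741357292789D1800D3C5A6BE4F80E0CB1320F4DF74"},
    # proxy log: fetch from a subdomain of the listed domain, with port and path
    {"siteurl": "http://cdn.silverpath.shadowstresser.info:8080/bins/x86"},
    # benign look-alike that a substring match would wrongly flag
    {"domainname": "silverpath.shadowstresser.info.example.net", "dstipaddress": "81.88.18.1"},
]

if __name__ == "__main__":
    for finding in sweep(SAMPLE_RECORDS):
        print(finding)
```

Run as a script it prints four findings (records 0 to 3) and stays silent on the look-alike domain in record 4. When porting this to a SIEM, keep the suffix semantics for domains rather than a plain substring `like`, normalise hashes to lower case at ingestion, and refang any indicators copied from advisories before loading them into watchlists.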

    Reference:

    https://www.fortinet.com/blog/threat-research/shadowv2-casts-a-shadow-over-iot-devices


    Tags

    Malware, Vulnerability, ShadowV2, Exploit, Botnet, CVE-2009, CVE-2020, CVE-2022, CVE-2023, CVE-2024
