
An emerging DDoS for hire botnet

Published 25/09/2025 09:20 · Modified 25/09/2025 14:58


Essential information

Tags: 2025-09-25, api, botnet, cloud-native, containerization, cybercrime-as-a-service, ddos-as-a-service, docker, go, http/2, python, shadowv2
Related entities: 12 techniques (MITRE), 1 malware

Description

Darktrace uncovered a sophisticated campaign utilizing and -based malware, , and a full operator UI. The attack combines DDoS techniques with targeted exploitation, featuring rapid reset, Cloudflare UAM bypass, and large-scale HTTP floods. The infrastructure resembles a platform, mirroring legitimate applications in design and usability. Initial access is gained through exposed daemons on AWS EC2, with a multi-stage deployment process. The malware uses a -based RAT with RESTful communication and includes advanced evasion techniques. The campaign highlights the need for defenders to monitor cloud workloads, container orchestration, and activity to counter evolving threats.

External references