An emerging DDoS for hire botnet
Essential information
- Published: 25/09/2025 09:20
- Modified: 25/09/2025 14:58
- Tags: 2025-09-25, api, botnet, cloud-native, containerization, cybercrime-as-a-service, ddos-as-a-service, docker, go, http/2, python, shadowv2
- Related entities: 12 techniques (MITRE), 1 malware
Description
Darktrace uncovered a sophisticated cybercrime-as-a-service campaign built on Python- and Go-based malware, Docker containerization, and a full operator UI. The attack combines DDoS techniques with targeted exploitation, featuring HTTP/2 rapid reset, Cloudflare UAM (Under Attack Mode) bypass, and large-scale HTTP floods. The infrastructure resembles a DDoS-as-a-service platform, mirroring legitimate cloud-native applications in design and usability. Initial access is gained through exposed Docker daemons on AWS EC2, followed by a multi-stage deployment process. The malware uses a Go-based RAT with RESTful command-and-control communication and includes advanced evasion techniques. The campaign highlights the need for defenders to monitor cloud workloads, container orchestration, and API activity to counter evolving threats.