Darktrace uncovered a sophisticated cybercrime-as-a-service campaign using Python- and Go-based malware, Docker containerization, and a full operator UI. The attack combines DDoS techniques with targeted exploitation, featuring HTTP/2 rapid reset, Cloudflare UAM bypass, and large-scale HTTP floods. The infrastructure resembles a DDoS-as-a-service platform, mirroring legitimate cloud-native applications in design and usability. Initial access is gained through exposed Docker daemons on AWS EC2, followed by a multi-stage deployment process. The malware uses a Go-based RAT with RESTful communication and includes advanced evasion techniques. The campaign highlights the need for defenders to monitor cloud workloads, container orchestration, and API activity to counter evolving threats.
Author: AlienVault
Related Tags:
ddos-as-a-service
cloud-native
containerization
cybercrime-as-a-service
ShadowV2
T1583.006
docker
api
T1588.002
Associated Indicators:
1F70C78C018175A3E4FA2B3822F1A3BD48A3B923D1FBDEAA5446960CA8133E9C
2462467C89B4A62619D0B2957B21876DC4871DB41B5D5FE230AA7AD107504C99
C4C82472F0A779BA6E4FBB8AD6726BD4FD580B69
https://shadow.aurozacloud.xyz/api/vps/poll/
https://shadow.aurozacloud.xyz/api/vps/heartbeat