The AWS outage botnet attack shows how threat actors can exploit moments of confusion, use old vulnerabilities, and build new digital weapons from simple entry points. This incident also raises major questions about IoT security, cloud defense strategy, and the long-term plans of the attackers who launched the ShadowV2 campaign. In this article, I break down what happened, how the malware works, why the infection spread across 28 countries, and what SquaredTech believes organizations should do now.
How the AWS Outage Botnet Formed During a Global Disruption
The AWS outage on that October day affected large businesses, cloud services, and public platforms for hours. During that period, websites failed to load, services slowed down, and cloud tools across regions stopped responding. The outage created a rare situation in which routine monitoring was delayed and security teams focused on service recovery instead of threat hunting.
Threat actors took advantage of this moment and deployed the AWS outage botnet now identified as the ShadowV2 Mirai variant. According to Fortinet’s FortiGuard Labs, ShadowV2 began to infect IoT devices at the same time as the AWS outage. The malware scanned networks for open access points and moved through devices that ran old or unpatched firmware.
Read more on our article, Massive Cloudflare Outage Shuts Down Internet Services Worldwide, published on November 18th, 2025, SquaredTech.
The attackers relied on known vulnerabilities that had been present for years. This is a critical point: even long-standing issues can help a botnet grow in modern environments. ShadowV2 used issues found in DD-WRT hardware, D-Link devices, DigiEver equipment, TBK models, and TP-Link units. Many of these vulnerabilities had already been assigned CVE numbers with available patches. Yet a large number of devices remained exposed, which allowed the AWS outage botnet to expand through multiple sectors.
SquaredTech often highlights the danger of unpatched equipment. This incident provides a clear example. The attackers did not need to create new exploits. They used issues that were already documented. The timing of the AWS outage gave them a longer window to run scans and gain access without immediate detection.
Once inside a device, the ShadowV2 malware installed a downloader script called binary.sh. That script fetched additional binaries whose names start with “shadow.” These binaries came from a remote server at an IP address identified in the Fortinet report. The malware then built a network of compromised IoT devices that the attackers could control. This created a botnet capable of large-scale distributed denial of service attacks.
ShadowV2 did not operate on IoT hardware alone. Earlier activity from the same threat group showed that the attackers had also targeted AWS EC2 cloud instances in September. This pattern suggests that the campaign had been active across multiple environments in different forms.
During the AWS outage, the impact spread across entire sectors. Technology, retail, hospitality, manufacturing, managed security service providers, telecommunication services, government offices, and education systems reported signs of attempted access or infection. The AWS outage botnet reached 28 countries, including the United States, Canada, Brazil, the United Kingdom, France, Italy, China, Thailand, Japan, and Australia. Few botnet incidents reach so many regions in so short a time, which makes this event notable.
Fortinet has not yet provided a device count. The team continues to evaluate how many units were infected. Even without the final number, the global reach alone shows how fast an IoT-based attack can move during periods of network instability.
Why the AWS Outage Botnet Activity Matters Even After the Malware Stopped
The AWS outage botnet did not stay active after that day. The ShadowV2 infection stopped once the AWS issue was resolved. Yet the short-lived nature of the attack does not make it a small event. In fact, many analysts believe the incident served as a test.
Our team reviewed the technical reports and found that the malware shares behavior patterns with another Mirai variant called LZRD. ShadowV2 uses XOR encoded configuration data. It connects back to a command server to receive instructions. It can launch DDoS traffic floods on demand. The code also displays a version message that shows this may be the first build of the ShadowV2 series for IoT devices.
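The XOR-encoded configuration mentioned above is the kind of detail an analyst recovers first when triaging a sample. The following Python is an added example (not code from the Fortinet report or from the malware): it builds a constructed, XOR-obfuscated config blob with a constructed key, then recovers the key by trying all 256 single-byte values and keeping the ones that yield printable output containing an expected field name such as the version string.

```python
import string

# Bytes an analyst would accept as "readable" config text.
PRINTABLE = set(string.printable.encode()) - set(b"\x0b\x0c")


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR. Applying it twice restores the input, so the same
    routine both obfuscates a config and recovers it. In the leaked Mirai
    source the 32-bit table key is applied byte-wise and collapses to one
    byte, which is why a single-byte search is usually enough."""
    return bytes(b ^ key for b in data)


# Constructed demo plaintext and key: NOT ShadowV2's real config or key.
DEMO_CONFIG = b"version=ShadowV2-IoT-1.0;c2=c2.example.invalid:1234;arch=arm7"
DEMO_KEY = 0x5A
DEMO_BLOB = xor_bytes(DEMO_CONFIG, DEMO_KEY)


def candidate_keys(blob: bytes, marker: bytes = b"version") -> list[int]:
    """Brute-force every single-byte key and keep those whose output is
    fully printable and contains `marker`, a string the analyst expects
    in the config (here the version field the report describes)."""
    hits = []
    for key in range(256):
        out = xor_bytes(blob, key)
        if marker in out and all(b in PRINTABLE for b in out):
            hits.append(key)
    return hits


def decode_config(blob: bytes, key: int) -> dict[str, str]:
    """Decode the blob and split 'k=v;k=v' fields into a dict."""
    text = xor_bytes(blob, key).decode("ascii")
    return dict(f.split("=", 1) for f in text.split(";") if "=" in f)


if __name__ == "__main__":
    keys = candidate_keys(DEMO_BLOB)
    print("candidate keys:", [hex(k) for k in keys])
    for k in keys:
        print(decode_config(DEMO_BLOB, k))
```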
Read more on our article, Microsoft Azure Blocks Massive 15.72 Tbps DDoS Attack, published on November 22nd, 2025, SquaredTech.
This detail is important. If the attackers are building a new family of Mirai variants, the short activity window during the AWS outage could represent a controlled experiment. The attackers might have monitored propagation speed, vulnerability response, and cloud service recovery behavior.
IoT-based botnets grow faster than server-based botnets because IoT hardware often uses weak passwords or outdated firmware. Many organizations deploy IoT equipment without strong monitoring tools. Devices such as cameras, recorders, sensors, and basic routers do not receive regular attention from security teams. The AWS outage botnet shows how easily these endpoints can be turned into attack systems.
ShadowV2 did not need advanced techniques to spread. It used open vulnerabilities, basic scripts, and simple binaries. This means the attackers can recreate the botnet at any time with minimal effort. Even worse, new variants could build on the same structure but with stronger attack modules.
Soon after ShadowV2 surfaced, Microsoft reported that Azure faced a massive cloud-based DDoS attack. The company stated that the event reached 15.72 terabits per second and came from a different botnet known as Aisuru. Azure’s DDoS protection systems absorbed the attack. No customer workloads shut down. Still, the timing raises questions about broader testing by threat groups. It is possible that coordinated experiments took place across cloud platforms in short intervals.
For organizations that rely on cloud platforms and IoT devices, the combined events show a clear pattern. Threat actors are studying large scale cloud disruption events. They aim to use those moments to deploy new malware families and launch attacks that challenge the limits of current protection systems.
What the AWS Outage Botnet Teaches Organizations About IoT Security Today
The AWS outage botnet shows how easily attackers can turn everyday devices into attack tools. Many companies deploy IoT units that remain online for years without updates. Simple cameras, access control devices, small routers, and local monitors often use old firmware. These units rarely receive strong oversight. Attackers know this and scan for these entry points every day.
SquaredTech recommends that organizations re-check IoT security procedures after reviewing the details of the ShadowV2 incident. The following steps are clear actions that any team can take without delay.
Teams should update IoT firmware on a schedule and verify that all units use the latest patches. Device inventories should be accurate so that teams can identify older hardware before attackers find them. Organizations should monitor traffic patterns from IoT units to see if any device sends unusual or repetitive requests. They should also review Fortinet’s list of indicators of compromise to check for signs of ShadowV2 or related botnets.
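The monitoring advice above, and the infection chain described earlier (a downloader named binary.sh fetching binaries whose names start with “shadow”), can be turned into a simple egress-log triage. The following Python is an added example, not code from Fortinet or SquaredTech: it runs over constructed proxy log lines (timestamp, source IP, method, URL) and flags devices that fetch files matching those names, devices that talk to hosts on an IoC list (a placeholder set here, to be replaced with the hosts from Fortinet's published indicators), and devices that repeat the same request many times.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed egress-proxy log lines (documentation IP ranges, not report IoCs).
SAMPLE_LOG = [
    "2025-10-20T07:12:01Z 10.0.5.21 GET http://198.51.100.7/binary.sh",
    "2025-10-20T07:12:03Z 10.0.5.21 GET http://198.51.100.7/shadow.arm7",
    "2025-10-20T07:12:04Z 10.0.5.21 GET http://198.51.100.7/shadow.mips",
    "2025-10-20T07:13:10Z 10.0.5.40 GET http://updates.example.invalid/firmware.bin",
    "2025-10-20T07:13:11Z 10.0.5.40 GET http://updates.example.invalid/firmware.bin",
] + [f"2025-10-20T07:15:{i:02d}Z 10.0.5.77 POST http://203.0.113.9/" for i in range(6)]

# Placeholder: replace with hosts/IPs from Fortinet's published IoC list.
IOC_HOSTS = {"198.51.100.7"}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+)$")


def parse_line(line: str):
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_stager_fetch(url: str) -> bool:
    """True when the requested file name is the downloader (binary.sh) or a
    'shadow*' payload name, the names the report attributes to ShadowV2."""
    name = urlsplit(url).path.rsplit("/", 1)[-1].lower()
    return name == "binary.sh" or name.startswith("shadow")


def flag_stager_fetches(lines):
    recs = filter(None, map(parse_line, lines))
    return [(r["src"], r["url"]) for r in recs if is_stager_fetch(r["url"])]


def flag_ioc_contacts(lines, ioc_hosts=IOC_HOSTS):
    recs = filter(None, map(parse_line, lines))
    return sorted({r["src"] for r in recs if urlsplit(r["url"]).hostname in ioc_hosts})


def flag_repetitive_sources(lines, threshold: int = 5):
    """Sources repeating one identical request at least `threshold` times:
    a coarse sign of a device scanning or flooding instead of doing its job."""
    counts = Counter((r["src"], r["method"], r["url"])
                     for r in filter(None, map(parse_line, lines)))
    return sorted({src for (src, _, _), n in counts.items() if n >= threshold})


if __name__ == "__main__":
    print("stager fetches:", flag_stager_fetches(SAMPLE_LOG))
    print("IoC contacts:", flag_ioc_contacts(SAMPLE_LOG))
    print("repetitive sources:", flag_repetitive_sources(SAMPLE_LOG))
```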
While the AWS outage botnet did not stay active, the infection proved that vulnerabilities leave long-term openings. Attackers wait for moments when regular security activity slows down. An outage or a service disruption creates the perfect window. The ShadowV2 incident also shows that attackers may repeat this strategy in future events.
Organizations that use cloud systems rely on both their own defenses and the security teams of cloud providers. Cloud service outages can delay notifications. They can also reduce visibility for customers. Security teams must prepare for these moments by setting up alerts that continue to function even during service disruption periods.
IoT security should now be part of every incident response plan. Teams should treat IoT equipment as critical endpoints rather than simple accessories. Any device that connects to a network can become a threat source. The AWS outage botnet serves as a clear reminder of this.
SquaredTech encourages organizations to study the technical reports from Fortinet and Microsoft. These documents explain infection routes, malware behavior, and the infrastructure that supports ShadowV2. Each detail offers guidance for better defense planning.
The AWS outage botnet event may be over, but its lessons remain active today. It revealed how fast a Mirai variant can move, how broad a botnet can grow during a single outage, and how easily attackers can use simple vulnerabilities for global impact. SquaredTech believes that organizations must use this incident as a case study for stronger IoT security, better cloud monitoring, and improved response plans during service disruptions. The next major outage may offer threat actors another chance, and the best defense begins with clear preparation.