TRENDING TOPICS NOV 28, 2025

Update: ShadowV2 IoT Malware Expands Mirai Tactics During AWS Outage

ShadowV2 is a new Mirai-based botnet variant that researchers observed spreading during the late-October global AWS disruption, and the timing suggests the operators used the outage as cover for a controlled test run. The malware was delivered through a downloader script that exploited multiple IoT vulnerabilities across D-Link, DD-WRT, DigiEver, TBK, and TP-Link devices, some of which date back more than a decade. Once executed, ShadowV2 decoded its configuration, contacted a C2 server tied to ShadowStresser infrastructure, and registered its capabilities, which include an array of UDP, TCP, and HTTP flood attacks. The campaign affected organizations across every major region, with victims spread throughout the Americas, Europe, Africa, Asia, and Oceania, and impacted seven industries ranging from tech and manufacturing to telecom and government. FortiGuard sensors saw the malware propagate from multiple exploit attempts, confirming the operators were actively testing scalability and target diversity rather than conducting a full destructive operation. Technical analysis shows that ShadowV2 is a purpose-built evolution of Mirai, designed to thrive in IoT environments where firmware patch cycles are slow and exposed surfaces accumulate over time. The botnet’s configuration is XOR-encoded, includes numerous hardcoded paths and user-agent strings, and falls back to direct IP communication if its C2 domain fails to resolve. Although activity dropped once the AWS outage ended, the botnet’s behavior and global footprint suggest this wave was reconnaissance ahead of a larger campaign. Organizations running any of the affected hardware should patch immediately, harden external interfaces, and monitor outbound traffic to ShadowV2-linked infrastructure.
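The XOR-encoded configuration mentioned above is the kind of artifact an analyst decodes first, because it holds the hardcoded paths, user-agent strings and fallback C2 addresses worth blocking. The example below is added here and is not code from the ShadowV2 sample or from FortiGuard: it assumes a Mirai-style table layout (length-prefixed strings, each XOR-ed with a repeating 4-byte key), uses a constructed key and constructed strings, and shows how a known user-agent prefix can recover the key when it is not yet known.

```python
# Assumed layout (Mirai-style, not taken from ShadowV2): each entry is
# <len: 1 byte><payload XOR-ed with a repeating key, key index restarting per entry>.
KEY = bytes.fromhex("deadbeef")  # constructed key for this example, not the real one
PLAIN = [b"/bin/busybox", b"Mozilla/5.0 (X11; Linux x86_64)", b"/dev/watchdog"]  # constructed

def xor(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def build_table(entries, key):
    """Build a constructed config blob so the decoder can be exercised offline."""
    return b"".join(bytes([len(e)]) + xor(e, key) for e in entries)

def parse_table(blob: bytes, key: bytes):
    """Walk the length-prefixed entries and decode each payload with the key."""
    out, i = [], 0
    while i < len(blob):
        n = blob[i]
        out.append(xor(blob[i + 1:i + 1 + n], key))
        i += 1 + n
    return out

def recover_key(blob: bytes, crib: bytes, key_len: int = 4):
    """Known-plaintext key recovery: slide a crib (e.g. a user-agent prefix)
    over the blob, try every key phase, and keep the first key that decodes
    the crib consistently and also reproduces the crib in the parsed table."""
    for off in range(len(blob) - len(crib) + 1):
        for phase in range(key_len):
            key = [None] * key_len
            for j, p in enumerate(crib):
                slot = (phase + j) % key_len
                k = blob[off + j] ^ p
                if key[slot] not in (None, k):
                    break          # inconsistent: not this offset/phase
                key[slot] = k
            else:
                if None not in key:
                    cand = bytes(key)
                    if any(crib in e for e in parse_table(blob, cand)):
                        return cand
    return None

if __name__ == "__main__":
    blob = build_table(PLAIN, KEY)
    key = recover_key(blob, b"Mozilla/")
    for entry in parse_table(blob, key):
        print(entry.decode(errors="replace"))
```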

Update: Scattered Lapsus$ Hunters Expand to Zendesk in New Multi-Vector Supply-Chain Campaign

Scattered Lapsus$ Hunters have launched a new, highly coordinated campaign targeting Zendesk environments, marking a strategic continuation of their 2025 supply-chain offensive. Researchers identified more than 40 typosquatted domains registered through NiceNic and masked behind Cloudflare, all designed to mimic legitimate Zendesk login and SSO flows. These fake portals capture high-privilege credentials and are paired with a second delivery vector: fraudulent support tickets submitted directly into real Zendesk portals. The tickets pose as urgent admin requests and contain malicious links or payloads that infect help-desk staff with remote-access malware. This dual-track approach mirrors the group’s earlier Salesforce and Discord breaches, indicating a deliberate expansion of their SaaS-focused targeting. Once attackers obtain access, they establish persistence, move laterally, and harvest sensitive customer data, including billing details and identity documents. The campaign repeats the same registry patterns, phishing infrastructure, and credential-stealing workflows seen in previous Scattered Lapsus$ Hunters operations, strongly suggesting this is the next phase of their broader 2025 supply-chain strategy. Telegram posts from the group brag about running multiple campaigns simultaneously and explicitly warn incident responders to “watch their logs” through the 2026 holiday season. As Zendesk becomes the latest casualty in this multipronged campaign, organizations are urged to harden access to support platforms, deploy proactive domain monitoring, and treat customer service infrastructure with the same scrutiny as core operational systems.

Legacy Bootstrap Script Exposes PyPI Ecosystem to Domain Takeover Risk

ReversingLabs uncovered a long-standing supply chain weakness in several legacy Python packages that still ship a bootstrap.py script capable of downloading and executing code from the abandoned domain python-distribute[.]org. This domain, once used to install the now-defunct “distribute” package, has been unmaintained since 2014 and is currently parked and available for purchase. Any attacker who acquires the domain could host a malicious installer that would automatically execute on developer systems that run these bootstrap scripts, creating a direct path to remote code execution. Because the vulnerable bootstrap files were included across multiple popular PyPI packages over the years (including slapos.core, pypiserver, xlutils, testfixtures, roman, and others), the exposure persists in production environments that rely on older code or automation workflows that invoke the script via Makefiles. The issue highlights how legacy packaging tools and outdated installation workflows can silently introduce modern supply chain risks. Even though setuptools replaced distribute years ago, the lingering bootstrapping logic represents an overlooked attack surface similar to previous domain-takeover exploits such as the 2023 fsevents incident. While there is no evidence of active abuse of python-distribute[.]org, the pattern underscores the dangers of fetching executable content from fixed domains and the broader problem of code rot in open-source ecosystems. Developers should immediately remove bootstrap.py from build systems, audit older PyPI packages for the vulnerable pattern, and ensure no automated processes still invoke distribute-related bootstrapping code.
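The audit the write-up recommends can be scripted. The example below is added here and is not ReversingLabs' tooling: it walks a source tree, flags any bootstrap.py, Makefile, setup.py or ez_setup.py that references python-distribute.org, that downloads from a fixed URL and executes the result, or (for Makefiles) that invokes bootstrap.py. The file list and the fetch/exec patterns are assumptions about what the legacy code looks like; the sample tree in demo() is constructed.

```python
import os
import re
import tempfile
from pathlib import Path

# The domain is the one named in the write-up; the regexes and file names are
# assumptions about how legacy distribute bootstrapping code is written.
ABANDONED_DOMAIN = "python-distribute.org"
FETCH_RE = re.compile(r"(?:urlopen|urlretrieve|curl|wget)[^\n]*?https?://([\w.-]+)")
EXEC_RE = re.compile(r"\b(?:exec|execfile|subprocess\.|os\.system)\b")
FILES_OF_INTEREST = {"bootstrap.py", "Makefile", "setup.py", "ez_setup.py"}

def scan_file(path: Path):
    """Return one finding string per risky pattern found in a single file."""
    findings = []
    text = path.read_text(errors="replace")
    if ABANDONED_DOMAIN in text:
        findings.append(f"{path.name}: references abandoned domain {ABANDONED_DOMAIN}")
    hosts = sorted(set(FETCH_RE.findall(text)))
    if hosts and EXEC_RE.search(text):
        findings.append(f"{path.name}: downloads from {hosts} and executes the result")
    if path.name == "Makefile" and "bootstrap.py" in text:
        findings.append(f"{path.name}: build target invokes bootstrap.py")
    return findings

def audit_tree(root: str):
    """Walk a checkout and collect findings from the files of interest."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name in FILES_OF_INTEREST:
                findings.extend(scan_file(Path(dirpath) / name))
    return sorted(findings)

def demo():
    """Audit a constructed sample tree that mimics the legacy pattern."""
    root = tempfile.mkdtemp()
    (Path(root) / "bootstrap.py").write_text(
        'from urllib.request import urlopen\n'
        'src = urlopen("http://python-distribute.org/distribute_setup.py").read()\n'
        'exec(src)\n')
    (Path(root) / "Makefile").write_text("install:\n\tpython bootstrap.py\n")
    (Path(root) / "setup.py").write_text("from setuptools import setup\nsetup(name='x')\n")
    return audit_tree(root)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```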

Top CVEs of the Week

As part of our ongoing vulnerability monitoring, the following CVEs highlight recent security issues that could affect a range of systems, applications, and devices. These findings reflect the constantly evolving threat landscape and reinforce the importance of timely patching, secure configurations, and proactive security practices. Below is a summary of notable vulnerabilities, including their impact and any available remediation guidance.

CVE Security Vulnerability Dashboard

CVE-2025-59287 (Critical) – Windows Server Update Services – Unsafe deserialization
A critical vulnerability in Windows Server Update Services (WSUS) stems from unsafe deserialization of untrusted data received over the network, allowing unauthenticated remote attackers to execute arbitrary code on WSUS servers.
Mitigation: Immediately apply Microsoft's security update, restrict WSUS exposure to trusted networks only, and harden WSUS communication channels with TLS and strict access controls.

CVE-2025-61757 (Critical) – Oracle Fusion Middleware – Identity Manager API
The flaw affects the Identity Manager REST WebServices component of Oracle Fusion Middleware in versions 12.2.1.4.0 and 14.1.2.1.0, allowing unauthenticated attackers to compromise identity management infrastructure through exposed REST APIs.
Mitigation: Oracle customers should urgently apply the corresponding Critical Patch Update and restrict public exposure of Identity Manager APIs through network segmentation and WAF rules.

CVE-2025-64755 (High) – Claude Code < 2.0.31 – Read-only bypass
Claude Code prior to version 2.0.31 parses sed commands incorrectly, which lets crafted command sequences bypass read-only protections and perform unauthorized file modifications.
Mitigation: Upgrade to Claude Code version 2.0.31 or later immediately and restrict execution privileges for automated tooling to minimize file-write impact in development environments.
Summary: 3 CVEs total, 2 rated Critical, 3 with enterprise impact, patches available for 100%.
Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.