ShadowWizardMoneyGang Attack Analysis and Network Fingerprint Extraction
On November 21, 2025, a bot operator using the user agent ShadowWizardMoneyGang attempted to conduct a POST-based attack against what they believed was an open Google Cloud Run endpoint. Instead of reaching any production infrastructure, every request was directed into a controlled honeypot environment designed for traffic analysis and behavioral fingerprinting.
Because the endpoint was a honeypot, the attack posed zero risk to any operational workloads. Instead, it provided a complete, high-resolution network fingerprint of the attacker's automated system, including payload characteristics, burst timing, IP distribution, and replay behavior.
This post documents the event and the resulting attacker profile.
Overview of the Event
A total of 4445 hostile POST requests were recorded across Cloud Run and Firebase Hosting. All traffic was isolated within the honeypot and did not interact with any live application surfaces.
Key identifiers captured
- User agent: ShadowWizardMoneyGang
- Total captured events: 4445
- Primary attack wave: 4190 events over 1865.905 seconds
- Geographic relay: Naaldwijk, Netherlands (212.8.253.77)
- Additional carriers: Google-controlled IP blocks 66.249.* and 142.250.*
The event provides a complete signature for this bot operator’s infrastructure.
Phase 1. Validation Probing
Between 19:09:08 and 19:09:39, the attacker issued malformed POST payloads that yielded HTTP 500 responses. This activity constitutes an initial probing phase.
Observed behavior
- Invalid POST formatting
- Immediate repetition at short intervals
- Simultaneous mirrored requests to Firebase Hosting from 212.8.253.77
- Identical user agent on all requests
This confirms that the operator was attempting to determine whether the endpoint was permissive, misconfigured, or improperly authenticated.
Phase 2. Full Attack Wave
The primary automated attack wave lasted from 18:58:39.152Z to 19:29:45.057Z and consisted of 4190 POST requests.
Technical characteristics
- Target path: honeypotIngest
- Payload sizes: consistently 1185 to 1209 bytes
- All Cloud Run responses: HTTP 200
- All payloads isolated within honeypot runtime
- Replay behavior visible across Google IPs and the Netherlands relay
This pattern indicates a coordinated replay attack, not opportunistic scanning. The operator is using a controlled network of distribution points that operate with predictable timing and fixed payload structure.
Phase 3. Aggregated Analytics
Internal analysis classified the event into the following categories:
- impregnated again: 4190
- rage_clicks: 254
- unknown: 1
The system identified:
- One attacker entity
- Eight temporal clusters
- 4445 total captured events
The largest cluster corresponds exactly to the main attack wave.
This level of consistency provides a reliable signature for future identification and automated blocking.
Extracted Network Fingerprint
From this single event, the following attacker fingerprint can be extracted and used for classification across all Formant Security systems:
- User agent: ShadowWizardMoneyGang
- Burst timing: 1800 to 1900 second replay window
- Payload structure: 1185 to 1209 byte envelopes
- Carriers:
  - Google ranges 66.249.*
  - Google ranges 142.250.*
  - Netherlands relay 212.8.253.77
This combination of timing, user agent, payload size, and carrier distribution forms a distinct and reproducible identifier for this bot network.
If these characteristics appear in future traffic across any environment, they can be immediately and confidently attributed to the same operator or toolkit.
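As an added example (not part of the original post or of any tooling the author describes), the following Python matcher applies the fingerprint above to constructed log lines and also performs the gap-based temporal clustering that Phase 3 refers to. The tab-separated log format, the sample lines, and the 60-second cluster gap are assumptions made for this example; the indicator values (user agent, 1185 to 1209 byte payloads, the 66.249.* and 142.250.* ranges, and the 212.8.253.77 relay) are the ones listed in this post.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime

# Indicator values taken from the post. The gap threshold used to split
# temporal clusters is an assumption made for this example.
FINGERPRINT_UA = "ShadowWizardMoneyGang"
PAYLOAD_MIN, PAYLOAD_MAX = 1185, 1209
CARRIER_NETS = [ipaddress.ip_network("66.249.0.0/16"),
                ipaddress.ip_network("142.250.0.0/16")]
RELAY_IP = ipaddress.ip_address("212.8.253.77")
CLUSTER_GAP_SECONDS = 60.0

# Constructed sample log (tab-separated): ts, ip, method, path, status, bytes, user agent.
SAMPLE_LOG = """\
2025-11-21T19:09:08.000Z\t212.8.253.77\tPOST\t/honeypotIngest\t500\t1190\tShadowWizardMoneyGang
2025-11-21T19:09:10.500Z\t66.249.93.98\tPOST\t/honeypotIngest\t200\t1201\tShadowWizardMoneyGang
2025-11-21T19:09:11.000Z\t142.250.32.1\tPOST\t/honeypotIngest\t200\t1185\tShadowWizardMoneyGang
2025-11-21T19:20:00.000Z\t66.249.93.100\tGET\t/robots.txt\t200\t0\tMozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
2025-11-21T19:40:00.000Z\t203.0.113.9\tPOST\t/honeypotIngest\t200\t1200\tShadowWizardMoneyGang
2025-11-21T19:40:05.000Z\t66.249.93.98\tPOST\t/honeypotIngest\t200\t1209\tShadowWizardMoneyGang
"""


@dataclass
class Event:
    ts: datetime
    ip: str
    method: str
    path: str
    status: int
    size: int
    ua: str


def parse_log(text: str) -> list[Event]:
    """Parse the constructed tab-separated format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, method, path, status, size, ua = line.split("\t", 6)
        events.append(Event(
            ts=datetime.fromisoformat(ts.replace("Z", "+00:00")),
            ip=ip, method=method, path=path,
            status=int(status), size=int(size), ua=ua,
        ))
    return events


def classify(ev: Event) -> str:
    """Return 'attributed', 'partial' or 'none' for one event.

    IP alone is deliberately not sufficient: the 66.249.* and 142.250.* blocks
    are Google-controlled, so a match needs the user agent and payload size too.
    """
    ua_hit = ev.ua == FINGERPRINT_UA
    size_hit = ev.method == "POST" and PAYLOAD_MIN <= ev.size <= PAYLOAD_MAX
    addr = ipaddress.ip_address(ev.ip)
    carrier_hit = addr == RELAY_IP or any(addr in net for net in CARRIER_NETS)
    if ua_hit and size_hit and carrier_hit:
        return "attributed"
    if ua_hit and size_hit:
        return "partial"  # same toolkit signature, carrier not yet known
    return "none"


def temporal_clusters(events: list[Event], gap: float = CLUSTER_GAP_SECONDS) -> list[dict]:
    """Group events into bursts; a new cluster starts after a silence longer than `gap` seconds."""
    clusters = []
    for ev in sorted(events, key=lambda e: e.ts):
        if clusters and (ev.ts - clusters[-1]["end"]).total_seconds() <= gap:
            clusters[-1]["end"] = ev.ts
            clusters[-1]["count"] += 1
        else:
            clusters.append({"start": ev.ts, "end": ev.ts, "count": 1})
    for c in clusters:
        c["duration"] = (c["end"] - c["start"]).total_seconds()
    return clusters


def analyze(text: str) -> dict:
    """Classify every event and cluster the attributed ones in time."""
    verdicts = {"attributed": [], "partial": [], "none": []}
    for ev in parse_log(text):
        verdicts[classify(ev)].append(ev)
    return {
        "counts": {k: len(v) for k, v in verdicts.items()},
        "clusters": temporal_clusters(verdicts["attributed"]),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print(result["counts"])
    for c in result["clusters"]:
        print(c["start"].isoformat(), c["count"], c["duration"])
```

The "partial" verdict is the useful middle ground for a defender: it keeps the user agent and payload-size signature as a detection even when the toolkit is replayed from a carrier not yet on the list, while an "attributed" verdict still requires all three indicators so that ordinary Google crawler traffic from the same ranges is never matched on IP alone.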
Operational Impact
- No operational infrastructure was touched.
- No customer traffic was affected.
- No production data was exposed.
The honeypot performed exactly as designed. It absorbed malicious traffic, logged it, and produced a complete intelligence record of the bot’s behavior.
Why This Matters
This event highlights a common pattern among low-skill threat actors who rely on spoofed Googlebot traffic and basic automation tools to imitate high-capability scanning behavior. In this case, the operator behind the ShadowWizardMoneyGang user agent demonstrated no real sophistication. Their tooling replayed traffic through predictable IP ranges, used uniform payload structures, and exposed their entire attack vector the moment it interacted with a controlled endpoint.
Instead of reaching an unsecured Cloud Run surface, the bot delivered all of its operational fingerprints directly into a honeypot. This includes payload size signatures, burst timing, IP distribution, and replay behavior. These characteristics now provide a stable identifier for this attacker group across any future domain or environment.
This is not evidence of an advanced adversary. It is evidence of a misconfigured, overconfident botnet using commodity spoofing software that reveals more about its operators than it conceals.
Final Thoughts
This incident demonstrates the value of running controlled honeypots across cloud infrastructure. Even low-skill adversaries can generate useful intelligence when their automated tools expose timing signals, replay behavior, and network distribution patterns. ShadowWizardMoneyGang is not a sophisticated operator, but their activity still contributes to a broader understanding of how spoofed Googlebot traffic is being misused across the public internet.
If you are a security professional, researcher, or infrastructure engineer and want to compare notes, collaborate on signatures, or discuss defensive strategies, feel free to reach out. I actively maintain these datasets and will continue publishing findings when new patterns emerge.
If you are an attacker and believe this is an invitation, understand that all traffic is logged, fingerprinted, and archived. Any attempt to probe or exploit my systems will be recorded and reported. The honeypot exists to collect intelligence, not to provide opportunity.
Report this list here
66.249.93.98, 66.249.93.100, 66.249.93.101
66.249.93.102, 66.249.93.103, 66.249.93.128
66.249.93.129, 66.249.93.130, 66.249.93.133
66.249.93.134, 66.249.93.136, 66.249.93.138
66.249.93.140, 66.249.93.142, 66.249.93.165
66.249.93.166, 66.249.93.167, 66.249.93.168
66.249.93.169, 66.249.93.170, 66.249.93.171
66.249.93.172, 66.249.93.194, 66.249.93.196
66.249.93.197, 66.249.93.198, 66.249.93.199
66.249.93.201, 66.249.93.203, 66.249.93.204
66.249.93.205, 66.249.93.225, 66.249.93.226
66.249.93.228, 66.249.93.230, 66.249.93.231
66.249.93.232, 66.249.93.234
142.250.32.1, 142.250.32.2, 142.250.32.3
142.250.32.4, 142.250.32.5, 142.250.32.7
142.250.32.8, 142.250.32.32, 142.250.32.33
142.250.32.34, 142.250.32.35, 142.250.32.37
142.250.32.38, 142.250.32.39, 142.250.32.40
142.250.32.41
Origin IP for Attack Coordinator
212.8.253.77