New Mirai-Based Botnet "xlabs_v1" Targets Exposed Android and IoT Devices for DDoS Attacks
Cybersecurity researchers at Hunt.io have uncovered a new Mirai-derived botnet, xlabs_v1, designed to hijack internet-exposed devices running Android Debug Bridge (ADB) and enlist them in a DDoS-for-hire service. The malware was discovered after an unsecured directory was found on a Netherlands-based server (176.65.139[.]44), revealing its infrastructure and attack capabilities.
The botnet supports 21 flood attack variants across TCP, UDP, and raw protocols, including RakNet and OpenVPN-shaped UDP, allowing it to bypass consumer-grade DDoS protections. Its primary targets include game servers and Minecraft hosts, with the malware marketed as a DDoS-for-hire service likely operating on a bandwidth-tiered pricing model.
Key Features & Targets
- Primary Targets: Android devices with exposed ADB services (TCP port 5555), including Android TV boxes, set-top boxes, smart TVs, and IoT hardware.
- Multi-Architecture Support: The malware includes builds for ARM, MIPS, x86-64, and ARC, expanding its reach to residential routers and embedded devices.
- Bandwidth Profiling: The botnet measures victim bandwidth by opening 8,192 TCP sockets to the nearest Speedtest server, saturating them for 10 seconds before reporting results to the operator’s panel (xlabslover[.]lol). This data is used to assign devices to pricing tiers.
- No Persistence Mechanism: Since the malware does not establish persistence, operators must re-infect devices via ADB after each reboot.
- Competitor Elimination: A "killer" subsystem terminates rival botnets to monopolize the victim’s upstream bandwidth for DDoS attacks.
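Two of the behaviours listed above leave distinctive traces in connection logs: an Internet host reaching TCP 5555 on an internal device, and a device opening thousands of sockets to one remote within about ten seconds. The following detection sketch is an added example, not code from Hunt.io or from the malware. The flow tuple layout, the alert threshold of 1,000, the RFC 1918 internal ranges, and all sample addresses and ports are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

ADB_PORT = 5555         # from the report: exposed ADB service on TCP 5555
WINDOW_S = 10           # from the report: sockets are saturated for 10 seconds
BURST_THRESHOLD = 1000  # assumption: alert far below the reported 8,192 sockets
INTERNAL = [ipaddress.ip_network(n) for n in   # assumption: site uses RFC 1918 space
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)

def analyze(flows):
    """flows: (epoch_s, src_ip, src_port, dst_ip, dst_port) per new TCP connection."""
    adb_hits, opens = set(), defaultdict(list)
    for ts, src, _sport, dst, dport in sorted(flows):
        # Internet host reaching ADB on an internal device: the infection vector.
        if dport == ADB_PORT and is_internal(dst) and not is_internal(src):
            adb_hits.add((src, dst))
        # Outbound connection starts, grouped per (device, remote, port).
        if is_internal(src) and not is_internal(dst):
            opens[(src, dst, dport)].append(ts)
    bursts = {}
    for key, stamps in opens.items():
        lo = best = 0
        for hi, ts in enumerate(stamps):      # sliding window over sorted times
            while ts - stamps[lo] > WINDOW_S:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= BURST_THRESHOLD:
            bursts[key] = best
    return adb_hits, bursts

def constructed_flows():
    """Constructed sample; documentation addresses stand in for Internet hosts."""
    flows = [(100, "203.0.113.7", 40000, "192.168.1.50", 5555),   # inbound ADB
             (110, "192.168.1.10", 40001, "192.168.1.50", 5555)]  # LAN ADB, ignored
    # TV box opens 8,192 sockets to one remote within two seconds.
    flows += [(160 + i * 2 / 8192, "192.168.1.50", 1024 + i, "198.51.100.20", 8080)
              for i in range(8192)]
    # Ordinary browsing from another host: 40 connections over a minute.
    flows += [(200 + i * 1.5, "192.168.1.10", 50000 + i, "198.51.100.30", 443)
              for i in range(40)]
    return flows

if __name__ == "__main__":
    hits, bursts = analyze(constructed_flows())
    print("inbound ADB from Internet:", sorted(hits))
    print("socket bursts:", bursts)
```

Because the malware has no persistence, an inbound ADB hit that recurs against the same device after reboots is a useful correlation to add on top of these two signals.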
Attribution & Infrastructure
The threat actor behind xlabs_v1 operates under the alias "Tadashi", identified via a ChaCha20-encrypted string in the malware. While the exact identity remains unknown, further analysis of the hosting infrastructure (176.65.139[.]42) revealed a VLTRig Monero-mining toolkit, though it is unclear if the same actor is responsible for both operations.
Hunt.io describes xlabs_v1 as a "mid-tier" commercial DDoS operation, more advanced than typical Mirai forks but less sophisticated than top-tier DDoS-for-hire services. Its focus on price and attack variety suggests it targets consumer IoT devices, residential routers, and small game-server operators.
Broader Context
The discovery follows a separate report from Darktrace, which observed an intentionally misconfigured Jenkins honeypot being exploited to deploy a DDoS botnet from a remote server (103.177.110[.]202). The attack included evasion techniques, reinforcing the ongoing threat to gaming infrastructure and the need for robust mitigation strategies.
Source: https://thehackernews.com/2026/05/mirai-based-xlabsv1-botnet-exploits-adb.html
Hunt.io TPRM report: https://www.rankiteo.com/company/hunt-intelligence-inc
"id": "hun1778106292",
"linkid": "hunt-intelligence-inc",
"type": "Cyber Attack",
"date": "5/2026",
"severity": "25",
"impact": "1",
"explanation": "Attack without any consequences"
{'affected_entities': [{'industry': 'Gaming, IoT, Consumer Electronics',
'type': 'Game servers, Minecraft hosts, consumer IoT '
'devices, residential routers'}],
'attack_vector': 'Exposed Android Debug Bridge (ADB) (TCP port 5555)',
'description': 'Cybersecurity researchers at Hunt.io have uncovered a new '
'Mirai-derived botnet, xlabs_v1, designed to hijack '
'internet-exposed devices running Android Debug Bridge (ADB) '
'and enlist them in a DDoS-for-hire service. The malware '
'supports 21 flood attack variants across TCP, UDP, and raw '
'protocols, targeting game servers and Minecraft hosts. The '
'botnet measures victim bandwidth to assign devices to pricing '
'tiers and operates without persistence, requiring '
"re-infection via ADB after reboots. A 'killer' subsystem "
'terminates rival botnets to monopolize bandwidth.',
'impact': {'operational_impact': 'DDoS attacks on game servers and Minecraft '
'hosts',
'systems_affected': 'Android TV boxes, set-top boxes, smart TVs, '
'IoT hardware, residential routers, embedded '
'devices'},
'initial_access_broker': {'entry_point': 'Exposed ADB services',
'high_value_targets': 'Game servers, Minecraft '
'hosts'},
'investigation_status': 'Ongoing',
'motivation': 'Financial gain (DDoS-for-hire service)',
'post_incident_analysis': {'corrective_actions': 'Disable ADB on '
'public-facing devices, '
'implement network '
'segmentation, deploy DDoS '
'mitigation tools, and '
'monitor for unusual '
'bandwidth usage.',
'root_causes': 'Exposed ADB services on Android '
'and IoT devices, lack of '
'persistence mechanisms, and weak '
'DDoS protections on consumer-grade '
'systems'},
'recommendations': 'Secure exposed ADB services, implement robust DDoS '
'mitigation strategies, monitor for rival botnet '
'terminations, and enhance IoT device security.',
'references': [{'source': 'Hunt.io'}, {'source': 'Darktrace'}],
'response': {'third_party_assistance': 'Hunt.io (cybersecurity researchers)'},
'threat_actor': 'Tadashi (alias)',
'title': "New Mirai-Based Botnet 'xlabs_v1' Targets Exposed Android and IoT "
'Devices for DDoS Attacks',
'type': 'DDoS Botnet',
'vulnerability_exploited': 'Exposed ADB services on Android and IoT devices'}