Minecraft and Offshore LC: New xlabs_v1 Botnet Targets Minecraft Servers Through ADB-Exposed Android Devices

New xlabs_v1 Botnet Targets Minecraft Servers via Exposed Android ADB Ports

A recently discovered botnet, xlabs_v1, is exploiting Android devices with exposed Android Debug Bridge (ADB) ports to launch DDoS-for-hire attacks against Minecraft game servers. Based on the Mirai malware, this operation allows paying customers to flood servers with traffic, disrupting gameplay.

The botnet targets any internet-facing device running ADB on TCP port 5555, including Android TV boxes, smart TVs, routers, and IoT hardware with ADB enabled by default. Once compromised, the malware drops a binary into /data/local/tmp/, executes it, and recruits the device into a botnet fleet. A specialized RakNet flood variant is used to attack Minecraft servers, with the bot binary distributed over TCP port 25565, the default Minecraft server port.

Security researchers at Hunt.io uncovered the operation in early April 2026 while monitoring bulletproof-hosting netblocks. An exposed directory on a Netherlands-based server (176.65.139[.]44) hosted by Offshore LC (AS214472) revealed the full toolkit, including ELF binaries, infection payloads, and proxy credentials. Analysis of an unstripped development build exposed the C2 domain (xlabslover[.]lol), the operator’s handle (Tadashi), and an authentication token embedded in every bot variant.

The botnet’s infrastructure is confined to a single /24 netblock, housing the C2 server, staging host, and distribution nodes. A Monero cryptomining campaign using VLTRig was also detected on the same netblock, though its connection to xlabs_v1 remains unconfirmed.

Infection & Evasion Tactics

Once installed, the malware employs multiple stealth techniques:

  • Blocks SIGINT signals to prevent interruption.
  • Erases startup arguments to hide its origin.
  • Decrypts ChaCha20-encrypted strings containing C2 details.
  • Masquerades as /bin/bash to evade process monitoring.
  • Daemonizes itself, closing I/O handles to run silently.
  • Kills competing malware, including a rival bot on TCP port 24936.
  • Opens a fallback listener (TCP 26721) if C2 communication fails.
  • Profiles bandwidth by testing upload speeds via Speedtest servers, allowing tiered pricing for DDoS customers.
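
Several of these behaviours leave traces a defender can check on the device itself. The following is an added example, not code from Hunt.io or the original article: it scores a process snapshot against rules derived from the list above. The Proc record, its field names, the rule names and the two-hit threshold are assumptions made for illustration; the path and port come from the article.

```python
from dataclasses import dataclass, field

STAGING_DIR = "/data/local/tmp/"   # drop location named in the article
FALLBACK_PORT = 26721              # fallback listener named in the article

@dataclass
class Proc:                        # hypothetical snapshot record
    pid: int
    exe: str                       # target of the /proc/<pid>/exe link
    cmdline: str                   # /proc/<pid>/cmdline, NULs as spaces
    fds: set = field(default_factory=set)        # numbers under /proc/<pid>/fd
    listening: set = field(default_factory=set)  # TCP ports in LISTEN state

def triage(p):
    """Return the names of the rules that fire for one process."""
    exe = p.exe.split(" (deleted)")[0]   # kernel suffix for unlinked binaries
    argv0 = p.cmdline.split(" ")[0]
    hits = []
    if exe.startswith(STAGING_DIR):
        hits.append("exe_in_staging_dir")
    if argv0.endswith("/bash") and not exe.endswith("/bash"):
        hits.append("argv0_claims_bash")      # name does not match the binary
    if exe and not p.cmdline.strip():
        hits.append("argv_erased")            # userland process, empty argv
    if not p.fds & {0, 1, 2}:
        hits.append("stdio_closed")           # daemonized, no stdin/out/err
    if FALLBACK_PORT in p.listening:
        hits.append("fallback_listener")
    return hits

def suspicious(procs, threshold=2):
    """PIDs with at least `threshold` hits; one hit alone is too noisy."""
    return {p.pid: triage(p) for p in procs if len(triage(p)) >= threshold}

# Constructed snapshot for illustration, not captured from a real device.
SNAPSHOT = [
    Proc(1201, "/system/bin/sh", "/system/bin/sh -c logcat", {0, 1, 2}),
    Proc(1450, "/data/local/tmp/arm7", "/bin/bash", set(), {26721}),
    Proc(1502, "/data/local/tmp/arm7 (deleted)", "", {3}),
    Proc(880, "/system/bin/netd", "/system/bin/netd", {3, 4}, {53}),
]

if __name__ == "__main__":
    for pid, hits in suspicious(SNAPSHOT).items():
        print(pid, hits)
```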

Defenders are tracking indicators of compromise, including outbound connections to xlabslover[.]lol (TCP 35342) and pool[.]hashvault[.]pro, as well as suspicious files in /data/local/tmp/arm7. The campaign highlights the risks of unsecured ADB ports on internet-facing devices.
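
The network indicators above can be matched against flow or firewall logs. The following is an added example, not code from the original article or from Hunt.io: it tags constructed flow records with the domains and ports named in this article. The log format, the tag names and the 10.0.0.0/8 internal range are assumptions.

```python
import csv
import io
from ipaddress import ip_address, ip_network

# Indicators as printed (defanged) in the article; refanged only in memory.
IOC_DOMAINS = {"xlabslover[.]lol": "c2_domain",
               "pool[.]hashvault[.]pro": "mining_pool"}
DOMAINS = {d.replace("[.]", "."): tag for d, tag in IOC_DOMAINS.items()}
C2_PORT, ADB_PORT, FALLBACK_PORT = 35342, 5555, 26721
LAN = ip_network("10.0.0.0/8")     # assumption: the monitored internal range

# Constructed records: time,direction,src_ip,dst_ip,dst_port,hostname
# Hostnames are kept defanged here; real logs will carry plain dots.
SAMPLE_LOG = """\
2026-04-03T10:00:01Z,in,203.0.113.9,10.20.0.7,5555,
2026-04-03T10:00:09Z,out,10.20.0.7,203.0.113.50,35342,xlabslover[.]lol
2026-04-03T10:02:30Z,out,10.20.0.7,203.0.113.60,443,pool[.]hashvault[.]pro
2026-04-03T10:03:00Z,out,10.20.0.8,203.0.113.70,443,updates.example.com
2026-04-03T10:05:00Z,in,10.20.0.3,10.20.0.7,5555,
2026-04-03T10:06:00Z,in,203.0.113.9,10.20.0.7,26721,
"""

def match(row):
    """Return the indicator tags that one flow record matches."""
    _, direction, src, _dst, port, host = row
    port, tags = int(port), []
    host = host.lower().rstrip(".").replace("[.]", ".")
    if direction == "out":
        for dom, tag in DOMAINS.items():
            if host == dom or host.endswith("." + dom):   # include subdomains
                tags.append(tag)
        if port == C2_PORT:
            tags.append("c2_port")
    elif ip_address(src) not in LAN:        # inbound from outside the LAN
        if port == ADB_PORT:
            tags.append("adb_reachable_from_internet")
        if port == FALLBACK_PORT:
            tags.append("fallback_listener_contact")
    return tags

def scan(log_text):
    """Map each internal device IP to the sorted tags seen for it."""
    findings = {}
    for row in csv.reader(io.StringIO(log_text)):
        device = row[3] if row[1] == "in" else row[2]
        for tag in match(row):
            findings.setdefault(device, set()).add(tag)
    return {dev: sorted(tags) for dev, tags in findings.items()}

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

ADB connections from inside the internal range (the fifth record) are deliberately not tagged, since the exposure described in the article is reachability from the internet.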

Source: https://cybersecuritynews.com/new-xlabs_v1-botnet-targets-minecraft-servers/

Mojang Studios cybersecurity rating report: https://www.rankiteo.com/company/mojangstudios

Offshore Energy - Fossil Energy cybersecurity rating report: https://www.rankiteo.com/company/offshore-energy-today

"id": "MOJOFF1777912275",
"linkid": "mojangstudios, offshore-energy-today",
"type": "Cyber Attack",
"date": "4/2026",
"severity": "60",
"impact": "2",
"explanation": "Attack limited on finance or reputation"
{'affected_entities': [{'industry': 'Gaming',
                        'name': 'Minecraft game servers',
                        'type': 'Gaming servers'},
                       {'industry': 'Consumer electronics, IoT',
                        'name': 'Android TV boxes, smart TVs, routers, IoT '
                                'hardware',
                        'type': 'IoT/Embedded devices'}],
 'attack_vector': 'Exposed Android Debug Bridge (ADB) ports (TCP 5555)',
 'data_breach': {'data_encryption': 'ChaCha20 (for string decryption)',
                 'file_types_exposed': 'ELF binaries, infection payloads, '
                                       'proxy credentials'},
 'date_detected': '2026-04-01',
 'description': 'A recently discovered botnet, xlabs_v1, is exploiting Android '
                'devices with exposed Android Debug Bridge (ADB) ports to '
                'launch DDoS-for-hire attacks against Minecraft game servers. '
                'Based on the Mirai malware, this operation allows paying '
                'customers to flood servers with traffic, disrupting gameplay. '
                'The botnet targets any internet-facing device running ADB on '
                'TCP port 5555, including Android TV boxes, smart TVs, '
                'routers, and IoT hardware with ADB enabled by default. Once '
                'compromised, the malware drops a binary into '
                '`/data/local/tmp/`, executes it, and recruits the device into '
                'a botnet fleet. A specialized RakNet flood variant is used to '
                'attack Minecraft servers, with the bot binary distributed '
                'over TCP port 25565, the default Minecraft server port.',
 'impact': {'downtime': 'Disrupted gameplay',
            'operational_impact': 'DDoS attacks causing service disruption',
            'systems_affected': 'Android TV boxes, smart TVs, routers, IoT '
                                'hardware, Minecraft game servers'},
 'initial_access_broker': {'backdoors_established': 'Malware drops binary into '
                                                    '`/data/local/tmp/` and '
                                                    'executes it',
                           'entry_point': 'Exposed ADB ports (TCP 5555)',
                           'high_value_targets': 'Minecraft game servers'},
 'investigation_status': 'Ongoing (indicators of compromise being tracked)',
 'lessons_learned': 'Highlights the risks of unsecured ADB ports on '
                    'internet-facing devices.',
 'motivation': 'Financial gain (DDoS-for-hire services)',
 'post_incident_analysis': {'corrective_actions': 'Disable ADB on '
                                                  'internet-facing devices, '
                                                  'implement network '
                                                  'segmentation, and enhance '
                                                  'monitoring for IoT/embedded '
                                                  'devices',
                            'root_causes': 'Unsecured ADB ports on '
                                           'internet-facing devices, lack of '
                                           'monitoring for suspicious outbound '
                                           'connections'},
 'recommendations': 'Secure ADB ports, monitor for suspicious files in '
                    '`/data/local/tmp/`, and block outbound connections to '
                    'known malicious domains (e.g., xlabslover[.]lol).',
 'references': [{'source': 'Hunt.io'}],
 'response': {'enhanced_monitoring': 'Tracking indicators of compromise (e.g., '
                                     'outbound connections to '
                                     'xlabslover[.]lol, '
                                     'pool[.]hashvault[.]pro)',
              'third_party_assistance': 'Hunt.io (security researchers)'},
 'threat_actor': 'Tadashi (operator handle)',
 'title': 'New xlabs_v1 Botnet Targets Minecraft Servers via Exposed Android '
          'ADB Ports',
 'type': 'DDoS-for-hire',
 'vulnerability_exploited': 'Exposed ADB ports on internet-facing devices'}