Mirai-Based xlabs_v1 Botnet Exploits ADB to Hijack IoT Devices for DDoS Attacks

Published: May 6, 2026 at 04:21 PM EDT
3 min read

Source: The Hacker News

Cybersecurity researchers have exposed a new Mirai‑derived botnet that self‑identifies as xlabs_v1 and targets internet‑exposed devices running Android Debug Bridge (ADB) to enlist them in a network capable of carrying out distributed denial‑of‑service (DDoS) attacks.

  • Source: Hunt.io – detailed analysis
  • Discovery: An exposed directory on a Netherlands‑hosted server at IP 176.65.139[.]44 required no authentication.

Capabilities

  • Supports 21 flood variants across TCP, UDP, and raw protocols (including RakNet and OpenVPN‑shaped UDP).
  • Bypasses consumer‑grade DDoS protection.
  • Offered as a DDoS‑for‑hire service targeting game servers and Minecraft hosts.

Target Vector

xlabs_v1 scans for Android devices with an exposed ADB service on TCP port 5555. Potential victims include:

  • Android TV boxes
  • Set‑top boxes
  • Smart TVs
  • Other gear with ADB enabled by default

Malware Details

  • Payload: Android APK named boot.apk.
  • Architecture support: ARM, MIPS, x86‑64, ARC – indicating a focus on residential routers and IoT hardware.
  • Command‑and‑Control: Operator panel at xlabslover[.]lol.
  • Execution: Delivered via ADB shell, pasted into /data/local/tmp.

“The bot is statically‑linked ARMv7, runs on stripped Android firmwares, and is delivered through ADB‑shell pastes into /data/local/tmp,” – Hunt.io.

Bandwidth‑Tiered Pricing

A profiling routine:

  1. Opens 8,192 parallel TCP sockets to the nearest Speedtest server.
  2. Saturates them for 10 seconds.
  3. Reports the measured transfer rate (Mbps) back to the panel.

The panel uses the measured rate to place each compromised device in a pricing tier for paying customers.

“The bot does not write itself to disk persistence locations, does not modify init scripts, does not create systemd units, and does not register cron jobs,” – Hunt.io.
This suggests the operator expects re‑infection for each new attack rather than maintaining persistence.

“Killer” Subsystem

  • Terminates competing malware to monopolize the victim’s upstream bandwidth.
  • The threat actor behind the malware is unknown, but a ChaCha20‑encrypted string in every build points to the moniker “Tadashi.”

Co‑located infrastructure (host 176.65.139[.]42) hosts a VLTRig Monero‑mining toolkit. It is unclear whether the same actor operates both services.

Threat Assessment

“In commercial‑criminal terms, xlabs_v1 is mid‑tier. It is more sophisticated than the typical script‑kiddie Mirai fork, but less sophisticated than the top tier of commercial DDoS‑for‑hire operations,” – Hunt.io.
The operator competes on price and attack variety, not on technical sophistication. Primary targets are consumer IoT devices, residential routers, and small game‑server operators.

Additional Context

Darktrace reported that an intentionally mis‑configured Jenkins instance in its honeypot network was compromised to deploy a DDoS botnet downloaded from a remote server (103.177.110[.]202). The attackers also employed evasion techniques.

“The presence of game‑specific DoS techniques further highlights that the gaming industry continues to be extensively targeted by cyber attackers,” – Darktrace.
Read the full Darktrace analysis.

All IP addresses have been partially redacted ([.]) to prevent accidental scanning.

This botnet has likely already been used against game servers, serving as a reminder for server operators to ensure appropriate mitigations are in place.
