xlabs_v1 Mirai Botnet: Exploiting ADB Across IoT Devices for Large-Scale DDoS Operations
- May 7
- 3 min read
Key Findings
New Mirai-derived botnet called xlabs_v1 targets internet-exposed Android Debug Bridge (ADB) services on port 5555 to compromise IoT devices for DDoS attacks
Supports 21 flood variants across TCP, UDP, and raw protocols including RakNet and OpenVPN-shaped traffic designed to bypass consumer-grade DDoS protection
Operates as a DDoS-for-hire service primarily targeting game servers and Minecraft hosts with bandwidth-tiered pricing
Threat actor uses the moniker "Tadashi" based on ChaCha20-encrypted strings found in bot builds
Discovered through exposed unsecured server (176.65.139.44) in Netherlands hosting entire toolkit without authentication
Bot lacks persistence mechanisms, requiring re-infection after bandwidth profiling operations
Features a "killer" subsystem that terminates competing botnets to monopolize victim device bandwidth
Background
Hunt.io researchers uncovered xlabs_v1 while investigating an exposed directory on a bulletproof-hosted Netherlands server. The discovery was straightforward - the operator had left their complete toolkit publicly accessible over TCP port 80 with zero authentication requirements. The directory contained roughly 200 KB of data including packed ARM binaries, debug builds with intact symbols, ADB exploitation one-liners, a SOCKS5 proxy, and target files. This oversight gave researchers immediate access to analyze the botnet's full capabilities before the operator realized the exposure.
Attack Infrastructure and Targets
The botnet primarily targets devices with ADB enabled by default, particularly Android TV boxes, set-top boxes, smart TVs, and residential routers. Researchers estimate over 4 million devices globally have TCP port 5555 exposed to the internet. The malware exists in multiple architecture builds covering ARM, MIPS, x86-64, and ARC, making it adaptable across diverse IoT hardware. Infection occurs through ADB-shell commands that inject the statically-linked ARMv7 bot into the /data/local/tmp directory.
Flood Capabilities
xlabs_v1's technical sophistication lies in its 21 flood variants specifically engineered to evade standard protections. The attack methods span TCP, UDP, and raw protocols with special game-server focused techniques like RakNet floods for Minecraft and OpenVPN-shaped UDP packets. These variants can bypass typical consumer-grade DDoS mitigation systems, making the botnet effective against its primary targets in the gaming industry.
Monetization Through Bandwidth Profiling
The DDoS-for-hire service employs a unique pricing model based on device bandwidth capacity. Once infected, each bot opens 8,192 parallel TCP sockets to the geographically nearest Speedtest server, saturates them for 10 seconds, and reports the measured data transfer rate in Mbps back to the operator's control panel. This information allows the threat actor to assign compromised devices to appropriate pricing tiers for paying customers. Interestingly, the bot exits after completing bandwidth profiling rather than persisting, since it lacks traditional persistence mechanisms like disk writes, init script modifications, or cron jobs.
Command and Control
The botnet communicates with its C2 panel at xlabslover.lol using a custom TCP protocol supporting bandwidth probes, updates, self-restart, and attack commands. The domain resolves to infrastructure in the Netherlands hosted by Offshore LC using Ultahost nameservers, a provider frequently associated with bulletproof hosting. Infrastructure analysis revealed three co-located hosts in the 176.65.139.0/24 netblock serving staging, distribution, and additional payload delivery functions. Historical scans showed active Mirai C2 activity dating to late March and early April 2026.
Competitive Positioning
Hunt.io characterizes xlabs_v1 as a mid-tier threat in commercial DDoS operations. It surpasses typical script-kiddie Mirai forks in sophistication but falls below top-tier commercial DDoS-for-hire operations. The operator competes primarily on price and attack variety rather than technical innovation. The botnet's design choices reflect commercial intent - it includes only DDoS functionality without credential theft or other features that increase detection risk. Its target demographic consists of consumer IoT device owners, residential router users, and small game-server operators.
Additional Infrastructure Concerns
Further investigation of co-located systems uncovered a VLTRig Monero-mining toolkit on host 176.65.139.42. However, researchers have not determined whether this cryptocurrency-mining operation shares the same threat actor as xlabs_v1. The discovery highlights how compromised infrastructure sometimes hosts multiple malicious operations.
Sources
https://thehackernews.com/2026/05/mirai-based-xlabsv1-botnet-exploits-adb.html
https://securityaffairs.com/191796/malware/from-android-tvs-to-routers-the-xlabs_v1-mirai-based-botnet-built-for-ddos-attacks.html
https://x.com/TheHackersNews/status/2052121694433902787
https://x.com/Dinosn/status/2052212335628951995

Comments