Mirai-Based xlabs_v1 Botnet Exploits ADB to Hijack IoT Devices for DDoS Attacks

Mirai-Based xlabs_v1 Botnet Exploits ADB to Hijack IoT Devices for DDoS Attacks Ravie LakshmananMay 06, 2026IoT Security / Malware Cybersecurity researchers have exposed a new Mirai-derived botnet that self-identifies as xlabs_v1 and targets internet-exposed devices running Android Debug Bridge (ADB) to enlist them in a network capable of carrying out distributed denial-of-service (DDoS) attacks. Hunt.io, which detailed the malware, said it made the discovery after identifying an exposed directory on a Netherlands-hosted server at the IP address "176.65.139[.]44" without requiring any authentication. The malware supports "21 flood variants across TCP, UDP, and raw protocols, including RakNet and OpenVPN-shaped UDP, capable of bypassing consumer-grade DDoS protection," Hunt.io said, adding it's offered as a DDoS-for-hire service designed for targeting game servers and Minecraft hosts. What makes xlabs_v1 notable is that it seeks out Android devices running an exposed ADB service on TCP port 5555, meaning any gear that comes with the tool enabled by default, such as Android TV boxes, set-top boxes, smart TVs, could be a potential target. Besides an Android APK ("boot.apk", the malware supports multi-architecture builds covering ARM, MIPS, x86-64, and ARC, indicating it's also designed to target residential routers and internet-of-things (IoT) hardware. The result is a purpose-built botnet engineered to receive an attack command from the operator's panel ("xlabslover[.]lol") and generate a flood of junk traffic on demand, specifically directing the DDoS attack against game servers. "The bot is statically-linked ARMv7, runs on stripped Android firmwares, and is delivered through ADB-shell pastes into /data/local/tmp," Hunt.io explained. "The operator's nine-variant payload list is tuned for Android TV boxes, set-top boxes, smart TVs, and IoT-grade ARM hardware that ships with ADB enabled." There is evidence indicating that the DDoS-for-hire service features bandwidth-tiered pricing. This assessment is based on the presence of a bandwidth-profiling routine that collects victim bandwidth and geolocation. This component opens 8,192 parallel TCP sockets to the geographically nearest Speedtest server, saturates them for 10 seconds, and reports the measured data transfer rate back to the panel. The goal, Hunt.io noted, is to assign each compromised device to a pricing tier for its paying customers. An important aspect to note here is that the botnet exists after sending the bandwidth information in Megabits per second (Mbps), meaning the operator must re-infect the device a second time through the same ADB exploitation channel, given the absence of a persistence mechanism. "The bot does not write itself to disk persistence locations, does not modify init scripts, does not create systemd units, and does not register cron jobs," Hunt.io said. "This design suggests the operator views bandwidth probing as an infrequent fleet-tier-update operation rather than a per-attack pre-flight check, and the resulting exit-and-re-infect cycle is the design intent." xlabs_v1 also features a "killer" subsystem to terminate competitors so that it can usurp the victim device's full upstream bandwidth to itself and use it to carry out the DDoS attack. It's currently not known who is behind the malware, but the threat actor goes by the moniker "Tadashi," as evidenced by a ChaCha20-encrypted string embedded in every build of the bot. Further analysis of the co-located infrastructure has uncovered a VLTRig Monero-mining toolkit on host 176.65.139[.]42, although it's currently not known if the two sets of activities are the work of the same threat actor. "In commercial-criminal terms, xlabs_v1 is mid-tier. It is more sophisticated than the typical script-kiddie Mirai fork [...], but less sophisticated than the top tier of commercial DDoS-for-hire operations," Hunt.io said. "This operator is competing on price and attack variety, not technical sophistication. Consumer IoT devices, residential routers, and small game-server operators are the target." The development comes as Darktrace revealed that an intentionally misconfigured Jenkins instance in its honeypot network was targeted by unknown threat actors to deploy a DDoS botnet downloaded from a remote server ("103.177.110[.]202"), while simultaneously taking steps to evade detection. "The presence of game-specific DoS techniques further highlights that the gaming industry continues to be extensively targeted by cyber attackers," the company said. "This botnet has likely already been used against game servers, serving as a reminder for server operators to ensure appropriate mitigations are in place." Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share SHARE  Android, botnet, cybersecurity, ddos, Gaming Industry, iot security, Malware, network security, Threat Intelligence, Vulnerability ⚡ Top Stories This Week Checkmarx Confirms GitHub Repository Data Posted on Dark Web After March 23 Attack ⚡ Weekly Recap: Fast16 Malware, XChat Launch, Federal Backdoor, AI Employee Tracking and More LMDeploy CVE-2026-33626 Flaw Exploited Within 13 Hours of Disclosure Harvester Deploys Linux GoGra Backdoor in South Asia Using Microsoft Graph API Critical cPanel Authentication Vulnerability Identified — Update Your Server Immediately Malicious KICS Docker Images and VS Code Extensions Hit Checkmarx Supply Chain Vercel Finds More Compromised Accounts in Context.ai-Linked Breach Microsoft Patches Entra ID Role Flaw That Enabled Service Principal Takeover Apple Fixes iOS Flaw That Let FBI Recover Deleted Signal Messages Researchers Uncover Pre-Stuxnet ‘fast16’ Malware Targeting Engineering Software FIRESTARTER Backdoor Hit Federal Cisco Firepower Device, Survives Security Patches ThreatsDay Bulletin: $290M DeFi Hack, macOS LotL Abuse, ProxySmart SIM Farms +25 New Stories Researchers Discover Critical GitHub CVE-2026-3854 RCE Flaw Exploitable via Single Git Push Chinese Silk Typhoon Hacker Extradited to U.S. Over COVID Research Cyberattacks Bitwarden CLI Compromised in Ongoing Checkmarx Supply Chain Campaign Microsoft Confirms Active Exploitation of Windows Shell CVE-2026-32202 Load More ▼ ⭐ Featured Resources Learn How Hidden Identity Blind Spots Weaken Your Security Systems [Guide] Learn a Practical Framework to Evaluate AI Tools for Production [Webinar] Stop Chasing Alerts and Start Focusing on Real Exposures [Guide] How to Enable Secure Data Movement Without Added Risk