Skip to content

Secure IT

Stay Secure. Stay Informed.

Primary Menu
  • Home
  • Sources
    • Krebs On Security
    • Security Week
    • The Hacker News
    • Schneier On Security
  • Home
  • The Hacker News
  • Mirai-Based xlabs_v1 Botnet Exploits ADB to Hijack IoT Devices for DDoS Attacks
  • The Hacker News

Mirai-Based xlabs_v1 Botnet Exploits ADB to Hijack IoT Devices for DDoS Attacks

[email protected] The Hacker News Published: May 6, 2026 | Updated: May 9, 2026 3 min read
0 views

Cybersecurity researchers have exposed a new Mirai-derived botnet that self-identifies as xlabs_v1 and targets internet-exposed devices running Android Debug Bridge (ADB) to enlist them in a network capable of carrying out distributed denial-of-service (DDoS) attacks.

Hunt.io, which detailed the malware, said it made the discovery after identifying an exposed directory on a Netherlands-hosted server at the IP address “176.65.139[.]44” without requiring any authentication.

The malware supports “21 flood variants across TCP, UDP, and raw protocols, including RakNet and OpenVPN-shaped UDP, capable of bypassing consumer-grade DDoS protection,” Hunt.io said, adding it’s offered as a DDoS-for-hire service designed for targeting game servers and Minecraft hosts.

What makes xlabs_v1 notable is that it seeks out Android devices running an exposed ADB service on TCP port 5555, meaning any gear that comes with the tool enabled by default, such as Android TV boxes, set-top boxes, smart TVs, could be a potential target.

Besides an Android APK (“boot.apk”, the malware supports multi-architecture builds covering ARM, MIPS, x86-64, and ARC, indicating it’s also designed to target residential routers and internet-of-things (IoT) hardware.

The result is a purpose-built botnet engineered to receive an attack command from the operator’s panel (“xlabslover[.]lol”) and generate a flood of junk traffic on demand, specifically directing the DDoS attack against game servers.

“The bot is statically-linked ARMv7, runs on stripped Android firmwares, and is delivered through ADB-shell pastes into /data/local/tmp,” Hunt.io explained. “The operator’s nine-variant payload list is tuned for Android TV boxes, set-top boxes, smart TVs, and IoT-grade ARM hardware that ships with ADB enabled.”

There is evidence indicating that the DDoS-for-hire service features bandwidth-tiered pricing. This assessment is based on the presence of a bandwidth-profiling routine that collects victim bandwidth and geolocation.

This component opens 8,192 parallel TCP sockets to the geographically nearest Speedtest server, saturates them for 10 seconds, and reports the measured data transfer rate back to the panel. The goal, Hunt.io noted, is to assign each compromised device to a pricing tier for its paying customers.

An important aspect to note here is that the botnet exists after sending the bandwidth information in Megabits per second (Mbps), meaning the operator must re-infect the device a second time through the same ADB exploitation channel, given the absence of a persistence mechanism.

“The bot does not write itself to disk persistence locations, does not modify init scripts, does not create systemd units, and does not register cron jobs,” Hunt.io said. “This design suggests the operator views bandwidth probing as an infrequent fleet-tier-update operation rather than a per-attack pre-flight check, and the resulting exit-and-re-infect cycle is the design intent.”

xlabs_v1 also features a “killer” subsystem to terminate competitors so that it can usurp the victim device’s full upstream bandwidth to itself and use it to carry out the DDoS attack. It’s currently not known who is behind the malware, but the threat actor goes by the moniker “Tadashi,” as evidenced by a ChaCha20-encrypted string embedded in every build of the bot.

Further analysis of the co-located infrastructure has uncovered a VLTRig Monero-mining toolkit on host 176.65.139[.]42, although it’s currently not known if the two sets of activities are the work of the same threat actor.

“In commercial-criminal terms, xlabs_v1 is mid-tier. It is more sophisticated than the typical script-kiddie Mirai fork […], but less sophisticated than the top tier of commercial DDoS-for-hire operations,” Hunt.io said. “This operator is competing on price and attack variety, not technical sophistication. Consumer IoT devices, residential routers, and small game-server operators are the target.”

The development comes as Darktrace revealed that an intentionally misconfigured Jenkins instance in its honeypot network was targeted by unknown threat actors to deploy a DDoS botnet downloaded from a remote server (“103.177.110[.]202”), while simultaneously taking steps to evade detection.

“The presence of game-specific DoS techniques further highlights that the gaming industry continues to be extensively targeted by cyber attackers,” the company said. “This botnet has likely already been used against game servers, serving as a reminder for server operators to ensure appropriate mitigations are in place.”

About The Author

[email protected] The Hacker News

See author's posts

Original post here

What do you feel about this?

  • The Hacker News

Post navigation

Previous: MuddyWater Uses Microsoft Teams to Steal Credentials in False Flag Ransomware Attack
Next: vm2 Node.js Library Vulnerabilities Enable Sandbox Escape and Arbitrary Code Execution

Author's Other Posts

cPanel, WHM Release Fixes for Three New Vulnerabilities — Patch Now cpanel-3.jpg

cPanel, WHM Release Fixes for Three New Vulnerabilities — Patch Now

May 9, 2026 0 1
TCLBANKER Banking Trojan Targets Financial Platforms via WhatsApp and Outlook Worms banking.jpg

TCLBANKER Banking Trojan Targets Financial Platforms via WhatsApp and Outlook Worms

May 9, 2026 0 0
Fake Call History Apps Stole Payments From Users After 7.3 Million Play Store Downloads android-calls.jpg

Fake Call History Apps Stole Payments From Users After 7.3 Million Play Store Downloads

May 9, 2026 0 0
One Click, Total Shutdown: The “Patient Zero” Webinar on Killing Stealth Breaches zz-webinar.jpg

One Click, Total Shutdown: The “Patient Zero” Webinar on Killing Stealth Breaches

May 9, 2026 0 1

Related Stories

cpanel-3.jpg
  • The Hacker News

cPanel, WHM Release Fixes for Three New Vulnerabilities — Patch Now

[email protected] The Hacker News May 9, 2026 0 1
banking.jpg
  • The Hacker News

TCLBANKER Banking Trojan Targets Financial Platforms via WhatsApp and Outlook Worms

[email protected] The Hacker News May 9, 2026 0 0
android-calls.jpg
  • The Hacker News

Fake Call History Apps Stole Payments From Users After 7.3 Million Play Store Downloads

[email protected] The Hacker News May 9, 2026 0 0
zz-webinar.jpg
  • The Hacker News

One Click, Total Shutdown: The “Patient Zero” Webinar on Killing Stealth Breaches

[email protected] The Hacker News May 9, 2026 0 1
kube.jpg
  • The Hacker News

Quasar Linux RAT Steals Developer Credentials for Software Supply Chain Compromise

[email protected] The Hacker News May 9, 2026 0 0
ai-soc.jpg
  • The Hacker News

One Missed Threat Per Week: What 25M Alerts Reveal About Low-Severity Risk

[email protected] The Hacker News May 9, 2026 0 1

Trending Now

Who Runs the Ransomware Group ‘The Gentlemen?’ Who Runs the Ransomware Group ‘The Gentlemen?’ 1

Who Runs the Ransomware Group ‘The Gentlemen?’

June 10, 2026 0 0
A Record-Breaking Patch Tuesday for June 2026 2

A Record-Breaking Patch Tuesday for June 2026

June 9, 2026 0 0
Hackers Used Meta’s AI Support Bot to Seize Instagram Accounts Hackers Used Meta’s AI Support Bot to Seize Instagram Accounts 3

Hackers Used Meta’s AI Support Bot to Seize Instagram Accounts

June 1, 2026 0 0
Netherlands Seizes 800 Servers, Arrests 2 for Aiding Cyberattacks Netherlands Seizes 800 Servers, Arrests 2 for Aiding Cyberattacks 4

Netherlands Seizes 800 Servers, Arrests 2 for Aiding Cyberattacks

May 25, 2026 0 0

Connect with Us

Social menu is not set. You need to create menu and assign it to Social Menu on Menu Settings.

Trending News

Who Runs the Ransomware Group ‘The Gentlemen?’ Who Runs the Ransomware Group ‘The Gentlemen?’ 1
  • Uncategorized

Who Runs the Ransomware Group ‘The Gentlemen?’

June 10, 2026 0 0
A Record-Breaking Patch Tuesday for June 2026 2
  • Uncategorized

A Record-Breaking Patch Tuesday for June 2026

June 9, 2026 0 0
Hackers Used Meta’s AI Support Bot to Seize Instagram Accounts Hackers Used Meta’s AI Support Bot to Seize Instagram Accounts 3
  • Uncategorized

Hackers Used Meta’s AI Support Bot to Seize Instagram Accounts

June 1, 2026 0 0
Netherlands Seizes 800 Servers, Arrests 2 for Aiding Cyberattacks Netherlands Seizes 800 Servers, Arrests 2 for Aiding Cyberattacks 4
  • Uncategorized

Netherlands Seizes 800 Servers, Arrests 2 for Aiding Cyberattacks

May 25, 2026 0 0
Lawmakers Demand Answers as CISA Tries to Contain Data Leak Lawmakers Demand Answers as CISA Tries to Contain Data Leak 5
  • Uncategorized

Lawmakers Demand Answers as CISA Tries to Contain Data Leak

May 22, 2026 0 0
Alleged Kimwolf Botmaster ‘Dort’ Arrested, Charged in U.S. and Canada Alleged Kimwolf Botmaster ‘Dort’ Arrested, Charged in U.S. and Canada 6
  • Uncategorized

Alleged Kimwolf Botmaster ‘Dort’ Arrested, Charged in U.S. and Canada

May 21, 2026 0 0
CISA Admin Leaked AWS GovCloud Keys on Github CISA Admin Leaked AWS GovCloud Keys on Github 7
  • Uncategorized

CISA Admin Leaked AWS GovCloud Keys on Github

May 18, 2026 0 0

You may have missed

Who Runs the Ransomware Group ‘The Gentlemen?’
  • Uncategorized

Who Runs the Ransomware Group ‘The Gentlemen?’

Sean June 10, 2026 0 0
  • Uncategorized

A Record-Breaking Patch Tuesday for June 2026

Sean June 9, 2026 0 0
Hackers Used Meta’s AI Support Bot to Seize Instagram Accounts
  • Uncategorized

Hackers Used Meta’s AI Support Bot to Seize Instagram Accounts

Sean June 1, 2026 0 0
Netherlands Seizes 800 Servers, Arrests 2 for Aiding Cyberattacks
  • Uncategorized

Netherlands Seizes 800 Servers, Arrests 2 for Aiding Cyberattacks

Sean May 25, 2026 0 0
Copyright © 2026 All rights reserved. | MoreNews by AF themes.