VYPR
breach · Published May 6, 2026 · Updated May 17, 2026 · 1 source

New xlabs_v1 Botnet Exploits ADB to Hijack IoT Devices for DDoS Attacks

A new Mirai-derived botnet named xlabs_v1 is hijacking internet-exposed Android devices and IoT hardware via the Android Debug Bridge to power a DDoS-for-hire service.

A new Mirai-derived botnet, identified as xlabs_v1, is actively exploiting internet-exposed Android Debug Bridge (ADB) services to hijack IoT devices for use in distributed denial-of-service (DDoS) attacks. Researchers at Hunt.io discovered the botnet after identifying an unsecured directory on a server hosted in the Netherlands (The Hacker News).

The malware specifically targets devices with ADB enabled on TCP port 5555, a common configuration on Android TV boxes, set-top boxes, smart TVs, and assorted IoT hardware. Once the daemon accepts a connection, the bot is delivered through ADB shell commands into the /data/local/tmp directory. The malware ships as multi-architecture builds for ARM, MIPS, x86-64, and ARC, which lets it run on a wide range of residential routers and connected devices (The Hacker News).
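The exposure described above can be checked without an adb binary by speaking the first step of the ADB wire protocol: the client sends a CNXN message, and the daemon answers either with its own CNXN (connection accepted, no authentication, which is what this botnet needs) or with an AUTH challenge (an RSA key is required). The following probe is an added example written for this article, not code from Hunt.io, The Hacker News, or the botnet itself; the two daemon replies at the bottom are constructed so the parser can be exercised offline, and the device banner strings in them are invented.

```python
"""Probe a host for an internet-exposed Android Debug Bridge (ADB) daemon.

Added example (not from the original report). The ADB message format used
here is the documented 24-byte header: command, arg0, arg1, data length,
data checksum (plain byte sum) and magic (command XOR 0xFFFFFFFF).
"""
import socket
import struct

ADB_PORT = 5555
A_CNXN = 0x4E584E43        # "CNXN" as a little-endian uint32
A_AUTH = 0x48545541        # "AUTH"
A_VERSION = 0x01000000
A_MAXDATA = 256 * 1024
HEADER = struct.Struct("<6I")  # command, arg0, arg1, data_length, data_checksum, magic


def adb_checksum(data: bytes) -> int:
    """ADB's data checksum is the byte sum truncated to 32 bits."""
    return sum(data) & 0xFFFFFFFF


def build_message(command: int, arg0: int, arg1: int, data: bytes) -> bytes:
    """Encode a 24-byte ADB header followed by its payload."""
    magic = command ^ 0xFFFFFFFF
    return HEADER.pack(command, arg0, arg1, len(data), adb_checksum(data), magic) + data


def build_cnxn() -> bytes:
    """The CNXN message an ADB client opens with ('host::' is the client identity)."""
    return build_message(A_CNXN, A_VERSION, A_MAXDATA, b"host::\x00")


def parse_message(raw: bytes):
    """Decode one ADB message; returns (command, arg0, arg1, payload) or None if malformed."""
    if len(raw) < HEADER.size:
        return None
    command, arg0, arg1, length, checksum, magic = HEADER.unpack_from(raw)
    if magic != (command ^ 0xFFFFFFFF):
        return None
    payload = raw[HEADER.size:HEADER.size + length]
    if len(payload) != length or adb_checksum(payload) != checksum:
        return None
    return command, arg0, arg1, payload


def classify_reply(raw: bytes) -> str:
    """Map the daemon's first message to an exposure verdict."""
    msg = parse_message(raw)
    if msg is None:
        return "not-adb"
    command, _, _, payload = msg
    if command == A_CNXN:
        # Unauthenticated: anyone reaching this port can run 'adb shell' and
        # push a binary into /data/local/tmp, exactly the path xlabs_v1 uses.
        banner = payload.rstrip(b"\x00").decode("ascii", "replace")
        return "open:" + banner
    if command == A_AUTH:
        return "auth-required"
    return "unknown"


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes (the daemon may split header and payload across segments)."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def probe(host: str, port: int = ADB_PORT, timeout: float = 5.0) -> str:
    """Live check against one host (does network I/O; not exercised offline)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_cnxn())
        header = _recv_exact(sock, HEADER.size)
        length = HEADER.unpack(header)[3] if len(header) == HEADER.size else 0
        reply = header + _recv_exact(sock, min(length, A_MAXDATA))
    return classify_reply(reply)


# Constructed sample replies (not captured traffic) mimicking both daemon behaviours.
SAMPLE_OPEN = build_message(
    A_CNXN, A_VERSION, A_MAXDATA,
    b"device::ro.product.name=example_tvbox;ro.product.model=Example;\x00")
SAMPLE_AUTH = build_message(A_AUTH, 1, 0, b"\x00" * 20)  # AUTH type 1 = TOKEN, 20-byte challenge

if __name__ == "__main__":
    for label, sample in (("open", SAMPLE_OPEN), ("auth", SAMPLE_AUTH), ("garbage", b"HTTP/1.1 400")):
        print(label, "->", classify_reply(sample))
```

A verdict beginning with `open:` means the device is in the state this botnet exploits; `auth-required` means ADB is reachable but key-gated, which is still a management interface that should not face the internet. Run `probe()` only against hosts you are authorized to test.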

Functionally, xlabs_v1 is built as a DDoS-for-hire service, primarily aimed at game servers and Minecraft hosts. It supports 21 flood variants across TCP, UDP, and raw protocols, including traffic shaped to look like RakNet and OpenVPN UDP, which is intended to slip past the consumer-grade DDoS filtering such hosts typically rely on. A "killer" subsystem terminates competing malware on the device so that its full upstream bandwidth is reserved for the botnet's own floods (The Hacker News).

A distinctive feature of xlabs_v1 is its bandwidth-tiered pricing model. On infection the malware runs a profiling routine that opens 8,192 parallel TCP sockets to the nearest Speedtest server and saturates the connection for 10 seconds to measure the device's upload capacity. The result is reported to the command-and-control panel at "xlabslover[.]lol," where the operator sorts bots into bandwidth tiers for paying customers (The Hacker News).

Despite these capabilities, the botnet has no persistence mechanism: it does not modify startup scripts or register cron jobs, so a reboot removes it and the operator must reinfect over the ADB channel to update the bot or regain control. The flip side is that as long as port 5555 stays exposed, a cleaned device can simply be reinfected. Embedded in the binary is a ChaCha20-encrypted string naming the threat actor as "Tadashi." Researchers also noted that infrastructure co-located with the command server hosted a VLTRig Monero-mining toolkit, though it remains unclear whether the two operations are linked (The Hacker News).

The emergence of xlabs_v1 highlights the ongoing risk posed by exposed management interfaces on consumer IoT devices. Researchers classify the botnet as "mid-tier," more capable than basic Mirai forks but well short of top-tier commercial operations, yet it remains a real threat to residential networks and small-scale game server operators (The Hacker News). For device owners the practical mitigation is to disable ADB over TCP, or at minimum ensure port 5555 is not reachable from the internet.

Synthesized by Vypr AI