[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fmVGGO85Af8ok5ei0aS_V66koVD6l76WZAEr0IDAu-kk":3},{"article":4,"iocs":45},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":29,"category":30,"article_tags":34},"31f3f0d0-ad74-4ef8-9798-0f19ebd90a84","Mirai-Based xlabs_v1 Botnet Exploits ADB to Hijack IoT Devices for DDoS Attacks","mirai-based-xlabs-v1-botnet-exploits-adb-to-hijack-iot-devices-for-ddos-attacks-3a5aed","Cybersecurity researchers have exposed a new Mirai-derived botnet that self-identifies as xlabs_v1 and targets internet-exposed devices running Android Debug Bridge (ADB) to enlist them in a network capable of carrying out distributed denial-of-service (DDoS) attacks. Hunt.io, which detailed the malware, said it made the discovery after identifying an exposed directory on a Netherlands-hosted","Researchers discovered xlabs_v1, a Mirai-based botnet that targets internet-exposed Android Debug Bridge (ADB) services on IoT devices including Android TV boxes, set-top boxes, and smart TVs to enlist them in a DDoS-for-hire operation. The malware supports 21 flood variants across TCP, UDP, and raw protocols, profiles device bandwidth to assign pricing tiers, and includes a killer subsystem to eliminate competing botnets. 
The operator, identified by the ChaCha20-encrypted moniker \"Tadashi,\" primarily targets game servers and Minecraft hosts.","New Mirai-derived xlabs_v1 botnet exploits exposed ADB to hijack IoT devices for DDoS attacks.","Mirai-Based xlabs_v1 Botnet Exploits ADB to Hijack IoT Devices for DDoS Attacks. Ravie Lakshmanan, May 06, 2026. IoT Security \u002F Malware. Cybersecurity researchers have exposed a new Mirai-derived botnet that self-identifies as xlabs_v1 and targets internet-exposed devices running Android Debug Bridge (ADB) to enlist them in a network capable of carrying out distributed denial-of-service (DDoS) attacks. Hunt.io, which detailed the malware, said it made the discovery after identifying an exposed directory on a Netherlands-hosted server at the IP address \"176.65.139[.]44\" without requiring any authentication. The malware supports \"21 flood variants across TCP, UDP, and raw protocols, including RakNet and OpenVPN-shaped UDP, capable of bypassing consumer-grade DDoS protection,\" Hunt.io said, adding it's offered as a DDoS-for-hire service designed for targeting game servers and Minecraft hosts. What makes xlabs_v1 notable is that it seeks out Android devices running an exposed ADB service on TCP port 5555, meaning any gear that comes with the tool enabled by default, such as Android TV boxes, set-top boxes, and smart TVs, could be a potential target. Besides an Android APK (\"boot.apk\"), the malware supports multi-architecture builds covering ARM, MIPS, x86-64, and ARC, indicating it's also designed to target residential routers and internet-of-things (IoT) hardware. The result is a purpose-built botnet engineered to receive an attack command from the operator's panel (\"xlabslover[.]lol\") and generate a flood of junk traffic on demand, specifically directing the DDoS attack against game servers. 
\"The bot is statically-linked ARMv7, runs on stripped Android firmwares, and is delivered through ADB-shell pastes into \u002Fdata\u002Flocal\u002Ftmp,\" Hunt.io explained. \"The operator's nine-variant payload list is tuned for Android TV boxes, set-top boxes, smart TVs, and IoT-grade ARM hardware that ships with ADB enabled.\" There is evidence indicating that the DDoS-for-hire service features bandwidth-tiered pricing. This assessment is based on the presence of a bandwidth-profiling routine that collects victim bandwidth and geolocation. This component opens 8,192 parallel TCP sockets to the geographically nearest Speedtest server, saturates them for 10 seconds, and reports the measured data transfer rate back to the panel. The goal, Hunt.io noted, is to assign each compromised device to a pricing tier for its paying customers. An important aspect to note here is that the bot exits after sending the bandwidth information in megabits per second (Mbps), meaning the operator must re-infect the device through the same ADB exploitation channel, given the absence of a persistence mechanism. \"The bot does not write itself to disk persistence locations, does not modify init scripts, does not create systemd units, and does not register cron jobs,\" Hunt.io said. \"This design suggests the operator views bandwidth probing as an infrequent fleet-tier-update operation rather than a per-attack pre-flight check, and the resulting exit-and-re-infect cycle is the design intent.\" xlabs_v1 also features a \"killer\" subsystem that terminates competing bots so that it can claim the victim device's full upstream bandwidth for itself and use it to carry out the DDoS attack. It's currently not known who is behind the malware, but the threat actor goes by the moniker \"Tadashi,\" as evidenced by a ChaCha20-encrypted string embedded in every build of the bot. 
Further analysis of the co-located infrastructure has uncovered a VLTRig Monero-mining toolkit on host 176.65.139[.]42, although it's currently not known if the two sets of activities are the work of the same threat actor. \"In commercial-criminal terms, xlabs_v1 is mid-tier. It is more sophisticated than the typical script-kiddie Mirai fork [...], but less sophisticated than the top tier of commercial DDoS-for-hire operations,\" Hunt.io said. \"This operator is competing on price and attack variety, not technical sophistication. Consumer IoT devices, residential routers, and small game-server operators are the target.\" The development comes as Darktrace revealed that an intentionally misconfigured Jenkins instance in its honeypot network was targeted by unknown threat actors to deploy a DDoS botnet downloaded from a remote server (\"103.177.110[.]202\"), while simultaneously taking steps to evade detection. \"The presence of game-specific DoS techniques further highlights that the gaming industry continues to be extensively targeted by cyber attackers,\" the company said. \"This botnet has likely already been used against game servers, serving as a reminder for server operators to ensure appropriate mitigations are in place.\" 
","https:\u002F\u002Fthehackernews.com\u002F2026\u002F05\u002Fmirai-based-xlabsv1-botnet-exploits-adb.html","https:\u002F\u002Fblogger.googleusercontent.com\u002Fimg\u002Fb\u002FR29vZ2xl\u002FAVvXsEhHPb4dDONnDMbu5rdNKex39FCs_4elspTEwE3dJbDsEBn1OdHrNS_0oI2V2mKCG4PjUGsBy5T4ZCec8kSdK2hTXkaq3fIIDX5XLBKfU9X4dNamC0zGfgcZ5dxPy1PNGKtAIye5IpODYmyzgMYBSRfyUcAnLhOBsHSitLujoCQABiz9b2KfYnzUhPN8rqPK\u002Fs1600\u002Fbotnet-malware.jpg","2026-05-06T20:21:00+00:00","2026-05-06T22:00:23.440879+00:00",9,[18,21,24,27],{"name":19,"type":20},"Tadashi","threat_actor",{"name":22,"type":23},"Android Debug Bridge (ADB)","technology",{"name":25,"type":26},"Hunt.io","vendor",{"name":28,"type":26},"Darktrace","89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5",{"id":29,"icon":31,"name":32,"slug":33},null,"Malware","malware",[35,40],{"category":36},{"id":37,"icon":31,"name":38,"slug":39},"d6f63bb8-0801-486a-be7f-171400700454","IoT\u002FOT","iot-ot",{"category":41},{"id":42,"icon":31,"name":43,"slug":44},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[46,50,53,56,60,63,66],{"type":47,"value":48,"context":49},"ip","176.65.139.44","Netherlands-hosted C2 server hosting malware and supporting infrastructure",{"type":47,"value":51,"context":52},"176.65.139.42","Co-located VLTRig Monero-mining toolkit host",{"type":47,"value":54,"context":55},"103.177.110.202","Remote server hosting DDoS botnet payload targeted via misconfigured Jenkins",{"type":57,"value":58,"context":59},"domain","xlabslover.lol","Operator's command and control panel for xlabs_v1 botnet",{"type":33,"value":61,"context":62},"xlabs_v1","Mirai-derived botnet targeting ADB-exposed IoT devices for DDoS attacks",{"type":33,"value":64,"context":65},"boot.apk","Android APK dropper\u002Fpayload for xlabs_v1 botnet",{"type":33,"value":67,"context":68},"VLTRig","Monero-mining toolkit discovered on co-located infrastructure"]