Mirai-Based xlabs_v1 Botnet Exploits ADB to Hijack IoT Devices for DDoS Attacks
Mirai-Derived xlabs_v1 Botnet Weaponizes Exposed Android Debug Bridge for DDoS-for-Hire
TL;DR Hunt.io has documented xlabs_v1, a Mirai-derived botnet that abuses internet-exposed Android Debug Bridge (ADB) services to compromise Android TV boxes, set-top boxes and residential routers and turn them into DDoS nodes. The bot supports 21 attack variants and is sold as a bandwidth-tiered DDoS-for-hire service aimed at game servers and Minecraft infrastructure. The operator, known only by the moniker "Tadashi," built no persistence into the bot and has to re-infect devices between operations.
What happened
Researchers at Hunt.io identified xlabs_v1 after finding an open, unauthenticated directory listing on a Netherlands-hosted server at 176.65.139[.]44. The botnet targets Android devices whose ADB service is reachable from the internet on TCP port 5555, a default on many consumer devices that ship with developer tooling switched on.
The malware is delivered as a file named boot.apk, built for ARM, MIPS, x86-64 and ARC. It is pushed to /data/local/tmp and launched through ADB shell commands; the sample analysed runs as statically linked ARMv7 code with debug symbols stripped. The bot talks to a command-and-control panel at xlabslover[.]lol to fetch attack directives and report telemetry.
A notable operational characteristic is the complete absence of persistence. Beyond the dropped binary the bot leaves nothing behind: it does not modify init scripts, create systemd units or register cron jobs, so it does not survive a reboot. The operator therefore has to re-infect each device over ADB after the bandwidth-profiling step, which suggests device tiering is treated as an occasional fleet-wide operation rather than a check run before every attack.
The bandwidth-profiling routine opens 8,192 parallel TCP sockets to the geographically nearest Speedtest servers, saturates them for 10 seconds and reports the measured throughput in megabits per second back to the panel. The operator uses that figure to place each victim in a pricing tier, so DDoS-for-hire customers pay according to the upstream capacity of the devices they rent.
Hunt.io rated the threat as mid-tier: more capable than the typical script-kiddie Mirai fork, but well short of the top commercial DDoS-for-hire operations. The actor competes on price and attack variety rather than technical sophistication.
Separately, Darktrace reported that an intentionally misconfigured Jenkins instance in its honeypot infrastructure was targeted to deploy a different DDoS botnet downloaded from 103.177.110[.]202. The connection between the two incidents remains unclear.
Additional infrastructure analysis uncovered a VLTRig Monero-mining toolkit on co-located host 176.65.139[.]42, though attribution to the same threat actor is unconfirmed.
Why it matters
This botnet affects several constituencies, in the MENA region and globally:
For IoT device manufacturers and integrators: consumer devices shipped with ADB enabled by default become attack infrastructure without the owner's knowledge. Android TV boxes, set-top boxes and smart TVs are deployed in large numbers on residential networks with little security oversight.
For network defenders: the 21 attack variants span TCP, UDP and raw-socket floods, and several shape their traffic to look like legitimate protocols (RakNet and OpenVPN-style UDP among them) so that consumer-grade DDoS filtering at the target lets it through. The same mimicry means outbound floods from a compromised device may not look anomalous to a signature-based perimeter filter on the source network either; connection volume and destination patterns are the more reliable tell.
For game server operators: xlabs_v1 is purpose-built for game servers and Minecraft infrastructure, with attack techniques tuned to gaming workloads, so operators need to budget for stronger mitigation.
For SOC teams: because the bot has no persistence, the operator must re-infect devices over ADB, so detection should focus on repeated inbound ADB sessions rather than on the behaviour of a long-lived agent. That is a different monitoring baseline from traditional botnet campaigns.
For system administrators: widespread ADB exposure on internet-facing devices is a large and cheaply exploited attack surface, and many administrators do not know that developer tooling is enabled on production devices.
Affected systems and CVEs
- Android Debug Bridge (ADB) services on internet-exposed devices
- Android TV boxes with ADB enabled
- Set-top boxes with ADB enabled
- Smart TVs with ADB enabled
- Residential routers (the bot ships builds for ARM, MIPS, x86-64 and ARC)
- Other IoT hardware with ADB enabled
- Game servers and Minecraft hosts (as attack targets)
- Jenkins instances (the separate Darktrace honeypot case, not an xlabs_v1 infection vector)
No CVE had been assigned at the time of publication. An internet-reachable ADB service that accepts shell commands without authentication is a configuration weakness rather than a software flaw, so none is expected.
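To turn the list above into an actual inventory, the following added example (written for this page, not Hunt.io's tooling or the botnet's code) speaks the first exchange of the ADB wire protocol: it sends a CNXN frame to TCP/5555 and reports whether the daemon answers with CNXN, meaning anyone who can reach the port gets a shell, or with AUTH, meaning a paired RSA key is demanded first. The 24-byte little-endian header, the CNXN/AUTH command words, protocol version 0x01000000 and the rule that magic equals the command XOR 0xFFFFFFFF are the public protocol; the function names, the payload size cap and the sample banner used for offline checking are assumptions. Only probe devices you are authorised to test.

```python
"""Inventory probe for ADB exposed over TCP (added example, not Hunt.io's code).

Sends one CNXN frame and classifies the daemon's first reply:
CNXN  -> unauthenticated shell available to anyone who can reach the port
AUTH  -> the daemon wants a paired RSA key before it will talk
"""
import socket
import struct

# 24-byte ADB message header, little-endian:
# command, arg0, arg1, data_length, data_check, magic
HEADER = struct.Struct("<6I")
A_CNXN = 0x4E584E43          # b"CNXN" read as a little-endian uint32
A_AUTH = 0x48545541          # b"AUTH"
A_VERSION = 0x01000000       # protocol version announced by the host side
MAX_PAYLOAD = 4096           # conservative legacy maximum payload
PAYLOAD_CAP = 1024 * 1024    # assumption: refuse anything larger than this


def build_message(command: int, arg0: int, arg1: int, payload: bytes = b"") -> bytes:
    """Frame one ADB message; magic is the bitwise complement of the command."""
    data_check = sum(payload) & 0xFFFFFFFF
    return HEADER.pack(command, arg0, arg1, len(payload), data_check,
                       command ^ 0xFFFFFFFF) + payload


def parse_message(buf: bytes):
    """Return (command, arg0, arg1, payload), rejecting malformed frames."""
    if len(buf) < HEADER.size:
        raise ValueError("short ADB header")
    command, arg0, arg1, length, data_check, magic = HEADER.unpack_from(buf)
    if magic != command ^ 0xFFFFFFFF:
        raise ValueError("bad ADB magic")
    payload = buf[HEADER.size:HEADER.size + length]
    if len(payload) != length:
        raise ValueError("truncated ADB payload")
    # Newer daemons send data_check == 0 and skip checksums; verify when present.
    if data_check and (sum(payload) & 0xFFFFFFFF) != data_check:
        raise ValueError("bad ADB checksum")
    return command, arg0, arg1, payload


def classify_reply(buf: bytes) -> dict:
    """Turn the daemon's first message into an inventory verdict."""
    command, _arg0, _arg1, payload = parse_message(buf)
    if command == A_CNXN:
        # Banner form: "<systemtype>:<serial>:<k=v;k=v;...>", e.g.
        # "device::ro.product.name=..;ro.product.model=..;features=.."
        banner = payload.rstrip(b"\x00").decode("utf-8", "replace")
        parts = banner.split(":", 2)
        props = {}
        if len(parts) == 3:
            props = dict(kv.split("=", 1) for kv in parts[2].split(";") if "=" in kv)
        return {"state": "unauthenticated", "system": parts[0], "props": props}
    if command == A_AUTH:
        return {"state": "auth-required", "system": "", "props": {}}
    return {"state": "unexpected", "system": "", "props": {}}


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("ADB peer closed connection")
        data += chunk
    return data


def probe(host: str, port: int = 5555, timeout: float = 3.0) -> dict:
    """Connect, send CNXN, read exactly one reply frame and classify it."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_message(A_CNXN, A_VERSION, MAX_PAYLOAD, b"host::\x00"))
        header = _recv_exact(sock, HEADER.size)
        length = HEADER.unpack(header)[3]
        if length > PAYLOAD_CAP:
            raise ValueError("implausible ADB payload length")
        return classify_reply(header + _recv_exact(sock, length))


if __name__ == "__main__":
    import sys
    for target in sys.argv[1:]:
        try:
            print(target, probe(target))
        except (OSError, ValueError) as exc:
            print(target, "error:", exc)
```

A result with state unauthenticated and ro.product.* properties is exactly the condition xlabs_v1 exploits; auth-required means the daemon at least insists on key pairing, although a key an attacker has already pushed into the device's authorized list would still pass that check, so treat the verdict as a starting point, not a clean bill of health.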
What to do
- Disable ADB on Android devices that do not need it; in particular turn off network (TCP) debugging so the daemon listens on USB only
- Where ADB over the network is genuinely required, restrict it to trusted networks: block inbound TCP port 5555 at the internet edge and on the device's own firewall
- Implement network segmentation to isolate IoT and consumer devices from critical infrastructure
- Monitor for suspicious bandwidth profiling activity, including repeated connections to speed-test services from unexpected sources
- Monitor for malicious DDoS traffic originating from residential networks
- Apply security hardening to Jenkins instances and other internet-exposed services; restrict shell access and enforce authentication
- Game server operators should deploy DDoS mitigation services and implement rate-limiting appropriate to their traffic profiles
- Conduct inventory of deployed Android devices with ADB enabled and remediate exposure
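The two monitoring items above, and the SOC point earlier that detection has to key on the re-infection cycle rather than on a resident agent, come down to two queries over flow or firewall logs. The following added example (constructed for this page, not Hunt.io's detection content) runs both over a synthetic flow log: it groups inbound TCP/5555 connections into sessions and flags source/destination pairs that come back for a second session, and it flags any LAN host that opens a burst of outbound TCP connections to speed-test addresses inside a 10-second window. The log format, the speed-test address set, the thresholds and the sample lines are all assumptions.

```python
"""Detections for the two behaviours the advisory singles out (added example,
not Hunt.io's tooling): repeated inbound ADB sessions on TCP/5555 (the
re-infection cycle) and the 10-second speed-test socket storm the bot uses
to grade a victim's uplink."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

ADB_PORT = 5555
# Assumption: the SOC resolves speed-test hostnames seen in DNS logs into an
# address set; 198.51.100.10 is documentation space, used here as a stand-in.
SPEEDTEST_HOSTS = {"198.51.100.10"}


@dataclass(frozen=True)
class Flow:
    ts: datetime
    direction: str   # "in": internet -> LAN, "out": LAN -> internet
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    nbytes: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow-log line:
    '<ISO8601>Z <in|out> <src> <sport> <dst> <dport> <proto> <bytes>'."""
    ts, direction, src, sport, dst, dport, proto, nbytes = line.split()
    return Flow(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), direction,
                src, int(sport), dst, int(dport), proto, int(nbytes))


def adb_sessions(flows, gap=timedelta(minutes=5)):
    """Group inbound TCP/5555 connections by (external src, LAN dst) into
    sessions; a new session starts when the quiet gap exceeds `gap`.
    Returns {(src, dst): [session start times]}."""
    sessions = defaultdict(list)
    last_seen = {}
    for f in sorted(flows, key=lambda f: f.ts):
        if f.direction != "in" or f.proto != "tcp" or f.dport != ADB_PORT:
            continue
        key = (f.src, f.dst)
        if key not in last_seen or f.ts - last_seen[key] > gap:
            sessions[key].append(f.ts)
        last_seen[key] = f.ts
    return dict(sessions)


def reinfection_pairs(flows, gap=timedelta(minutes=5)):
    """Pairs with two or more distinct ADB sessions: with no persistence the
    operator has to come back through ADB, so the repeat is the signal."""
    return {k: v for k, v in adb_sessions(flows, gap).items() if len(v) >= 2}


def profiling_bursts(flows, min_sockets=256, window=timedelta(seconds=10)):
    """LAN hosts opening >= min_sockets outbound TCP connections to speed-test
    servers inside `window`. xlabs_v1 opens 8,192 for about 10 s; the threshold
    is deliberately far lower so a partially captured burst still trips it."""
    per_host = defaultdict(list)
    for f in flows:
        if f.direction == "out" and f.proto == "tcp" and f.dst in SPEEDTEST_HOSTS:
            per_host[f.src].append(f.ts)
    hits = {}
    for host, times in per_host.items():
        times.sort()
        lo, best = 0, 0
        for hi, t in enumerate(times):      # sliding window over sorted times
            while t - times[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= min_sockets:
            hits[host] = best
    return hits


def constructed_sample():
    """Synthetic flow log: one ADB session, a profiling burst, benign noise,
    then the operator returning an hour later. Constructed, not captured."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    lines = []
    for i in range(3):    # initial push of the bot over ADB: a few connections
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()}Z in 203.0.113.7 "
                     f"{51122 + i} 192.168.1.50 5555 tcp 4096")
    for i in range(300):  # 300 sockets to the speed-test address within 10 s
        t = base + timedelta(seconds=30 + i // 30)
        lines.append(f"{t.isoformat()}Z out 192.168.1.50 {40000 + i} "
                     f"198.51.100.10 8080 tcp 65536")
    lines.append(f"{(base + timedelta(minutes=2)).isoformat()}Z out 192.168.1.20 "
                 f"44000 198.51.100.77 443 tcp 5120")           # benign browsing
    lines.append(f"{(base + timedelta(hours=1)).isoformat()}Z in 203.0.113.7 "
                 f"51300 192.168.1.50 5555 tcp 4096")           # re-infection
    return lines


def analyse(lines):
    flows = [parse_flow(line) for line in lines]
    return {"reinfection": reinfection_pairs(flows), "profiling": profiling_bursts(flows)}


if __name__ == "__main__":
    print(analyse(constructed_sample()))
```

In production the session gap and socket threshold should be tuned against a baseline: ordinary speed-test apps open a handful of connections, not hundreds, and a legitimate administrator reconnecting over ADB from a fixed management host can be allow-listed by source address.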
Open questions
- The identity of the person operating xlabs_v1 is unknown; the moniker "Tadashi" comes from ChaCha20-encrypted strings recovered from the bot
- Whether the VLTRig Monero-mining toolkit and xlabs_v1 botnet are operated by the same threat actor is unconfirmed
- The current scale of compromise—total number of infected devices or geographic distribution—is not disclosed
- Specific pricing structure for the DDoS-for-hire service tiers is not documented
- Timeline of xlabs_v1 development and initial deployment date is not specified
- The extent to which Darktrace's Jenkins-targeted botnet overlaps with xlabs_v1 operations is unclear
Source
Mirai-Based xlabs_v1 Botnet Exploits ADB to Hijack IoT Devices for DDoS Attacks