Mirai-based xlabs_v1 botnet targets Android devices with exposed ADB

A Mirai-derived botnet that identifies itself as xlabs_v1 is targeting Android devices with exposed ADB services and is being used to support distributed denial-of-service attacks, according to a technical analysis from Hunt.io. The malware supports 21 flood variants and appears aimed at game servers and Minecraft hosts.

KEY FACTS

  • Targeting: It looks for Android Debug Bridge on TCP port 5555.
  • Devices at risk: Android TV boxes, set-top boxes, smart TVs and some IoT hardware can be exposed.
  • Payloads: The bot supports ARM, MIPS, x86-64 and ARC builds.
  • Behavior: It includes bandwidth profiling and a competitor-killing function.
  • Operator: The malware points to an operator using the name Tadashi.

The report said the malware was discovered after an exposed directory, accessible without authentication, was found on a Netherlands-hosted server at 176.65.139.44. The botnet is built to take commands from a panel at xlabslover.lol and generate traffic on demand.

Hunt.io said the malware can use ADB shell pastes to place the bot in /data/local/tmp. It also includes a bandwidth-profiling routine that opens 8,192 parallel TCP sockets to a nearby Speedtest server, then reports the measured rate back to the panel.
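For defenders, the two behaviors described above map to two network signals: inbound connections to ADB on TCP port 5555 from outside the local network, and a sudden burst of parallel sockets from one device to a single outside host. The following is an added example, not code from Hunt.io or the report; the LAN range, thresholds, flow-record format and sample addresses are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumption: the monitored network
ADB_PORT = 5555            # ADB-over-TCP port named in the report
FANOUT_THRESHOLD = 1000    # assumption: well under the reported 8,192 sockets
WINDOW_SECONDS = 10        # assumption: "parallel" opens fall inside one window

def is_lan(ip):
    return ipaddress.ip_address(ip) in LAN

def detect(flows):
    """flows: (ts, src, sport, dst, dport) records for new TCP connections."""
    alerts, adb_seen = [], set()
    fanout = defaultdict(set)  # (src, dst, window) -> distinct source ports
    for ts, src, sport, dst, dport in flows:
        # Signal 1: a non-LAN host reaches ADB on a LAN device.
        if dport == ADB_PORT and is_lan(dst) and not is_lan(src):
            if (src, dst) not in adb_seen:
                adb_seen.add((src, dst))
                alerts.append(("adb_exposed", dst, src))
        # Signal 2: a LAN device opens many sockets to one outside host.
        if is_lan(src) and not is_lan(dst):
            ports = fanout[(src, dst, int(ts // WINDOW_SECONDS))]
            before = len(ports)
            ports.add(sport)
            if before < FANOUT_THRESHOLD <= len(ports):  # alert once per window
                alerts.append(("socket_fanout", src, dst))
    return alerts

def likely_compromised(alerts):
    """Devices with both signals: reached over ADB and showing the socket burst."""
    reached = {dev for kind, dev, _ in alerts if kind == "adb_exposed"}
    bursty = {dev for kind, dev, _ in alerts if kind == "socket_fanout"}
    return sorted(reached & bursty)

def sample_flows():
    """Constructed records; all addresses are documentation/private ranges."""
    flows = [(95.0, "203.0.113.7", 40000, "192.168.1.50", 5555)]
    flows += [(100.0 + i / 8192, "192.168.1.50", 20000 + i, "198.51.100.20", 8080)
              for i in range(8192)]
    flows += [(100.0 + i, "192.168.1.20", 50000 + i, "198.51.100.30", 443)
              for i in range(5)]
    return flows

if __name__ == "__main__":
    alerts = detect(sample_flows())
    print(alerts, likely_compromised(alerts))
```
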

That design suggests devices may be assigned to pricing tiers for DDoS-for-hire customers. The bot does not add persistence, so the operator would need to reinfect devices through the same ADB channel to repeat the process.

The disclosure said xlabs_v1 also has a killer subsystem that terminates competing bots to free up upstream bandwidth. Hunt.io described the operation as mid-tier in commercial-criminal terms, noting that it competes on price and attack variety rather than technical sophistication.

WHY IT MATTERS

The campaign shows how exposed ADB services can turn consumer devices into attack infrastructure with little warning. It also highlights continued targeting of game servers and the need for operators to harden internet-facing systems against botnet traffic.