Emerging xlabs_v1 Botnet Exploits ADB to Hijack IoT Devices for DDoS Attacks
Cybersecurity researchers have recently uncovered a new botnet, dubbed xlabs_v1, which is derived from the notorious Mirai malware. This botnet specifically targets internet-exposed devices running the Android Debug Bridge (ADB) service, enlisting them into a network capable of executing large-scale distributed denial-of-service (DDoS) attacks.
The discovery was made by Hunt.io, a cybersecurity firm, after it identified an open directory on a server in the Netherlands with the IP address 176.65.139[.]44. The directory required no authentication, so the staged files were readable by anyone who found it, which is how the researchers obtained the samples.
The xlabs_v1 malware is equipped with 21 different flood attack variants across TCP, UDP, and raw protocols. Notably, it includes RakNet and OpenVPN-shaped UDP floods, which are capable of bypassing standard consumer-grade DDoS protection measures. This versatility suggests that xlabs_v1 is offered as a DDoS-for-hire service, primarily targeting game servers and Minecraft hosts.
A distinguishing feature of xlabs_v1 is its focus on Android devices with an exposed ADB service on TCP port 5555. Unless the device enforces ADB key authorization, a network ADB listener accepts shell commands without any credentials, so exposing it to the internet hands over a root-level or shell-level foothold. Devices such as Android TV boxes, set-top boxes, and smart TVs, which often ship with ADB enabled by default, are particularly susceptible to this malware.
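One way to check your own address space for the exposure described above is to speak the first step of the ADB wire protocol: send the same CNXN message that `adb connect` sends and look at what adbd returns. An unauthenticated device answers with its own CNXN identity banner (the condition the botnet needs); a device with ADB key authorization enabled answers with an AUTH challenge instead. The following is an added example, not code from the original article or from Hunt.io; the probe host, port default, and sample replies are constructed for illustration.

```python
import socket
import struct

# ADB wire-protocol constants (as documented in AOSP's adb protocol.txt)
A_CNXN = 0x4E584E43       # "CNXN": connect / identity exchange
A_AUTH = 0x48545541       # "AUTH": device demands RSA-key authentication
ADB_AUTH_TOKEN = 1        # AUTH arg0 when the device sends a challenge token
A_VERSION = 0x01000000
MAX_PAYLOAD = 4096        # classic maxdata value that every adbd accepts
HEADER = struct.Struct("<6I")  # command, arg0, arg1, data_length, data_check, magic


def adb_checksum(data: bytes) -> int:
    """Legacy ADB payload checksum: byte sum modulo 2^32."""
    return sum(data) & 0xFFFFFFFF


def build_message(command: int, arg0: int, arg1: int, data: bytes = b"") -> bytes:
    """Serialise one ADB message: 24-byte header followed by the payload."""
    return HEADER.pack(command, arg0, arg1, len(data), adb_checksum(data),
                       command ^ 0xFFFFFFFF) + data


def build_connect() -> bytes:
    """The opening message a client sends: version, max payload, 'host::' identity."""
    return build_message(A_CNXN, A_VERSION, MAX_PAYLOAD, b"host::\x00")


def parse_message(buf: bytes):
    """Validate header magic and payload length, return (command, arg0, arg1, data)."""
    if len(buf) < HEADER.size:
        raise ValueError("short header")
    command, arg0, arg1, length, check, magic = HEADER.unpack_from(buf)
    if magic != command ^ 0xFFFFFFFF:
        raise ValueError("bad magic: not an ADB message")
    data = buf[HEADER.size:HEADER.size + length]
    if len(data) != length:
        raise ValueError("truncated payload")
    if check not in (0, adb_checksum(data)):   # newer adbd may send 0 here
        raise ValueError("payload checksum mismatch")
    return command, arg0, arg1, data


def classify_reply(buf: bytes):
    """Map the first message adbd sends back to an exposure verdict."""
    command, arg0, _arg1, data = parse_message(buf)
    if command == A_CNXN:
        banner = data.rstrip(b"\x00").decode("ascii", "replace")
        return "unauthenticated", banner      # shell without a key: what the botnet needs
    if command == A_AUTH and arg0 == ADB_AUTH_TOKEN:
        return "auth-required", ""            # key authorization enforced on the device
    return "unexpected", f"command=0x{command:08x}"


def recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return buf


def probe(host: str, port: int = 5555, timeout: float = 5.0):
    """Live check against a host you are authorised to test (not run offline)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_connect())
        header = recv_exact(s, HEADER.size)
        length = HEADER.unpack_from(header)[3]
        return classify_reply(header + recv_exact(s, length))


# Constructed replies (not captured traffic) for the two outcomes.
SAMPLE_OPEN_REPLY = build_message(
    A_CNXN, A_VERSION, MAX_PAYLOAD,
    b"device::ro.product.name=tvbox;ro.product.model=Example;\x00")
SAMPLE_AUTH_REPLY = build_message(A_AUTH, ADB_AUTH_TOKEN, 0, bytes(20))  # 20-byte token

if __name__ == "__main__":
    for name, reply in (("open device", SAMPLE_OPEN_REPLY),
                        ("locked device", SAMPLE_AUTH_REPLY)):
        print(name, "->", classify_reply(reply))
```

A CNXN reply means the listener will accept `adb shell` and `adb push` from anyone who can reach port 5555, so the remediation is to disable network ADB (`adb tcpip` is not meant to be left on) or at least keep it off the internet; an AUTH reply means the device will still show an authorization prompt, which blocks the unattended push into /data/local/tmp that this campaign relies on.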
Besides an Android application package (APK) named boot.apk for Android targets, the malware ships builds for several architectures, including ARM, MIPS, x86-64, and ARC. This breadth indicates that xlabs_v1 is also meant to compromise residential routers and other Internet of Things (IoT) hardware.
Once a device is infected, the bot takes attack commands from the operator's control panel at xlabslover[.]lol and generates flood traffic on demand, chiefly against game servers.
Hunt.io elaborated on the malware's deployment, stating, "The bot is statically-linked ARMv7, runs on stripped Android firmwares, and is delivered through ADB-shell pastes into /data/local/tmp. The operator's nine-variant payload list is tailored for devices like Android TV boxes, set-top boxes, smart TVs, and IoT-grade ARM hardware that come with ADB enabled."
Evidence suggests that the DDoS-for-hire service operates on a bandwidth-tiered pricing model. This is inferred from a bandwidth-profiling routine within the malware that collects data on the victim’s bandwidth and geolocation.
This routine opens 8,192 parallel TCP sockets to the nearest Speedtest server, saturates them for 10 seconds, and reports the measured data transfer rate back to the control panel. The purpose is to assign each compromised device to a specific pricing tier for paying customers.
Notably, the bot process exits once it has reported the measured rate in megabits per second (Mbps). Because the malware installs no persistence mechanism, the operator has to re-infect the device through the same exposed ADB channel to use it again.
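The profiling routine leaves a distinctive network footprint: thousands of new TCP connections from one device to a single destination inside a ten-second window, all carrying upload rather than download. That shape can be caught in flow telemetry without any knowledge of the binary. The following detection is an added example written for this article, not Hunt.io's or the operator's code; the flow-record layout is a constructed subset of Zeek conn.log fields, the 1,000-connection threshold is an assumed conservative cut-off, and the sample records are synthetic.

```python
from collections import defaultdict
from dataclasses import dataclass

# Thresholds modelled on the behaviour described above (8,192 parallel TCP
# sockets to one Speedtest server for 10 seconds). MIN_CONNECTIONS is an
# assumed cut-off chosen to sit far above normal client behaviour.
WINDOW_SECONDS = 10.0
MIN_CONNECTIONS = 1000


@dataclass
class Flow:
    ts: float
    src: str
    dst: str
    dport: int
    orig_bytes: int   # bytes sent by the originator (the suspected bot)


def parse_conn_line(line: str):
    """Parse one tab-separated record with the constructed field order:
    ts, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, orig_bytes, resp_bytes.
    Returns None for non-TCP flows (the profiler only opens TCP sockets)."""
    ts, src, _sport, dst, dport, proto, orig_bytes, _resp_bytes = line.rstrip("\n").split("\t")
    if proto != "tcp":
        return None
    return Flow(float(ts), src, dst, int(dport), int(orig_bytes))


def detect_upload_bursts(flows):
    """Flag every (src, dst) pair with >= MIN_CONNECTIONS new TCP connections
    inside any WINDOW_SECONDS sliding window, reporting the densest window
    and the upload rate the bot would have measured over it."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f.src, f.dst)].append(f)

    alerts = []
    for (src, dst), group in by_pair.items():
        group.sort(key=lambda f: f.ts)
        start, best = 0, None
        for end in range(len(group)):
            while group[end].ts - group[start].ts > WINDOW_SECONDS:
                start += 1            # slide the window forward
            count = end - start + 1
            if count >= MIN_CONNECTIONS and (best is None or count > best[0]):
                best = (count, start, end)
        if best is None:
            continue
        count, s, e = best
        window = group[s:e + 1]
        span = max(window[-1].ts - window[0].ts, 1.0)   # avoid dividing by a sub-second span
        total_bits = sum(f.orig_bytes for f in window) * 8
        alerts.append({
            "src": src,
            "dst": dst,
            "dport": window[0].dport,
            "connections": count,
            "upload_mbps": total_bits / (span * 1e6),
        })
    return alerts


def run_detection(lines):
    flows = [f for f in map(parse_conn_line, lines) if f is not None]
    return detect_upload_bursts(flows)


def constructed_sample_log():
    """Synthetic flow records, not real telemetry: one TV box (192.0.2.10)
    opening 8,192 TCP connections to 198.51.100.5:8080 spread over 10 s,
    plus a laptop with ordinary HTTPS and mDNS traffic."""
    lines = []
    for i in range(8192):
        ts = 1700000000 + (i % 11)                       # timestamps 0..10 s apart
        lines.append(f"{ts}\t192.0.2.10\t{40000 + i % 20000}\t198.51.100.5\t8080\ttcp\t12800\t512")
    for i in range(50):
        ts = 1700000000 + i * 0.5
        lines.append(f"{ts}\t192.0.2.20\t{50000 + i}\t203.0.113.9\t443\ttcp\t2048\t65536")
    lines.append("1700000003\t192.0.2.20\t5353\t224.0.0.251\t5353\tudp\t120\t0")
    return lines


if __name__ == "__main__":
    for alert in run_detection(constructed_sample_log()):
        print(alert)
```

The upload figure is worth keeping in the alert: it is roughly the number the bot phoned home, so it tells you which pricing tier the operator would have assigned the device to and how much flood traffic to expect from it. Because the bot exits after this report and has to be re-infected, the same source reappearing with a fresh burst is itself a sign the ADB exposure has not been closed.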
Hunt.io noted, "The bot does not write itself to disk persistence locations, does not modify init scripts, does not create systemd units, and does not register cron jobs. This design suggests that the operator views bandwidth probing as an infrequent fleet-tier-update operation rather than a per-attack pre-flight check, leading to an exit-and-re-infect cycle as the intended design."
Additionally, xlabs_v1 includes a killer subsystem that terminates competing malware so that the victim device's full upstream bandwidth is available for its own DDoS attacks. The identity of the individual or group behind the malware remains unknown, but a ChaCha20-encrypted string embedded in every build of the bot carries the operator alias Tadashi.
Further investigation into the associated infrastructure revealed a VLTRig Monero-mining toolkit on a host with the IP address 176.65.139[.]42. However, it is currently unclear whether these activities are linked to the same threat actor.
Hunt.io assessed, "In commercial-criminal terms, xlabs_v1 is mid-tier. It is more sophisticated than the typical script-kiddie Mirai fork but less sophisticated than the top tier of commercial DDoS-for-hire operations. This operator is competing on price and attack variety, not technical sophistication. Consumer IoT devices, residential routers, and small game-server operators are the target."
This development coincides with Darktrace’s revelation that an intentionally misconfigured Jenkins instance in its honeypot network was targeted by unknown threat actors to deploy a DDoS botnet. The botnet was downloaded from a remote server (103.177.110[.]202), with attackers taking steps to evade detection.
Darktrace commented, "The presence of game-specific DoS techniques further highlights that the gaming industry continues to be extensively targeted by cyber attackers. This botnet has likely already been used against game servers, serving as a reminder for server operators to ensure appropriate mitigations are in place."