Full Report
Cybersecurity researchers have exposed a new Mirai-derived botnet that self-identifies as xlabs_v1 and targets internet-exposed devices running Android Debug Bridge (ADB) to enlist them in a network capable of carrying out distributed denial-of-service (DDoS) attacks. Hunt.io, which detailed the malware, said it made the discovery after identifying an exposed directory on a Netherlands-hosted
Analysis Summary
# Tool/Technique: xlabs_v1 Botnet
## Overview
xlabs_v1 is a Mirai-derived DDoS (Distributed Denial-of-Service) botnet that gains its footholds through Android Debug Bridge (ADB) services left exposed to the internet, mainly on Android TV boxes and smart TVs, and is built for Linux-based IoT hardware as well. It is operated as a DDoS-for-hire service, marketed primarily for disrupting gaming servers and Minecraft hosts.
## Technical Details
- **Type:** Malware Family (Mirai variant)
- **Platform:** Android (TV boxes, smart TVs), Linux (IoT devices, residential routers)
- **Capabilities:** DDoS (21 flood variants), Bandwidth profiling, Competitor termination ("Killer" subsystem)
- **First Seen:** Reported May 2026
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
  - [T1190 - Exploit Public-Facing Application] (Exposed, unauthenticated ADB on TCP 5555)
- **[TA0002 - Execution]**
  - [T1059.004 - Command and Scripting Interpreter: Unix Shell] (Commands pasted into the ADB shell)
- **[TA0007 - Discovery]**
  - [T1082 - System Information Discovery] (Bandwidth and geolocation profiling)
- **[TA0040 - Impact]**
  - [T1498.001 - Network Denial of Service: Direct Network Flood]
## Functionality
### Core Capabilities
- **Multi-Architecture Support:** Compiled for ARM, MIPS, x86-64, and ARC to infect a wide range of IoT devices.
- **ADB Exploitation:** Connects to TCP port 5555 on devices whose ADB daemon accepts connections without authentication and delivers its payload through the ADB shell; no exploit of a software flaw is needed, only the exposed service.
- **DDoS Flooding:** Supports 21 different flood variants across TCP, UDP, and raw protocols, including RakNet and OpenVPN-shaped UDP.
- **C2 Communication:** Receives commands from a central operator panel to initiate specific attack vectors.
### Advanced Features
- **Bandwidth Profiling:** Opens up to 8,192 parallel TCP sockets to saturate the device's uplink and measure its throughput; the result is reported to the operator and used to sort bots into pricing tiers.
- **Competitor "Killer":** A subsystem designed to identify and terminate other malware processes on the same device to ensure exclusive use of the victim's bandwidth.
- **ChaCha20 Encryption:** Used to encrypt internal strings, including the operator's moniker.
- **Stateless Operation:** Notably lacks a persistence mechanism; the bot exits after reporting bandwidth data, requiring the operator to re-infect the device for actual attacks.
## Indicators of Compromise
- **File Names:** `boot.apk`, `xlabs_v1`
- **Network Indicators:**
- `176.65.139[.]44` (Exposed delivery directory)
- `xlabslover[.]lol` (C2 Panel)
- `176.65.139[.]42` (Co-located infrastructure)
- **Behavioral Indicators:**
- Large volume of parallel TCP sockets opened to Speedtest servers.
- ADB shell commands targeting `/data/local/tmp`.
- Repeated inbound connections to TCP port 5555 on the same device, consistent with the operator re-infecting over ADB because the bot does not persist.
## Associated Threat Actors
- **Tadashi** (Moniker identified via encrypted strings)
## Detection Methods
- **Signature-based:** Monitoring for Mirai-derived binaries and for Android APKs named `boot.apk`; the file name is trivially changed by the operator, so treat it as a low-confidence indicator and rely on the behavioral signals below.
- **Behavioral:** Identify inbound connections from the internet to TCP port 5555 (ADB) on Android or IoT devices, and sudden saturation of the device's uplink shortly after ADB activity.
- **Protocol Analysis:** Detection of RakNet or OpenVPN-shaped UDP traffic not directed at legitimate VPN/game endpoints.
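The behavioral indicators above translate into two detection rules over connection logs: an internet source reaching TCP 5555 on an internal host, and one internal host opening an unusually large number of parallel TCP connections to a single external endpoint. The Python below is an added example written for this page, not detection content from Hunt.io's report. It runs over a constructed set of flow records (marked as such in the code), treats the RFC 1918 ranges as internal, and uses an assumed burst threshold of 500 connections within 10 seconds, far below the 8,192 sockets the bot opens but well above what an ordinary client does.

```python
import ipaddress
from collections import defaultdict

# Internal address space (assumption: the monitored network uses RFC 1918 ranges)
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def sample_flows():
    """Constructed connection records (Zeek/NetFlow style), not real telemetry."""
    flows = [
        # Internet host reaching the ADB port of a smart TV on the LAN
        {"ts": 100.0, "src": "198.51.100.77", "dst": "10.0.0.23", "dport": 5555, "proto": "tcp"},
    ]
    # Ordinary HTTPS browsing from the same TV: a handful of connections
    for i in range(5):
        flows.append({"ts": 110.0 + i, "src": "10.0.0.23", "dst": "203.0.113.10",
                      "dport": 443, "proto": "tcp"})
    # Bandwidth profiling: 600 sockets to one speed-test host within two seconds
    for i in range(600):
        flows.append({"ts": 120.0 + i * (2.0 / 600), "src": "10.0.0.23",
                      "dst": "203.0.113.5", "dport": 8080, "proto": "tcp"})
    return flows


def detect_external_adb(flows):
    """Rule 1: any TCP connection from outside the LAN to port 5555 on an internal host."""
    return [f for f in flows
            if f["proto"] == "tcp" and f["dport"] == 5555
            and is_internal(f["dst"]) and not is_internal(f["src"])]


def detect_parallel_burst(flows, threshold=500, window=10.0):
    """Rule 2: an internal host opening >= threshold TCP connections to the same
    external host:port within `window` seconds (the bandwidth-profiling pattern)."""
    groups = defaultdict(list)
    for f in flows:
        if f["proto"] == "tcp" and is_internal(f["src"]) and not is_internal(f["dst"]):
            groups[(f["src"], f["dst"], f["dport"])].append(f["ts"])
    alerts = []
    for (src, dst, dport), stamps in groups.items():
        stamps.sort()
        left, peak = 0, 0
        for right, ts in enumerate(stamps):  # sliding window over sorted timestamps
            while ts - stamps[left] > window:
                left += 1
            peak = max(peak, right - left + 1)
        if peak >= threshold:
            alerts.append({"src": src, "dst": dst, "dport": dport,
                           "connections": peak, "window_s": window})
    return alerts


if __name__ == "__main__":
    flows = sample_flows()
    for hit in detect_external_adb(flows):
        print("external ADB access:", hit["src"], "->", hit["dst"])
    for alert in detect_parallel_burst(flows):
        print("parallel-socket burst:", alert)
```

Rule 2 keys on the connection count rather than on byte volume because the profiling routine is recognizable by socket fan-out before much data has moved; tune `threshold` against your own baseline for speed-test and CDN endpoints before alerting on it.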
## Mitigation Strategies
- **Disable ADB:** Ensure Android Debug Bridge is disabled on production devices and consumer electronics (Smart TVs, etc.) unless strictly necessary.
- **Network Hardening:** Block external access to TCP port 5555 at the perimeter firewall.
- **Management Interface Hardening:** xlabs_v1 abuses ADB rather than default passwords, but the broader Mirai family relies on weak credentials, so every IoT management interface (telnet, SSH, web admin) should require a unique password or be disabled.
- **Device Updates:** Keep Android TV and IoT firmware updated to close known vulnerabilities.
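To verify that the ADB mitigation actually holds from the outside, a probe can speak the first message of the ADB wire protocol and see how the daemon answers: a daemon that replies to CNXN with its own CNXN banner is accepting unauthenticated connections (the condition xlabs_v1 needs), one that replies AUTH is demanding an RSA key, and anything else is not ADB. The Python below is an added example written for this page, not tooling from Hunt.io or the botnet; the protocol constants and 24-byte header layout are those of the AOSP adb protocol, and the offline checks use constructed replies rather than a live device. Only point `probe_adb` at devices you own or are authorized to test.

```python
import socket
import struct
from typing import Tuple

# ADB wire-protocol constants (AOSP adb protocol.txt)
A_CNXN = 0x4E584E43        # "CNXN": connect / banner exchange
A_AUTH = 0x48545541        # "AUTH": daemon demands RSA-key authentication
A_VERSION = 0x01000000
MAX_PAYLOAD = 4096
HEADER = struct.Struct("<6I")  # command, arg0, arg1, data_length, data_check, magic


def build_message(command: int, arg0: int, arg1: int, data: bytes = b"") -> bytes:
    """Serialize one ADB message: 24-byte header followed by the payload."""
    header = HEADER.pack(command, arg0, arg1, len(data),
                         sum(data) & 0xFFFFFFFF,   # data_check: byte sum of payload
                         command ^ 0xFFFFFFFF)     # magic: bitwise inverse of command
    return header + data


def parse_message(raw: bytes) -> Tuple[int, int, int, bytes]:
    """Parse header + payload; raise ValueError if it is not a sane ADB message."""
    if len(raw) < HEADER.size:
        raise ValueError("short read")
    command, arg0, arg1, length, check, magic = HEADER.unpack_from(raw)
    if magic != command ^ 0xFFFFFFFF:
        raise ValueError("bad magic")
    data = raw[HEADER.size:HEADER.size + length]
    # Newer daemons may send a zero checksum; accept that or an exact byte sum
    if len(data) != length or check not in (0, sum(data) & 0xFFFFFFFF):
        raise ValueError("bad payload")
    return command, arg0, arg1, data


def classify_response(raw: bytes) -> Tuple[str, str]:
    """Map the daemon's first reply to a verdict: open / auth-required / not-adb."""
    try:
        command, _, _, data = parse_message(raw)
    except ValueError:
        return "not-adb", ""
    if command == A_CNXN:
        # Daemon returned its banner without asking for a key: anyone who can
        # reach the port gets a shell. This is the precondition xlabs_v1 abuses.
        return "open", data.rstrip(b"\x00").decode("utf-8", "replace")
    if command == A_AUTH:
        return "auth-required", ""
    return "not-adb", ""


def recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def probe_adb(host: str, port: int = 5555, timeout: float = 3.0) -> Tuple[str, str]:
    """Send a CNXN to host:port and classify the reply (live network I/O)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        sock.sendall(build_message(A_CNXN, A_VERSION, MAX_PAYLOAD, b"host::\x00"))
        header = recv_exact(sock, HEADER.size)
        if len(header) < HEADER.size:
            return "not-adb", ""
        length = HEADER.unpack(header)[3]
        return classify_response(header + recv_exact(sock, min(length, MAX_PAYLOAD)))


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(target, *probe_adb(target))
```

A result of `open` from an address outside your network means the perimeter block on TCP 5555 is not in effect for that device; `auth-required` still exposes the daemon to the internet and should be closed at the firewall, but it does not hand out a shell to an unauthenticated client.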
## Related Tools/Techniques
- **Mirai:** The original source code family from which xlabs_v1 is derived.
- **Satori/Fbot:** Other Mirai variants known for specifically targeting ADB.
- **VLTRig:** A Monero-mining toolkit found on associated infrastructure.