xlabs_v1 botnet hijacks ADB-exposed Android TVs and IoT for DDoS-for-hire
Original source: "Mirai-Based xlabs_v1 Botnet Exploits ADB to Hijack IoT Devices for DDoS Attacks" (The Hacker News)

A new Mirai variant calling itself xlabs_v1 is enlisting Android-based devices into a DDoS-for-hire network by exploiting Android Debug Bridge services left exposed on TCP port 5555. Hunt.io discovered the operation through an unauthenticated open directory on a Dutch-hosted server, and identified multi-architecture builds (ARM, MIPS, x86-64, ARC) plus an Android APK that drop into /data/local/tmp via ADB-shell pastes. The bot ships 21 flood variants spanning TCP, UDP, and protocol-shaped traffic like RakNet and OpenVPN, tuned to bypass consumer DDoS protection and aimed primarily at game servers and Minecraft hosts.
The operator, going by the handle Tadashi (embedded in a ChaCha20-encrypted string), runs a commercial panel at xlabslover[.]lol with bandwidth-tiered pricing. Each infected device runs a profiling routine that opens 8,192 parallel sockets against the nearest Speedtest server for ten seconds, then reports throughput and geolocation back to the panel for tier assignment. Notably, the malware writes nothing to disk — no init scripts, systemd units, or cron jobs — so operators must re-infect through ADB after each measurement, treating bandwidth probing as a periodic fleet-update step rather than per-attack reconnaissance. A killer subsystem terminates rival malware to monopolize upstream bandwidth.
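The two behaviours above, an ADB listener exposed on TCP 5555 and a burst of thousands of parallel connections to one Speedtest peer, are both visible in a device's socket table. This added Python example (not from the article or from Hunt.io) parses `ss -tan` output and flags both; the burst threshold, the sample output and the peer address 203.0.113.10 are constructed assumptions.

```python
"""Flag two xlabs_v1-style indicators in `ss -tan` output: an ADB listener (TCP 5555)
bound to a non-loopback address, and a burst of parallel connections to one peer,
which is how the 8,192-socket Speedtest profiling routine looks on the wire."""
from collections import Counter

ADB_PORT = 5555
BURST_THRESHOLD = 1000  # assumed cut-off: far above normal for a TV box or set-top box

def parse_ss(text):
    """Return (state, local, peer) tuples from `ss -tan` text, skipping the header row."""
    rows = []
    for line in text.strip().splitlines()[1:]:
        parts = line.split()
        if len(parts) >= 5:  # State Recv-Q Send-Q Local Peer
            rows.append((parts[0], parts[3], parts[4]))
    return rows

def split_addr(addr):
    """'203.0.113.10:8080' -> ('203.0.113.10', '8080'); also handles '[::]:5555'."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), port

def find_exposed_adb(rows):
    """Local sockets listening on the ADB port on anything other than loopback."""
    hits = []
    for state, local, _ in rows:
        host, port = split_addr(local)
        if state == "LISTEN" and port == str(ADB_PORT) and host not in ("127.0.0.1", "::1"):
            hits.append(local)
    return hits

def find_connection_bursts(rows, threshold=BURST_THRESHOLD):
    """Peers with an abnormal number of simultaneous connections from this device."""
    counts = Counter()
    for state, _, peer in rows:
        if state in ("ESTAB", "SYN-SENT"):
            counts[split_addr(peer)[0]] += 1
    return {peer: n for peer, n in counts.items() if n >= threshold}

# Constructed sample: an ADB listener on all interfaces plus the profiling burst
# to a made-up peer (203.0.113.10 is a documentation address, not a real host).
SAMPLE_SS = "\n".join(
    ["State  Recv-Q Send-Q Local Address:Port  Peer Address:Port",
     "LISTEN 0      128    0.0.0.0:5555       0.0.0.0:*",
     "LISTEN 0      128    127.0.0.1:5037     0.0.0.0:*",
     "ESTAB  0      0      192.168.1.20:40001 192.168.1.1:53"]
    + [f"ESTAB  0      0      192.168.1.20:{40002 + i} 203.0.113.10:8080" for i in range(8192)]
)
```

Running `find_exposed_adb(parse_ss(SAMPLE_SS))` and `find_connection_bursts(parse_ss(SAMPLE_SS))` on the sample reports the open ADB listener and the 8,192-connection burst; on a real device, feed in the output of `ss -tan` instead.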
Targets skew toward Android TV boxes, set-top boxes, smart TVs, and residential routers that ship with ADB enabled by default. Hunt.io characterizes the operation as mid-tier: more capable than script-kiddie Mirai forks but competing on price and attack variety rather than sophistication. Co-located infrastructure also hosts a VLTRig Monero miner, though attribution between the two is unconfirmed. The disclosure lands alongside Darktrace findings of Jenkins honeypots being conscripted into similar gaming-focused DDoS operations.
This is an AI-generated summary. Read the original article at The Hacker News for the full story.