Mirai-Based xlabs_v1 Botnet Targets Exposed ADB on IoT Devices for DDoS Attacks

Cybersecurity researchers have unveiled a new botnet, identified as xlabs_v1, which is derived from the notorious Mirai malware. This botnet specifically targets internet-exposed devices that run the Android Debug Bridge (ADB), enabling it to enlist these devices in a network capable of executing distributed denial-of-service (DDoS) attacks.

Discovery of xlabs_v1

The malware was detailed by Hunt.io, which discovered it after identifying an unprotected directory on a server located in the Netherlands, specifically at the IP address “176.65.139[.]44.” This exposure did not require any authentication, highlighting a significant vulnerability in the configuration of the server.

Hunt.io reported that xlabs_v1 supports 21 flood variants across various protocols, including TCP, UDP, and raw protocols like RakNet and OpenVPN-shaped UDP. This capability allows it to bypass typical consumer-grade DDoS protections. The botnet is marketed as a DDoS-for-hire service, primarily aimed at game servers and Minecraft hosts.

Targeting Vulnerable Devices

What sets xlabs_v1 apart is its focus on Android devices that have an exposed ADB service running on TCP port 5555. This means that any device with ADB enabled by default—such as Android TV boxes, set-top boxes, and smart TVs—could potentially be compromised.

In addition to an Android APK named “boot.apk,” the malware supports multi-architecture builds, covering ARM, MIPS, x86-64, and ARC. This design indicates that xlabs_v1 is also tailored to target residential routers and various Internet of Things (IoT) devices.

The botnet is engineered to receive attack commands from an operator’s panel, identified as “xlabslover[.]lol.” It can generate a flood of junk traffic on demand, specifically targeting game servers.

Technical Specifications and Functionality

The bot is a statically linked ARMv7 binary and runs on stripped-down Android firmware. Hunt.io explained that the malware is delivered by pasting it through an ADB shell into the /data/local/tmp directory. The operator maintains a nine-variant payload list optimized for devices such as Android TV boxes and IoT-grade ARM hardware that ship with ADB enabled.

Evidence suggests that the DDoS-for-hire service employs a bandwidth-tiered pricing model. This is based on a bandwidth-profiling routine that collects both the victim’s bandwidth and geolocation data. The botnet opens 8,192 parallel TCP sockets to the nearest Speedtest server, saturating them for 10 seconds to measure the data transfer rate. This information is then relayed back to the operator’s panel, allowing for the assignment of each compromised device to a specific pricing tier for customers.

An important aspect of xlabs_v1 is its lack of persistence mechanisms. After the bot reports the device’s bandwidth in megabits per second (Mbps), the operator must re-infect the device through the same exposed ADB channel. The bot does not write itself to disk, modify init scripts, create systemd units, or register cron jobs. This design indicates that the operator treats bandwidth probing as an infrequent operation rather than a routine pre-attack check.
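As a defender-side illustration of the two behaviours described above (ADB reachable from the internet on TCP/5555, and a bandwidth probe that fans out thousands of parallel sockets to one remote within seconds), here is an added example, not code from the article or from Hunt.io: a small Python triage script run over constructed connection-flow records. The LAN range, the flow-record format, the sample flows and the scaled-down burst threshold are assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

# Networks the operator considers their own LAN (assumption for this example).
INTERNAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]

# Constructed flow records, not from the article: "epoch src_ip src_port dst_ip dst_port".
SAMPLE_FLOWS = [
    "1700000000 203.0.113.7 51234 192.168.1.20 5555",   # external host reaching ADB
    "1700000001 192.168.1.30 40000 192.168.1.20 5555",  # internal ADB use, not flagged
    "1700000002 192.168.1.20 40001 198.51.100.9 443",   # ordinary outbound traffic
] + [
    # one device opening 300 sockets to a single remote within 3 seconds (scaled-down probe)
    f"{1700000010 + i // 100} 192.168.1.20 {40100 + i} 198.51.100.50 8080"
    for i in range(300)
]

def parse_flow(line):
    ts, src, sport, dst, dport = line.split()
    return int(ts), src, int(sport), dst, int(dport)

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def exposed_adb(flows, adb_port=5555):
    """Inbound connections to the ADB port from outside the LAN: ADB is internet-reachable."""
    return [(ts, src, dst) for ts, src, _, dst, dport in flows
            if dport == adb_port and is_internal(dst) and not is_internal(src)]

def socket_bursts(flows, threshold=8192, window=10):
    """One source opening >= threshold sockets to a single dst:port inside `window` seconds."""
    buckets = defaultdict(list)
    for ts, src, _, dst, dport in flows:
        buckets[(src, dst, dport)].append(ts)
    alerts = []
    for key, times in buckets.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):
            while times[hi] - times[lo] > window:   # slide the window start forward
                lo += 1
            if hi - lo + 1 >= threshold:
                alerts.append(key)
                break
    return alerts

if __name__ == "__main__":
    flows = [parse_flow(l) for l in SAMPLE_FLOWS]
    print(exposed_adb(flows), socket_bursts(flows, threshold=200))
```

With the default threshold of 8,192 (the figure reported for the real probe) the constructed sample produces no burst alert; lowering it to 200 for the sample flags the 300-socket fan-out.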

Competitive Features and Threat Landscape

xlabs_v1 includes a “killer” subsystem designed to terminate competing malware, thereby allowing it to monopolize the victim device’s upstream bandwidth for its DDoS operations. The identity of the individual or group behind the malware remains unknown, but the threat actor is known by the alias “Tadashi,” as evidenced by a ChaCha20-encrypted string embedded in every build of the bot.

Further analysis of the infrastructure associated with xlabs_v1 has revealed the presence of a VLTRig Monero-mining toolkit on a separate host (176.65.139[.]42). It remains unclear whether these activities are linked to the same threat actor.

In commercial terms, xlabs_v1 is classified as a mid-tier botnet. It exhibits more sophistication than typical script-kiddie Mirai forks but lacks the advanced features found in top-tier commercial DDoS-for-hire operations. This operator competes primarily on price and attack variety, targeting consumer IoT devices, residential routers, and small game-server operators.

Broader Implications for Cybersecurity

The emergence of xlabs_v1 coincides with findings from Darktrace, which reported that an intentionally misconfigured Jenkins instance in its honeypot network was targeted by unknown actors to deploy a DDoS botnet downloaded from a remote server (“103.177.110[.]202”). This incident underscores the ongoing threat posed to the gaming industry, which continues to be a prime target for cyber attackers.

The presence of game-specific DDoS techniques in xlabs_v1 highlights the need for server operators to implement robust mitigations. As the landscape of cyber threats evolves, the gaming sector must remain vigilant against increasingly sophisticated attacks.

For more information on the xlabs_v1 botnet and its implications, refer to the original reporting source: thehackernews.com.
