New Mirai-Derived Botnet Targets Android Devices for DDoS Attacks
Cybersecurity researchers have identified a new botnet derived from the notorious Mirai malware. This emerging threat, self-identifying as “xlabs_v1,” specifically targets internet-exposed devices running Android Debug Bridge (ADB) to enlist them into a network capable of launching significant distributed denial-of-service (DDoS) attacks. The discovery highlights a persistent and evolving threat landscape for connected devices, particularly those commonly found in smart homes and entertainment systems.
Hunt.io, a cybersecurity research firm, detailed the malware’s operation after discovering an unsecured directory on a Netherlands-hosted server. This exposed server, located at IP address 176.65.139[.]44, allowed access to the malware’s components without any form of authentication. That the operator’s own staging server was left open in this way is itself a configuration failure, and one that gave researchers direct access to the malware’s components.
Capabilities and Targeting of xlabs_v1
The xlabs_v1 botnet is engineered for a variety of attack vectors, boasting support for 21 different flood variants across TCP, UDP, and raw protocols. Notably, it includes sophisticated UDP floods that mimic RakNet and OpenVPN traffic, designed to bypass standard consumer-grade DDoS protection mechanisms. This makes it a potent tool for adversaries seeking to disrupt online services.
The malware’s primary targeting strategy is its exploitation of Android devices with an exposed ADB service, typically running on TCP port 5555. This opens up a wide range of potential targets, including Android TV boxes, set-top boxes, and smart TVs, many of which come with ADB enabled by default. Hunt.io indicated that the malware is offered as a DDoS-for-hire service, with a particular focus on disrupting game servers and Minecraft hosts.
Beyond its Android APK component, dubbed “boot.apk,” xlabs_v1 demonstrates multi-architecture support, covering ARM, MIPS, x86-64, and ARC. This suggests that the botnet is also designed to compromise residential routers and other Internet of Things (IoT) hardware, expanding its potential attack surface considerably. The ultimate goal is to create a botnet that can execute large-scale DDoS attacks on demand through a centralized operator panel found at “xlabslover[.]lol.”
As explained by Hunt.io, the bot component is a statically-linked ARMv7 executable that runs on stripped-down Android firmware. It is delivered via ADB-shell commands, specifically piped into the /data/local/tmp directory. The nine-variant payload list employed by the operator is specifically tuned to exploit vulnerabilities in Android TV boxes, set-top boxes, smart TVs, and other ARM-based IoT hardware that often ships with ADB enabled.
Bandwidth-Tiered Pricing and Persistence Challenges
Evidence suggests that the xlabs_v1 DDoS-for-hire service utilizes a bandwidth-tiered pricing model. This is inferred from a bandwidth-profiling routine that collects data on the victim device’s bandwidth capacity and geographical location. The bot opens as many as 8,192 parallel TCP sockets to nearby Speedtest servers, saturating them for a short period to measure the achievable data transfer rate.
This measured bandwidth data is then reported back to the operator’s control panel. The objective is to categorize each compromised device into a specific pricing tier for paying customers. A crucial point regarding the botnet’s operation is that it lacks a robust persistence mechanism. After sending its bandwidth information, which is reported in megabits per second (Mbps), the bot exits, and the operator must re-infect the device over the same ADB channel if they wish to command it for an attack.
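Both network-visible behaviours described above (inbound connections to an ADB daemon on TCP/5555, and the burst of thousands of parallel outbound TCP sockets during bandwidth profiling) can be triaged from ordinary flow logs. The script below is an added example for defenders, not Hunt.io’s or the botnet’s code; the flow-record format, the RFC 5737 sample addresses, and the 1000-socket burst threshold are constructed assumptions.

```python
from collections import defaultdict

ADB_PORT = 5555          # TCP port an internet-exposed ADB daemon listens on
BURST_SOCKETS = 1000     # parallel outbound TCP connections treated as a probe (assumed)
BURST_WINDOW = 5         # seconds over which the parallel count is measured (assumed)

def build_sample_log():
    """Constructed flow records: '<epoch> <src> <sport> <dst> <dport> <proto>'."""
    lines = []
    # Benign browsing from a laptop on the LAN.
    lines += [f"{1700000000 + i} 10.0.0.5 {40000 + i} 192.0.2.10 443 tcp" for i in range(5)]
    # Three inbound connections from an outside host to a TV box's ADB port.
    lines += [f"{1700000010 + i} 203.0.113.9 {51000 + i} 10.0.0.20 5555 tcp" for i in range(3)]
    # The box then opens 8192 sockets to a speed-test host within two seconds.
    lines += [f"{1700000020 + i // 4096} 10.0.0.20 {1024 + i} 198.51.100.7 8080 tcp" for i in range(8192)]
    return "\n".join(lines)

def parse_flows(text):
    flows = []
    for line in text.splitlines():
        ts, src, sport, dst, dport, proto = line.split()
        flows.append((int(ts), src, int(sport), dst, int(dport), proto))
    return flows

def find_adb_exposure(flows, internal_prefix="10."):
    """Internal hosts that accepted a TCP/5555 connection from a non-internal source."""
    return sorted({dst for _, src, _, dst, dport, proto in flows
                   if proto == "tcp" and dport == ADB_PORT
                   and dst.startswith(internal_prefix)
                   and not src.startswith(internal_prefix)})

def find_socket_bursts(flows, threshold=BURST_SOCKETS, window=BURST_WINDOW):
    """Hosts whose outbound TCP connection count within any `window` seconds reaches threshold."""
    starts = defaultdict(list)
    for ts, src, _, _, _, proto in flows:
        if proto == "tcp":
            starts[src].append(ts)
    bursts = {}
    for host, times in starts.items():
        times.sort()
        lo, peak = 0, 0
        for hi, t in enumerate(times):          # sliding window over sorted start times
            while t - times[lo] > window:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= threshold:
            bursts[host] = peak
    return bursts
```

On the constructed log, `find_adb_exposure` flags 10.0.0.20 as an ADB-exposed host and `find_socket_bursts` reports its 8192-socket burst, while the laptop’s five connections fall below the threshold.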
“The bot does not write itself to disk persistence locations, does not modify init scripts, does not create systemd units, and does not register cron jobs,” Hunt.io stated. This design suggests the operator views bandwidth probing as an infrequent fleet-tier update operation rather than a critical pre-attack check. The resulting exit-and-re-infect cycle appears to be an intentional design choice.
Competition and Evolving Threats
Adding to its capabilities, xlabs_v1 includes a “killer” subsystem. This component is designed to terminate processes belonging to rival botnets, thereby freeing up the victim device’s upstream bandwidth for xlabs_v1’s exclusive use in DDoS attacks. While the identity of the main threat actor remains unknown, a ChaCha20-encrypted string embedded in every bot build indicates the operator uses the moniker “Tadashi.”
Further investigation into the infrastructure hosting xlabs_v1 uncovered a VLTRig Monero-mining toolkit on an adjacent host, 176.65.139[.]42. It is currently unclear whether these two distinct malicious activities are orchestrated by the same threat actor or represent separate operations sharing infrastructure.
Hunt.io categorizes xlabs_v1 as a “mid-tier” threat, indicating it is more sophisticated than typical Mirai forks made for casual exploitation but falls short of the most advanced commercial DDoS-for-hire operations. The operator appears to be competing primarily on price and attack variety rather than sheer technical sophistication. The typical targets are consumer IoT devices, residential routers, and operators of small game servers.
This development occurs as Darktrace reported a separate incident where an intentionally misconfigured Jenkins instance in their honeypot network was targeted by unknown actors. These attackers deployed a DDoS botnet, downloaded from a remote server (103.177.110[.]202), while simultaneously employing evasion techniques. The presence of game-specific DoS methods underscores the continued targeting of the gaming industry by cyber attackers. Server operators are strongly advised to ensure appropriate security mitigations are in place to defend against such ongoing threats.