- A new Mirai-derived botnet called xlabs_v1 is targeting internet-exposed Android devices to build a DDoS-for-hire service.
- The malware specifically hunts for Android Debug Bridge (ADB) enabled devices like smart TVs and Android TV boxes to conscript them into its attack network.
- The operation features bandwidth-tiered pricing for its customers and actively kills competing malware on infected devices.
Cybersecurity researchers at Hunt.io have exposed a new Mirai-derived botnet, named xlabs_v1, that is actively compromising internet-exposed Android devices. According to their detailed report, the malware enlists these devices into a network capable of launching distributed denial-of-service attacks. The botnet is offered as a DDoS-for-hire service designed primarily for targeting game servers and Minecraft hosts.
What makes this threat notable is its focus on Android devices running an exposed ADB service on port 5555. As a result, many consumer IoT devices such as Android TV boxes, set-top boxes, and smart TVs are potential targets if ADB is enabled by default. The malware supports 21 flood variants across TCP, UDP, and raw protocols, including RakNet and OpenVPN-shaped UDP, which are “capable of bypassing consumer-grade DDoS protection”.
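A defender's check for the exposure described above, as an added example that is not from the Hunt.io report: it parses the first bytes a device on TCP 5555 sends in reply to an ADB connect, as seen in a capture of your own network, and separates devices that accept the session without authentication from those that demand key authentication. The sample messages, addresses and function names are constructed for illustration.

```python
import struct

# ADB wire header: six little-endian uint32 fields (command, arg0, arg1,
# data_length, data_check, magic), where magic == command ^ 0xFFFFFFFF.
HEADER = struct.Struct("<6I")
A_CNXN = 0x4E584E43  # b"CNXN": session accepted
A_AUTH = 0x48545541  # b"AUTH": device demands key authentication

def parse_adb_message(buf):
    """Return (command, arg0, arg1, payload), or None if buf is not ADB."""
    if len(buf) < HEADER.size:
        return None
    cmd, arg0, arg1, length, _check, magic = HEADER.unpack_from(buf)
    if magic != cmd ^ 0xFFFFFFFF:
        return None
    payload = buf[HEADER.size:HEADER.size + length]
    if len(payload) != length:
        return None  # truncated capture
    return cmd, arg0, arg1, payload

def classify_device_reply(buf):
    """Classify the first bytes a device sent after the host's CNXN."""
    msg = parse_adb_message(buf)
    if msg is None:
        return "not-adb"
    if msg[0] == A_CNXN:
        return "adb-open"  # no authentication step: exposed
    if msg[0] == A_AUTH:
        return "adb-auth-required"
    return "adb-other"

def exposed_hosts(replies):
    """Given {host: first reply bytes}, list hosts with unauthenticated ADB."""
    return sorted(h for h, b in replies.items() if classify_device_reply(b) == "adb-open")

def build(cmd, arg0, arg1, payload):
    """Construct a sample ADB message (data_check is the payload byte sum)."""
    return HEADER.pack(cmd, arg0, arg1, len(payload),
                       sum(payload) & 0xFFFFFFFF, cmd ^ 0xFFFFFFFF) + payload

# Constructed sample replies, keyed by constructed inventory addresses.
SAMPLE_REPLIES = {
    "10.0.0.21": build(A_CNXN, 0x01000000, 4096, b"device::ro.product.name=sample_tv_box;"),
    "10.0.0.22": build(A_AUTH, 1, 0, bytes(20)),  # AUTH TOKEN with 20-byte token
    "10.0.0.23": b"HTTP/1.1 400 Bad Request\r\n\r\n",
}

if __name__ == "__main__":
    print(exposed_hosts(SAMPLE_REPLIES))
```

Any host reported as `adb-open` should have ADB over the network disabled or be firewalled from the internet.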
The service also features bandwidth-tiered pricing based on a profiling routine that tests each victim’s connection speed. In addition, xlabs_v1 includes a “killer” subsystem to terminate competing malware on infected devices. This ensures the botnet can usurp the victim’s full upstream bandwidth for its own DDoS attacks.
The operator, who goes by the moniker “Tadashi,” does not implement persistence mechanisms on the infected devices. As a result, the malware disappears from a device after sending bandwidth data, and the operator must re-infect the device through the same ADB channel. Separately, a VLTRig Monero-mining toolkit was discovered on co-located infrastructure, though its connection to the botnet operation is unclear.
This development coincides with a report from Darktrace, which revealed its honeypot network was targeted to deploy a similar DDoS botnet. The company said the presence of game-specific techniques highlights that the gaming industry continues to be extensively targeted.
