New xlabs_v1 Botnet Targets IoT Devices via Exposed ADB Services, Offers DDoS-for-Hire Attacks Against Servers

250/69 Friday, May 8, 2026

Cybersecurity researchers from Hunt.io have disclosed the discovery of a new Mirai-based botnet named “xlabs_v1,” which specifically targets devices exposing Android Debug Bridge (ADB) services over TCP port 5555. The botnet primarily focuses on Android TV boxes, smart TVs, set-top boxes, home routers, and various IoT devices supporting ARM, MIPS, and x86-64 architectures. xlabs_v1 is designed as a DDoS-for-hire platform, with gaming servers and Minecraft hosting providers identified as primary targets. The malware reportedly supports 21 different attack methods, including TCP, UDP, and raw protocol floods, as well as traffic spoofing techniques that imitate RakNet and OpenVPN traffic to evade basic DDoS protection systems.

One of the most distinctive features of xlabs_v1 is its built-in bandwidth benchmarking system for compromised devices. The malware opens up to 8,192 parallel TCP socket connections to nearby Speedtest servers, measures network throughput, and sends the results back to its control panel, where infected devices are categorized and priced for customers. Unlike many modern botnets, xlabs_v1 lacks persistence mechanisms, forcing operators to repeatedly reinfect devices through exposed ADB services after bandwidth testing is completed. The malware also includes a “killer subsystem” designed to terminate competing malware infections in order to monopolize the victim’s internet resources for DDoS operations. Researchers also found the alias “Tadashi” embedded in the malware, stored as ChaCha20-encrypted strings across multiple command modules.

Hunt.io assessed xlabs_v1 as moderately sophisticated compared to major commercial DDoS-for-hire operations. While more advanced than traditional Mirai variants, it does not yet demonstrate the operational maturity of high-end cybercriminal groups. The developers appear to compete primarily through pricing strategies and the variety of supported attack methods, focusing on consumer IoT devices, residential routers, and smaller game server providers. Meanwhile, Darktrace also reported observing threat actors abusing misconfigured Jenkins servers to deploy similar botnet malware, highlighting the gaming industry’s continued exposure to cyber threats. Administrators are strongly advised to disable unnecessary ADB services and regularly review the security configurations of IoT devices to reduce the risk of compromise.
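
For defenders, the two network-visible behaviours described above (ADB on TCP 5555 reachable from outside, and the burst of parallel sockets opened for bandwidth benchmarking) can be checked in flow logs. The following is an added example, not code from Hunt.io or the article; the flow-record format, the 5-second window, the 200-connection threshold and every address in the sample are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

ADB_PORT = 5555  # ADB-over-TCP port named in the article
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def internal(ip):
    return any(ip in net for net in RFC1918)

def parse_flows(text):
    """Parse constructed flow lines: '<epoch> <src_ip> <dst_ip> <dst_port>'."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, port = line.split()
        flows.append((float(ts), ipaddress.ip_address(src),
                      ipaddress.ip_address(dst), int(port)))
    return flows

def exposed_adb_devices(flows):
    """Internal hosts that accepted TCP 5555 from a non-internal address."""
    return sorted({str(dst) for _, src, dst, port in flows
                   if port == ADB_PORT and internal(dst) and not internal(src)})

def connection_bursts(flows, window=5.0, threshold=200):
    """Internal hosts opening >= threshold outbound connections in `window` s."""
    starts = defaultdict(list)
    for ts, src, dst, _ in flows:
        if internal(src) and not internal(dst):
            starts[str(src)].append(ts)
    flagged = {}
    for host, times in starts.items():
        times.sort()
        lo = peak = 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:  # slide the window's left edge
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= threshold:
            flagged[host] = peak
    return flagged

def triage(flows):
    """Hosts showing both signals: external ADB access and a socket burst."""
    return sorted(set(exposed_adb_devices(flows)) & set(connection_bursts(flows)))

# Constructed sample: one inbound ADB hit, one unrelated flow, then 300 rapid
# outbound connections. Public addresses are RFC 5737 documentation ranges.
SAMPLE = "\n".join(
    ["100.0 203.0.113.7 192.168.1.50 5555", "101.0 192.168.1.20 198.51.100.9 443"]
    + [f"{110 + i * 0.01:.2f} 192.168.1.50 198.51.100.30 8080" for i in range(300)])
```

Calling `triage(parse_flows(SAMPLE))` returns the one device that shows both signals; tune `window` and `threshold` against the normal connection rates of the devices being monitored.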

Source: https://thehackernews.com/2026/05/mirai-based-xlabsv1-botnet-exploits-adb.html