xlabs_v1 botnet hijacks ADB-exposed Android devices

xlabs_v1 exploits open Android Debug Bridge on TCP 5555 to recruit Android TVs, set-top boxes and routers into a DDoS-for-hire network targeting game servers.

Researchers uncovered xlabs_v1, a Mirai-derived botnet that exploits exposed Android Debug Bridge (ADB) on TCP port 5555 to recruit Android TVs, set-top boxes, smart TVs, residential routers and other IoT devices into a DDoS-for-hire network aimed at game servers.

The campaign was identified after Hunt.io found an unauthenticated directory on a Netherlands-hosted server at 176.65.139[.]44 that contained malware and control infrastructure. The operator’s control panel is hosted at xlabslover[.]lol.

The botnet supports 21 flood variants across TCP, UDP and raw protocols, including RakNet and an OpenVPN-shaped UDP flood designed to bypass consumer-grade DDoS protections. The malware is offered as a service for disrupting game hosts, including Minecraft servers.

xlabs_v1 actively scans the internet for devices running an exposed ADB service on the default TCP 5555 port. Many Android TV boxes, set-top boxes and some consumer devices ship with ADB enabled or allow users to enable it, creating an exposure point.

The operator maintains multi-architecture payloads for ARM, MIPS, x86-64 and ARC hardware. Hunt.io noted an Android APK named boot.apk and described the ARM build as a statically linked ARMv7 binary that runs on stripped-down Android firmware and is delivered by pasting it through an ADB shell into /data/local/tmp. The operator offers nine payload variants tuned for ARM-based consumer devices.

Once a device is compromised, the control panel can issue commands that generate large application-level traffic floods on demand.

The malware includes a bandwidth-profiling routine that opens 8,192 parallel TCP sockets to the geographically nearest Speedtest server, saturates them for 10 seconds, and reports the measured rate in megabits per second back to the panel. Hunt.io wrote that the bot does not establish persistence and is removed after profiling, which requires the operator to re-infect devices.

xlabs_v1 also contains a ‘killer’ subsystem that terminates rival malware processes to free upstream capacity for attacks. Each build contains a ChaCha20-encrypted string that points to an operator using the alias Tadashi; the owner’s real identity is unknown.

Hunt.io found related infrastructure activity on a nearby host, 176.65.139[.]42, where a VLTRig Monero-mining toolkit was present. It is not clear whether the mining and DDoS activity are managed by the same actor. Hunt.io assessed the service as mid-tier commercial criminal activity that competes on price and attack variety.

Darktrace observed that a deliberately misconfigured Jenkins instance in a honeypot was targeted to download a DDoS botnet from 103.177.110[.]202 and that the malware included game-specific denial-of-service techniques.

Researchers continue to track xlabs_v1 infrastructure and related hosts as they assess the scope of infections and any commercial offerings tied to the control panel.
