Mirai-Based xlabs_v1 Botnet Exploits ADB to Hijack IoT Devices for DDoS Attacks

Published:

6 May 2026 at 20:21:00

Alert date:

6 May 2026 at 21:05:32

Source:

thehackernews.com

Mobile & IoT, Ransomware & Malware, Network Infrastructure

Cybersecurity researchers have discovered a new Mirai-derived botnet called xlabs_v1 that targets internet-exposed devices running Android Debug Bridge (ADB). The botnet hijacks IoT devices to build a network capable of carrying out distributed denial-of-service (DDoS) attacks. Hunt.io researchers made the discovery after identifying an exposed directory on a Netherlands-hosted server. The campaign is active and enlists vulnerable IoT devices into the botnet through ADB exploitation.

Technical details

xlabs_v1 is a Mirai-derived botnet that targets internet-exposed devices running Android Debug Bridge (ADB) on TCP port 5555. It supports 21 flood variants across TCP, UDP, and raw protocols, including RakNet and OpenVPN-shaped UDP capable of bypassing consumer-grade DDoS protection. The malware supports multi-architecture builds covering ARM, MIPS, x86-64, and ARC. It features a bandwidth-profiling routine that opens 8,192 parallel TCP sockets to the geographically nearest Speedtest servers, saturates them for 10 seconds, and reports the measured data transfer rate back to the control panel. The bot is a statically linked ARMv7 build that runs on stripped Android firmwares and is delivered through ADB shell pastes into /data/local/tmp. It includes a 'killer' subsystem to terminate competitors and lacks persistence mechanisms, requiring re-infection after bandwidth profiling. Every build contains embedded ChaCha20-encrypted strings.

Mitigation steps:

Ensure appropriate mitigations are in place for game servers. Disable or secure Android Debug Bridge (ADB) services on internet-exposed devices. Monitor for connections to suspicious IPs and domains. Implement proper DDoS protection measures beyond consumer-grade solutions.

Affected products:

Android Debug Bridge (ADB)
Android TV boxes
Set-top boxes
Smart TVs
Residential routers
IoT hardware
Jenkins instances
Game servers
Minecraft hosts

IOCs:

176.65.139.44, xlabslover.lol, boot.apk, 176.65.139.42, 103.177.110.202, /data/local/tmp
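
The monitoring advice under "Mitigation steps", applied to the network indicators listed above, could look like the following added example (not code from the original advisory or from the Hunt.io research). The comma-separated record format, the `10.0.0.0/8` internal range, the 1,000-flow burst threshold and every sample record are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Indicators copied from the advisory's IOC list.
IOC_IPS = {"176.65.139.44", "176.65.139.42", "103.177.110.202"}
IOC_DOMAIN = "xlabslover.lol"
ADB_PORT = 5555                                # ADB-over-TCP port named in the advisory
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumption: your device address range
BURST_FLOWS, BURST_WINDOW = 1000, 10           # assumed threshold; 10 s from the advisory

def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL

def analyze(lines):
    """Return sorted (finding, host) pairs for 'ts,src,dst,dport,proto,dns_qname' records."""
    findings, tcp_out = set(), defaultdict(list)
    for line in lines:
        ts, src, dst, dport, proto, qname = line.strip().lower().rstrip(".").split(",")
        if proto == "tcp" and int(dport) == ADB_PORT and is_internal(dst) and not is_internal(src):
            findings.add(("adb_reachable_from_internet", dst))
        if is_internal(src) and dst in IOC_IPS:
            findings.add(("contacted_ioc_ip", src))
        if qname == IOC_DOMAIN or qname.endswith("." + IOC_DOMAIN):
            findings.add(("resolved_ioc_domain", src))
        if proto == "tcp" and is_internal(src) and not is_internal(dst):
            tcp_out[src].append(int(ts))
    # One host opening many outbound TCP flows within 10 s: the profiling burst.
    for host, stamps in tcp_out.items():
        stamps, start = sorted(stamps), 0
        for end, t in enumerate(stamps):
            while t - stamps[start] >= BURST_WINDOW:
                start += 1
            if end - start + 1 >= BURST_FLOWS:
                findings.add(("outbound_socket_burst", host))
                break
    return sorted(findings)

def sample_records():
    """Constructed records (not real telemetry), ending with 1,200 flows inside 5 s."""
    rows = [
        "100,203.0.113.9,10.0.0.23,5555,tcp,",           # external host reaches ADB
        "101,10.0.0.23,176.65.139.44,443,tcp,",          # device contacts a listed IP
        "102,10.0.0.23,10.0.0.1,53,udp,xlabslover.lol",  # device resolves listed domain
        "103,10.0.0.40,10.0.0.23,5555,tcp,",             # internal ADB session: ignored
    ]
    return rows + [f"{200 + i % 5},10.0.0.23,198.51.100.{i % 250 + 1},8080,tcp," for i in range(1200)]

if __name__ == "__main__":
    print(*analyze(sample_records()), sep="\n")
```

Tune `BURST_FLOWS` against normal traffic for the device class; the advisory's figure of 8,192 parallel sockets is well above what a set-top box or TV normally opens.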

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.
