MIRAI-BASED XLABS_V1 BOTNET HIJACKS IOT DEVICES USING ADB TO LAUNCH DDOS ATTACKS

  • 8 May
  • 2 min read

Cybersecurity researchers have discovered a new Mirai-based botnet calling itself xlabs_v1. Detected by Hunt.io on a server hosted in the Netherlands, this malware compromises internet-exposed devices and incorporates them into a DDoS-for-hire network that specifically targets gaming and Minecraft servers. The most notable feature of this botnet is that it searches for devices that expose the Android Debug Bridge (ADB) service on its default TCP port, 5555. Android TV boxes, set-top boxes, and smart TVs are among the potential targets. However, the malware is not limited to Android; it also supports the ARM, MIPS, x86-64, and ARC architectures, allowing it to spread to home routers and IoT hardware.



The payload is written directly into the device's temporary directories via ADB shell commands. In terms of technical capability, xlabs_v1 offers 21 different attack variants over TCP, UDP, and raw protocols. Some of these variants are designed to bypass consumer-grade DDoS protections, and the malware also features a custom "killer" subsystem that wipes out competing malware on the device. Thanks to this subsystem, the device's entire bandwidth can be reserved solely for the attacks of this threat actor, who uses the alias "Tadashi". The threat actor has also established an interesting commercial business model for the rental service. To measure the internet speed of the compromised device, the malware initiates thousands of parallel connections to the nearest Speedtest server to conduct a capacity test.


The resulting data transfer rates are sent to the operator panel, which allows customers to be offered a tiered pricing model based on the victims' bandwidth. Interestingly, the botnet does not write itself to disk or modify startup settings to achieve persistence on the device. According to the researchers, this is a deliberate design choice by the operator, who prefers to keep the network fresh by continuously re-infecting vulnerable devices through the same exposed ADB service rather than establishing persistence. Ultimately, xlabs_v1 stands out as a mid-level yet dangerous botnet operation that is more advanced than standard Mirai variants, attempting to gain market share through affordable pricing and attack diversity rather than technical complexity.


Some of the measures that should be taken to protect against this type of IoT and botnet attack include:


  • Closing Unnecessary Services and Ports

  • Network Segmentation (Isolation)

  • Hardware and Software Updates

  • Traffic and Bandwidth Monitoring

  • Changing Default Configurations
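The "Traffic and Bandwidth Monitoring" item above can be made concrete with the two network behaviours described in the article: an inbound connection to an internal device on TCP/5555 (ADB left exposed), followed by a burst of parallel outbound connections from that same device to one external host (the bandwidth test). The following Python script is an added example written for this page; it is not code from Hunt.io's report or from the article's author. The flow-log format it parses, the IP addresses, and the alert threshold are all constructed assumptions; adapt the regular expression to whatever your firewall or flow collector actually emits.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

ADB_PORT = 5555          # default ADB-over-TCP port mentioned in the article
FANOUT_THRESHOLD = 20    # assumed: distinct parallel connections to one dst:port that we treat as suspicious

# Constructed, simplified flow-log format (not any real product's format):
#   <epoch_seconds> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <tcp|udp> <in|out>
FLOW_RE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>tcp|udp)\s+(?P<dir>in|out)$"
)


@dataclass(frozen=True)
class Flow:
    ts: int
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    direction: str


def parse_flows(lines: Iterable[str]) -> List[Flow]:
    """Parse flow-log lines; blank, comment and malformed lines are skipped, not fatal."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = FLOW_RE.match(line)
        if not m:
            continue
        flows.append(Flow(int(m["ts"]), m["src"], int(m["sport"]),
                          m["dst"], int(m["dport"]), m["proto"], m["dir"]))
    return flows


def inbound_adb_targets(flows: Iterable[Flow]) -> Dict[str, List[str]]:
    """Internal hosts that accepted an inbound TCP/5555 connection, mapped to the sources that reached them."""
    hits = defaultdict(set)
    for f in flows:
        if f.direction == "in" and f.proto == "tcp" and f.dport == ADB_PORT:
            hits[f.dst].add(f.src)
    return {dst: sorted(srcs) for dst, srcs in hits.items()}


def outbound_fanout(flows: Iterable[Flow], threshold: int = FANOUT_THRESHOLD,
                    window_s: int = 5) -> List[Tuple[str, str, int, int]]:
    """(src, dst, dport, count) for every host that opened >= threshold distinct outbound TCP
    connections to the same dst:port within window_s seconds, i.e. the speed-test style burst."""
    by_key = defaultdict(list)
    for f in flows:
        if f.direction == "out" and f.proto == "tcp":
            by_key[(f.src, f.dst, f.dport)].append(f)
    alerts = []
    for (src, dst, dport), fs in by_key.items():
        fs.sort(key=lambda f: f.ts)
        best = 0
        for i in range(len(fs)):           # sliding window over time, counting distinct source ports
            sports = set()
            for f in fs[i:]:
                if f.ts - fs[i].ts > window_s:
                    break
                sports.add(f.sport)
            best = max(best, len(sports))
        if best >= threshold:
            alerts.append((src, dst, dport, best))
    return sorted(alerts)


# Constructed sample: 192.168.1.20 stands in for an Android TV box with ADB exposed.
# 203.0.113.x and 198.51.100.x are documentation (TEST-NET) ranges, not real hosts.
SAMPLE_LOG = [
    "# constructed sample flow log",
    "1700000000 192.168.1.10:51000 -> 198.51.100.7:443 tcp out",   # ordinary HTTPS from a laptop
    "1700000001 203.0.113.5:40211 -> 192.168.1.20:5555 tcp in",    # inbound ADB connection
    "1700000002 192.168.1.20:45001 -> 203.0.113.9:443 tcp out",    # ordinary traffic from the box
] + [
    # 25 parallel connections from the box to one external host within three seconds
    f"{1700000010 + i // 10} 192.168.1.20:{40000 + i} -> 203.0.113.10:8080 tcp out"
    for i in range(25)
]

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_LOG)
    print("inbound ADB:", inbound_adb_targets(flows))
    print("fan-out bursts:", outbound_fanout(flows))
```

Both findings on the same internal host within a short interval are a stronger signal than either alone; a device that legitimately runs a speed test will not also have just accepted an inbound connection on 5555 from the internet. Because the article notes that xlabs_v1 does not persist, the practical response is to close or firewall the ADB port first and only then reboot or power-cycle the device, otherwise it is simply re-infected.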


For detailed information, you can contact our experts at info@zerosecond.ae.