8,192 parallel TCP sockets: that is how the newly disclosed Mirai-derived botnet xlabs_v1 measures a device's bandwidth to slot it into a commercial pricing tier, according to Hunt.io's technical analysis.
How xlabs_v1 finds and infects devices via exposed ADB (port 5555)
Hunt.io says xlabs_v1 explicitly seeks internet-exposed Android Debug Bridge (ADB) services on TCP port 5555. Devices that ship with ADB enabled by default, with Android TV boxes, set-top boxes, and smart TVs the examples Hunt.io cites, are at risk. Hunt.io describes delivery as commands pasted into an ADB shell that write the payload into /data/local/tmp; the package includes an Android APK named "boot.apk."
Builds are multi-architecture, covering ARM, MIPS, x86-64, and ARC, indicating the operator intends to target not only Android devices but also residential routers and other IoT-grade hardware. Hunt.io adds that the bot is "statically-linked ARMv7" and "runs on stripped Android firmwares," underscoring the focus on embedded and appliance-style platforms.
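The exposure Hunt.io describes is easy to verify from the outside, because adbd answers its first packet before any authentication happens. The block below is an added example, not Hunt.io's tooling or anything from the xlabs_v1 sample: it builds the ADB CNXN handshake message, parses the daemon's first reply, and classifies a host as "open" (adbd completed the handshake with no key check, so anyone can run `adb shell`), "auth-required" (adbd is listening but demands an approved RSA key), or "not-adb". The constant values follow the public ADB wire protocol; the sample replies at the bottom are constructed for offline use, not captured from a real device, and the `probe()` helper name is the example's own.

```python
"""Probe a host for an internet-exposed ADB daemon (TCP 5555) with the ADB wire protocol.

Added example, not Hunt.io's code. Sample replies below are constructed, not captured.
"""
import socket
import struct
from dataclasses import dataclass
from typing import Optional

# ADB message header: six little-endian uint32s
# (command, arg0, arg1, data_length, data_check, magic); magic is command XOR 0xFFFFFFFF.
ADB_HEADER = struct.Struct("<IIIIII")
A_CNXN = 0x4E584E43      # b"CNXN" read as little-endian uint32
A_AUTH = 0x48545541      # b"AUTH"
A_VERSION = 0x01000000   # old protocol version, so adbd still validates data_check
MAX_PAYLOAD = 4096       # payload size we advertise in CNXN
MAX_REPLY = 256 * 1024   # upper bound we accept when parsing a reply


@dataclass
class AdbMessage:
    command: int
    arg0: int
    arg1: int
    data: bytes


def build_message(command: int, arg0: int, arg1: int, data: bytes = b"") -> bytes:
    """Serialise one ADB message; data_check is the byte sum mod 2**32."""
    data_check = sum(data) & 0xFFFFFFFF
    magic = command ^ 0xFFFFFFFF
    return ADB_HEADER.pack(command, arg0, arg1, len(data), data_check, magic) + data


def build_cnxn() -> bytes:
    """The opening CNXN a client sends; banner 'host::' with a NUL terminator."""
    return build_message(A_CNXN, A_VERSION, MAX_PAYLOAD, b"host::\x00")


def parse_message(buf: bytes) -> Optional[AdbMessage]:
    """Parse a reply buffer; None if it is not a well-formed ADB message (e.g. an HTTP banner)."""
    if len(buf) < ADB_HEADER.size:
        return None
    command, arg0, arg1, length, _check, magic = ADB_HEADER.unpack_from(buf)
    if magic != command ^ 0xFFFFFFFF or length > MAX_REPLY:
        return None
    data = buf[ADB_HEADER.size:ADB_HEADER.size + length]
    if len(data) != length:
        return None
    return AdbMessage(command, arg0, arg1, data)


def classify(reply: Optional[AdbMessage]) -> str:
    """Map the daemon's first reply to an exposure verdict."""
    if reply is None:
        return "not-adb"
    if reply.command == A_CNXN:
        return "open"           # handshake done with no auth: `adb shell` works for anyone
    if reply.command == A_AUTH:
        return "auth-required"  # adbd listening, wants an RSA key the device has approved
    return "unknown"


def device_banner(reply: AdbMessage) -> dict:
    """Split a CNXN banner 'device::k=v;k=v;' into a dict of the advertised properties."""
    text = reply.data.rstrip(b"\x00").decode("ascii", "replace")
    _, _, props = text.partition("::")
    return dict(p.split("=", 1) for p in props.split(";") if "=" in p)


def probe(host: str, port: int = 5555, timeout: float = 3.0) -> str:
    """Live check: connect, send CNXN, read exactly one reply (header, then its payload)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_cnxn())
        buf = b""
        while len(buf) < ADB_HEADER.size:
            chunk = s.recv(ADB_HEADER.size - len(buf))
            if not chunk:
                return "not-adb"
            buf += chunk
        length = ADB_HEADER.unpack_from(buf)[3]
        while length <= MAX_REPLY and len(buf) < ADB_HEADER.size + length:
            chunk = s.recv(ADB_HEADER.size + length - len(buf))
            if not chunk:
                break
            buf += chunk
    return classify(parse_message(buf))


# Constructed replies for offline use (not captured from a real device).
SAMPLE_AUTH_REPLY = build_message(A_AUTH, 1, 0, bytes(20))  # arg0=1 is ADB_AUTH_TOKEN, 20-byte token
SAMPLE_OPEN_REPLY = build_message(
    A_CNXN, A_VERSION, MAX_PAYLOAD,
    b"device::ro.product.name=sample_tvbox;ro.product.model=sample_model;\x00",
)
SAMPLE_HTTP_REPLY = b"HTTP/1.1 400 Bad Request\r\n\r\n"

if __name__ == "__main__":
    for name, raw in [("auth", SAMPLE_AUTH_REPLY), ("open", SAMPLE_OPEN_REPLY), ("http", SAMPLE_HTTP_REPLY)]:
        print(name, classify(parse_message(raw)))
```

An "open" verdict is the condition the article describes: the daemon will accept a shell and a push into /data/local/tmp from any address that can reach port 5555. "auth-required" is still worth fixing, since the daemon is reachable at all. On a device you control, `adb usb` switches adbd back to USB-only mode; on appliances that ship with ADB over TCP enabled by default, as the page says these TV boxes do, expect the setting to return after a reboot and filter port 5555 at the router as well.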
Attack capabilities: 21 flood variants, killer subsystem, and DDoS-for-hire intent
The malware supports "21 flood variants across TCP, UDP, and raw protocols, including RakNet and OpenVPN-shaped UDP, capable of bypassing consumer-grade DDoS protection," Hunt.io reports. The botnet is offered as a DDoS-for-hire service that specifically targets game servers and Minecraft hosts, with an operator control panel reachable at "xlabslover[.]lol" used to trigger attacks.
xlabs_v1 contains a "killer" subsystem designed to terminate competing malware on a victim device so the botnet can monopolize upstream bandwidth. Every build embeds a ChaCha20-encrypted string that references the moniker "Tadashi," though "it is currently not known who is behind the malware," Hunt.io states.
Bandwidth-profiling, pricing tiers, and the re-infect design
Hunt.io reports that xlabs_v1 includes a bandwidth-profiling routine that attempts to place compromised devices into pricing tiers. The routine opens 8,192 parallel TCP sockets to the geographically nearest Speedtest server, saturates them for 10 seconds, and reports the measured data transfer rate back to the operator panel in Megabits per second (Mbps). That measurement is used to assign each device to a billing tier for paying customers.
Crucially, Hunt.io notes the bot does not establish persistence: "The bot does not write itself to disk persistence locations, does not modify init scripts, does not create systemd units, and does not register cron jobs." Because the bot exits after reporting its bandwidth measurement, the operator must re-infect a device through the same exposed ADB channel before it can be used in an attack, a deliberate exit-and-re-infect cycle according to Hunt.io.
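Because the bot leaves nothing on disk, the profiling burst itself is the most practical signal a defender has: one internal host opening thousands of distinct TCP connections to a single destination inside a ten-second window is unlike anything a TV box does on its own. The block below is an added example and not Hunt.io's code; it runs a sliding-window detector over a constructed per-connection log (the line format, the addresses, and the 1,000-socket threshold are all assumptions for the example, not a vendor's format or a figure from the report) and reports, per source, destination and port, the peak number of distinct source ports seen inside any ten-second window. The sample log contains one host browsing normally and one host reproducing the 8,192-socket, 10-second pattern the page describes.

```python
"""Flag an 8,192-socket bandwidth-profiling burst in per-connection logs.

Added example, not Hunt.io's code. The log format, addresses and threshold are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed format: one line per new TCP connection, as a router's conntrack or
# flow export might emit. Not any real vendor's format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) spt=(?P<spt>\d+) dst=(?P<dst>\S+) dpt=(?P<dpt>\d+) proto=tcp$"
)

Key = Tuple[str, str, int]  # (src, dst, dpt)


def parse_line(line: str) -> Optional[Tuple[float, str, int, str, int]]:
    """Return (epoch seconds, src, spt, dst, dpt), or None for a line that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00")).timestamp()
    return ts, m["src"], int(m["spt"]), m["dst"], int(m["dpt"])


def find_fanout_bursts(lines: Iterable[str], window_s: float = 10.0,
                       min_sockets: int = 1000) -> Dict[Key, int]:
    """For each (src, dst, dpt), the peak number of distinct source ports opened inside any
    window_s-second window; only keys whose peak reaches min_sockets are returned."""
    events: Dict[Key, List[Tuple[float, int]]] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable or non-TCP line
        ts, src, spt, dst, dpt = rec
        events[(src, dst, dpt)].append((ts, spt))

    hits: Dict[Key, int] = {}
    for key, evs in events.items():
        evs.sort()
        in_window: Dict[int, int] = {}  # source port -> connections still inside the window
        left, peak = 0, 0
        for ts, spt in evs:
            in_window[spt] = in_window.get(spt, 0) + 1
            while evs[left][0] < ts - window_s:  # evict connections older than the window
                old = evs[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= min_sockets:
            hits[key] = peak
    return hits


def _fmt(ts: float, src: str, spt: int, dst: str, dpt: int) -> str:
    stamp = datetime.fromtimestamp(ts, tz=timezone.utc).isoformat().replace("+00:00", "Z")
    return f"{stamp} src={src} spt={spt} dst={dst} dpt={dpt} proto=tcp"


def make_sample_log() -> List[str]:
    """Constructed log: one host browsing at one connection per second for a minute, and one
    TV box opening 8,192 sockets to a single host spread evenly over 10 seconds."""
    base = datetime(2026, 5, 1, 12, 0, 0, tzinfo=timezone.utc).timestamp()
    lines = [_fmt(base + i, "192.168.1.20", 50000 + i, "203.0.113.5", 443) for i in range(60)]
    burst_start = base + 30
    lines += [
        _fmt(burst_start + i * (10.0 / 8192), "192.168.1.77", 1024 + i, "198.51.100.10", 8080)
        for i in range(8192)
    ]
    return lines


if __name__ == "__main__":
    for (src, dst, dpt), peak in find_fanout_bursts(make_sample_log()).items():
        print(f"{src} -> {dst}:{dpt}: {peak} distinct sockets inside 10 s")
```

The detector keys on distinct source ports rather than raw line counts so that retries over the same ephemeral port do not inflate the score, and it only ever reports the peak, so a burst is visible even when the log also holds hours of ordinary traffic. A legitimate speed-test client uses a handful of parallel streams, so the threshold can sit far below 8,192 and still separate this routine from normal use; where the threshold belongs on a given network is a tuning decision, not a figure from the report.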
Co-located infrastructure and actor assessment
Hunt.io found the malware in an open directory listing, reachable without authentication, on a Netherlands-hosted server at 176.65.139[.]44. Pivoting to co-located infrastructure turned up a VLTRig Monero-mining toolkit on host 176.65.139[.]42, though "it is currently not known if the two sets of activities are the work of the same threat actor," Hunt.io cautions.
Hunt.io characterizes the operation as commercially oriented and mid-tier: "In commercial-criminal terms, xlabs_v1 is mid-tier. It is more sophisticated than the typical script-kiddie Mirai fork [...], but less sophisticated than the top tier of commercial DDoS-for-hire operations," the company wrote. "This operator is competing on price and attack variety, not technical sophistication. Consumer IoT devices, residential routers, and small game-server operators are the target."
What this means for game-server hosts, owners of Android TV and set-top devices, and small operators
- Game servers and Minecraft hosts: xlabs_v1 is explicitly sold to target these services; Darktrace warns that "The presence of game-specific DoS techniques further highlights that the gaming industry continues to be extensively targeted by cyber attackers" and advises that server operators ensure appropriate mitigations are in place.
- Owners of Android TV boxes, set-top boxes, and smart TVs: devices that expose ADB on port 5555 are identified as potential recruits for the botnet. Hunt.io's findings show those appliances — and other devices shipped with ADB enabled — are primary attack vectors for xlabs_v1.
- Small game-server operators and residential network operators: Hunt.io says the operator competes on price and attack variety, which makes small, lightly defended targets the natural customers' choice; and because the bot's "killer" subsystem terminates competing malware to monopolize a device's upstream bandwidth, a residential device that is already compromised by something else can still be taken over and pointed at those targets.
Darktrace's parallel finding — that an intentionally misconfigured Jenkins instance in its honeypot was targeted to deploy a DDoS botnet downloaded from 103.177.110[.]202 — complements Hunt.io's work by showing attackers are combining delivery and evasion techniques while continuing to focus on game-specific DoS methods.
xlabs_v1 presents a commercialized, measured approach to building a DDoS fleet: it probes devices for capacity, sorts them by bandwidth, exits without persisting, and relies on repeated ADB exploitation and operator orchestration to launch attacks. The operator's identity remains unknown, the panel and co-located infrastructure point to a priced-for-hire operation, and the immediate targets named by the researchers — consumer IoT, residential routers, and small game-server operators — are concrete and specific.
https://thehackernews.com/2026/05/mirai-based-xlabsv1-botnet-exploits-adb.html