Mirai-Based xlabs_v1 Botnet Exploits Android Debug Bridge to Hijack IoT Devices


What happened

Hunt.io researchers have identified a new Mirai-derived botnet called xlabs_v1 that targets internet-exposed devices running Android Debug Bridge on TCP port 5555, enlisting them into a DDoS-for-hire network primarily aimed at game servers and Minecraft hosts. The discovery was made after researchers identified an exposed, unauthenticated directory on a Netherlands-hosted server.

The botnet targets Android TV boxes, set-top boxes, smart TVs, and IoT hardware that ships with ADB enabled by default, delivering a malicious APK through ADB shell commands into /data/local/tmp. Multi-architecture builds covering ARM, MIPS, x86-64, and ARC indicate the botnet also targets residential routers and broader IoT hardware. The malware supports 21 flood variants across TCP, UDP, and raw protocols, including RakNet and OpenVPN-shaped UDP designed to bypass consumer-grade DDoS protection.

A notable design feature is the botnet’s bandwidth profiling routine, which opens 8,192 parallel TCP sockets to the nearest Speedtest server, saturates them for 10 seconds, and reports the measured bandwidth back to the operator’s panel. This data is used to assign each compromised device to a pricing tier for paying customers of the DDoS-for-hire service. The botnet lacks a persistence mechanism and exits after reporting bandwidth, requiring the operator to re-infect each device through the same ADB exploitation channel before each use. A killer subsystem terminates competing malware on infected devices to claim the full upstream bandwidth. The threat actor behind the botnet goes by the moniker Tadashi, embedded as a ChaCha20-encrypted string in every build.

Who is affected

Organizations and operators running internet-exposed ADB services on Android-based devices face direct exposure. Game server operators are the primary intended targets of the DDoS service. Consumer IoT device owners whose equipment ships with ADB enabled and internet-accessible face compromise and enrollment into the botnet without their knowledge.

Why CISOs should care

ADB is a developer tool that has no place being exposed to the public internet on production or consumer devices, but many Android-based IoT products ship with it enabled by default and remain unpatched in deployed environments indefinitely. The xlabs_v1 campaign is a reminder that the IoT attack surface in enterprise environments, including smart displays, set-top boxes, and conference room devices running Android, can provide a foothold for DDoS infrastructure that consumes network bandwidth and may serve as a staging point for broader activity. The co-located Monero mining toolkit on adjacent infrastructure also suggests this operator or associated actors are running multiple monetization streams from the same device population.

3 practical actions

  1. Audit your environment for Android-based devices with ADB enabled and accessible on TCP port 5555: Any device in your network with an exposed ADB service is a candidate for xlabs_v1 infection. Scan for port 5555 exposure across all network segments including guest, IoT, and conference room networks, and disable ADB on any device where it is not operationally required.
  2. Segment IoT and Android-based devices onto isolated network zones with outbound traffic restrictions: IoT devices that cannot be updated or have ADB disabled should be isolated on dedicated VLANs with outbound internet access restricted to only the specific destinations required for their function, preventing them from being used as DDoS attack nodes even if compromised.
  3. Monitor for anomalous outbound TCP connection bursts from IoT devices as a botnet enrollment indicator: The bandwidth profiling routine opens 8,192 parallel TCP sockets within a few seconds. Network monitoring that flags unusual outbound connection volume from IoT device segments provides an early warning of compromise, even without signature-based detection of the specific malware.
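As an added example, not code from the Hunt.io report or from this article, the Python below applies action 3 (sliding-window count of outbound TCP flows per internal source) and the port-5555 exposure check from action 1 to constructed flow records. The 500-connection threshold, the 10-second window, the internal address ranges and all sample addresses are assumptions to be tuned per environment.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed tunables: xlabs_v1 opens 8,192 sockets for ~10 s, so a threshold far
# below that still catches the profiling burst while ignoring normal browsing.
BURST_THRESHOLD = 500
WINDOW_SECONDS = 10
# Assumed internal ranges for the IoT / device segments being monitored.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL_NETS)

def build_sample_flows():
    """Constructed flow records (epoch, src, dst, proto, dport), not real telemetry:
    an IoT box opens 600 TCP flows in 6 s, a workstation browses normally, and
    an external host reaches the IoT box's ADB port."""
    flows = [(1000 + i // 100, "10.20.30.40", "203.0.113.5", "tcp", 8080) for i in range(600)]
    flows += [(1000 + i * 30, "10.20.30.41", "203.0.113.9", "tcp", 443) for i in range(20)]
    flows.append((1005, "198.51.100.7", "10.20.30.40", "tcp", 5555))
    return flows

def detect_connection_bursts(flows, threshold=BURST_THRESHOLD, window=WINDOW_SECONDS):
    """Count outbound TCP flows per internal source in a sliding time window.
    Returns {src: peak_count} for sources whose peak reaches the threshold."""
    by_src = defaultdict(list)
    for ts, src, _dst, proto, _dport in flows:
        if proto == "tcp" and is_internal(src):
            by_src[src].append(ts)
    alerts = {}
    for src, times in by_src.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:   # slide the window start forward
                lo += 1
            count = hi - lo + 1
            if count >= threshold:
                alerts[src] = max(alerts.get(src, 0), count)
    return alerts

def detect_exposed_adb(flows):
    """Inbound TCP flows to port 5555 from non-internal sources: ADB reachable from outside."""
    return sorted({(src, dst) for _ts, src, dst, proto, dport in flows
                   if proto == "tcp" and dport == 5555 and not is_internal(src)})

if __name__ == "__main__":
    sample = build_sample_flows()
    print("burst alerts:", detect_connection_bursts(sample))
    print("exposed ADB:", detect_exposed_adb(sample))
```

In production the same two functions would run over exported NetFlow/IPFIX or firewall connection logs for the IoT VLANs rather than the constructed records.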