Mirai-Based xlabs_v1 Botnet Exploits ADB to Hijack IoT Devices for DDoS Attacks

Cybersecurity researchers at Hunt.io have identified a new Mirai-derived botnet called xlabs_v1 that exploits exposed Android Debug Bridge services to launch DDoS attacks against gaming servers and infrastructure.

Key Points

  • The xlabs_v1 botnet targets Android TV boxes, smart TVs, and IoT devices with exposed ADB services on TCP port 5555.
  • Malware operators use a "DDoS-for-hire" model, offering 21 different flood variants capable of bypassing standard consumer-grade protection.
  • The botnet includes a bandwidth-profiling routine that measures device speed to assign compromised hardware into specific pricing tiers for customers.
  • The malware lacks persistence mechanisms, requiring operators to re-infect devices through the ADB channel to maintain control or update fleet data.
  • Researchers discovered the infrastructure, linked to an actor using the moniker "Tadashi," hosted on servers in the Netherlands.
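
A defender-side check for the exposure described in the key points, added here as an example and not taken from Hunt.io or the original article: it scans firewall logs for accepted connections from outside the network to TCP port 5555 on internal devices, grouped by device and source. The log format, the addresses and the internal ranges are constructed assumptions; several sessions from one source deserve a closer look, since the malware lacks persistence and has to be re-delivered over ADB.

```python
import ipaddress
from collections import defaultdict

ADB_PORT = "5555"  # TCP port the article names for exposed ADB services
# Assumption: these ranges describe "inside"; adjust to the network being audited.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample lines in a hypothetical key=value firewall log format.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z action=ACCEPT proto=TCP src=203.0.113.7 dst=192.168.1.50 dport=5555
2024-05-01T10:00:09Z action=ACCEPT proto=TCP src=192.168.1.10 dst=192.168.1.50 dport=5555
2024-05-01T10:02:13Z action=DROP proto=TCP src=198.51.100.23 dst=192.168.1.51 dport=5555
2024-05-01T11:30:44Z action=ACCEPT proto=TCP src=203.0.113.7 dst=192.168.1.50 dport=5555
2024-05-01T11:31:02Z action=ACCEPT proto=TCP src=203.0.113.7 dst=192.168.1.60 dport=443
2024-05-01T12:00:00Z action=ACCEPT proto=UDP src=203.0.113.9 dst=192.168.1.50 dport=5555
malformed line without fields
"""

def parse_line(line):
    """Return (timestamp, fields) or None when a required field is missing."""
    ts, _, rest = line.strip().partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    complete = {"action", "proto", "src", "dst", "dport"} <= fields.keys()
    return (ts, fields) if complete else None

def is_internal(addr):
    return any(ipaddress.ip_address(addr) in net for net in INTERNAL_NETS)

def find_exposed_adb(log_text):
    """Map internal device -> {external source: [timestamps]} for accepted inbound tcp/5555."""
    hits = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, f = parsed
        if (f["action"], f["proto"], f["dport"]) != ("ACCEPT", "TCP", ADB_PORT):
            continue
        try:
            inbound = is_internal(f["dst"]) and not is_internal(f["src"])
        except ValueError:  # unparseable address: skip the line
            continue
        if inbound:
            hits[f["dst"]][f["src"]].append(ts)
    return {dev: dict(srcs) for dev, srcs in hits.items()}

if __name__ == "__main__":
    for dev, srcs in sorted(find_exposed_adb(SAMPLE_LOG).items()):
        for src, stamps in sorted(srcs.items()):
            print(f"{dev} reachable on tcp/{ADB_PORT} from {src}: {len(stamps)} accepted session(s)")
```

Any device this reports should have ADB over the network disabled or port 5555 blocked at the perimeter.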

Why it Matters

This botnet highlights the ongoing security risks posed by internet-exposed consumer hardware that ships with default administrative tools enabled. By commoditizing DDoS attacks against the gaming industry, these operators create a scalable threat that forces server administrators to implement more robust traffic mitigation strategies.

Published by info@thehackernews.com (The Hacker News)