Mirai-Based xlabs_v1 Botnet Hijacks ADB-Exposed Android Devices to Hit Minecraft Servers
Researchers uncovered xlabs_v1, a Mirai-derived botnet that compromises internet-exposed Android and IoT devices with ADB enabled on TCP port 5555 and repurposes them for DDoS-for-hire attacks, with a strong focus on Minecraft and other game servers. Hunt.io traced the operation to bulletproof-hosted infrastructure in the Netherlands, including an exposed server at 176.65.139[.]44 and a control panel tied to xlabslover[.]lol. The malware drops a bot binary into /data/local/tmp/, disguises itself as /bin/bash, decrypts configuration data with ChaCha20, and communicates with command-and-control over TCP port 35342. Analysts also found an embedded operator handle, "Tadashi," though attribution remains unconfirmed.
The botnet supports 21 flood methods across TCP, UDP, and raw protocols, including a RakNet flood capability tailored to disrupt Minecraft services, and it even serves its bot binary over TCP port 25565, the default Minecraft server port. Hunt.io said the malware profiles victim bandwidth by opening 8,192 parallel TCP sockets to nearby Speedtest servers, likely to sort infected devices into service tiers for customers. The malware also includes a built-in killer to remove competing malware and a fallback access path on TCP port 26721, but it lacks persistence and must reinfect devices through the same exposed ADB route. Separately, Darktrace reported threat actors abusing a deliberately misconfigured Jenkins honeypot to deploy another DDoS botnet, underscoring continued targeting of gaming-related infrastructure.
How this story unfolded
3 events from the earliest known activity through the most recent confirmed update.
Hunt.io discovers xlabs_v1 botnet infrastructure in early April 2026
Hunt.io identified a new Mirai-based botnet operation, xlabs_v1, after finding exposed tooling and an unauthenticated directory on Netherlands-hosted infrastructure tied to Offshore LC. The exposed assets revealed binaries, payloads, proxy credentials, and operational details about the botnet.
Researchers document xlabs_v1 targeting ADB-exposed Android and IoT devices
Analysis showed xlabs_v1 compromises internet-exposed Android and IoT devices with ADB enabled on TCP port 5555, then uses them in a DDoS-for-hire operation aimed largely at Minecraft and other game servers. Researchers also identified tailored capabilities including RakNet flooding, competitor malware killing, bandwidth profiling, and C2 communications with xlabslover[.]lol over TCP port 35342.
The Hacker News reports additional technical details on xlabs_v1
Further reporting said the botnet supports 21 flood methods across TCP, UDP, and raw protocols, lacks persistence, and reinfects devices through repeated ADB exploitation. The report also noted attribution remained limited to the embedded handle “Tadashi.”
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
From Android TVs to routers: the xlabs_v1 Mirai-based botnet built for DDoS attacks
securityaffairs.com
Open sourceMirai-Based xlabs_v1 Botnet Exploits ADB to Hijack IoT Devices for DDoS Attacks
thehackernews.com
Open sourceNew xlabs_v1 Botnet Targets Minecraft Servers Through ADB-Exposed Android Devices
cybersecuritynews.com
Open sourceInside BeatBanker / BTMOB: Static Analysis of TV_V_23.apk, a Multi-Stage Android Banking Malware Platform | Ostorlab: Mobile App Security Testing for Android and iOS
blog.ostorlab.co
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Masjesu IoT Botnet Powers Stealthy DDoS-for-Hire Attacks
Researchers reported that the **Masjesu** botnet, also tracked as **XorBot**, has been operating since early 2023 as a **DDoS-for-hire** service promoted on Telegram. The malware targets internet-exposed routers, gateways, cameras, DVRs, NVRs, and other embedded devices across multiple CPU architectures, exploiting known command-injection and remote code execution flaws in products from vendors including **D-Link, Huawei, NETGEAR, TP-Link, and GPON**. Trellix said the botnet is engineered for stealth and longevity, using XOR-based obfuscation, runtime decryption, persistence mechanisms, process spoofing, and multi-domain command-and-control infrastructure with fallback IPs. Once installed, Masjesu opens a hard-coded TCP port `55988` for direct operator access, suppresses termination signals, kills utilities such as `wget` and `curl`, and connects to external servers for attack instructions. The operators reportedly avoid scanning or infecting high-profile ranges such as **U.S. Department of Defense** networks to reduce scrutiny, while advertising the botnet's geographic spread and attack capacity. Observed traffic has been concentrated in **Vietnam** and also seen from **Ukraine, Iran, Brazil, Kenya, and India**, with the botnet used to launch **TCP, UDP, and HTTP flood** attacks against CDNs, game servers, and enterprises, including volumes reported at roughly **290 Gbps**.
Apr 22, 2026
Nexcorium Mirai Variant Exploits TBK DVR Flaw to Build IoT DDoS Botnet
Fortinet and other reporting identified **Nexcorium**, a Mirai-derived malware strain targeting Internet of Things devices, particularly **TBK DVR-4104** and **DVR-4216** video recorder systems used with security cameras. The campaign exploits **`CVE-2024-3721`**, an OS command injection flaw, to run a downloader script that retrieves malware binaries for multiple Linux architectures. Fortinet linked the activity to a suspected actor it calls **Nexus Team**, citing the custom HTTP header `X-Hacked-By: Nexus Team – Exploited By Erratic.` Once installed, Nexcorium uses classic Mirai-style scanner, watchdog, and attack modules, establishes persistence through mechanisms including init, `rc.local`, systemd, and cron, and spreads further through brute-force Telnet activity, default-password abuse, and exploitation of **`CVE-2017-17215`** in Huawei HG532 devices. The malware performs self-checks, replication, and self-deletion to improve resilience and evasion, then connects to the command-and-control domain `r3brqw3d[.]b0ats[.]top` to receive instructions for **DDoS** operations, including UDP, TCP SYN, TCP ACK, SMTP, and VSE query floods.
Apr 22, 2026
Jenkins `scriptText` Exploited to Deploy DDoS Botnet Targeting Game Servers
Darktrace reported that a threat actor exploited a weakly protected Jenkins honeypot by abusing the `scriptText` endpoint for remote code execution, then deployed a cross-platform botnet designed to attack online game infrastructure. The intrusion used a single IP address, `103[.]177.110.202`, for payload delivery, initial access support, and command-and-control—an unusual consolidation of attacker infrastructure. The malicious Jenkins script delivered separate Windows and Linux payloads, with the Windows variant adding a firewall rule for TCP port `5444` and the Linux variant establishing stealth and persistence after execution. Analysis of the Linux malware showed it deleted its original executable, renamed itself to resemble legitimate kernel worker processes, daemonized itself, suppressed I/O, and ignored termination signals, including using Jenkins-specific environment variables to avoid being killed. The botnet accepted commands such as `PING`, `!stop`, and `!update`, and supported several denial-of-service techniques including UDP floods, TCP push floods, HTTP floods, and Valve Source Engine query abuse aimed at gaming servers. Darktrace assessed the activity as opportunistic exploitation of exposed or misconfigured internet-facing Jenkins systems to build DDoS capacity against the gaming sector.
May 4, 2026