Researchers from Hunt.io have discovered a new botnet based on Mirai, identifying itself as xlabs_v1, which exploits devices with an open Android Debug Bridge (ADB) service on TCP port 5555. At risk are Android TV boxes, Smart TVs, media players, and IoT equipment shipped with ADB enabled by default. According to the researchers, the botnet is being offered as a commercial service for conducting DDoS attacks, primarily targeting game servers and Minecraft hosting. Owners of any Android-based devices with network access to port 5555 are advised to immediately disable ADB or block the port at the firewall level.
How the Botnet Was Discovered
As reported, Hunt.io identified an open directory on a server in the Netherlands at 176.65.139[.]44, accessible without any authentication. Analysis of its contents made it possible to reconstruct a complete picture of the malware’s functionality, its command-and-control infrastructure, and the operator’s business model.
Technical Characteristics of the Malware
According to the researchers, xlabs_v1 supports 21 variants of flood attacks over TCP, UDP, and at the raw packet level, including UDP traffic that mimics RakNet and OpenVPN. This variety of methods presumably helps it bypass basic DDoS protection mechanisms.
The malware is distributed in several forms:
- Android APK file (boot.apk)
- Statically compiled binaries for the ARM, MIPS, x86-64, and ARC architectures
Support for multiple architectures indicates that the targets include not only Android devices but also home routers and other IoT equipment. As Hunt.io reports, the bot is delivered via ADB shell commands with files written to the /data/local/tmp directory. A list of nine payload variants is optimized for Android TV boxes, media players, Smart TVs, and ARM-based IoT-class hardware with ADB enabled.
The botnet is controlled through an operator panel on the domain xlabslover[.]lol, from which commands are issued to generate junk traffic toward target servers.
Bandwidth Profiling and Monetization Model
One of the notable features of xlabs_v1 is a built-in mechanism for profiling the bandwidth of infected devices. According to Hunt.io, this component opens 8,192 parallel TCP connections to the geographically closest Speedtest server, loads them for 10 seconds, and then sends the measured data transfer rate back to the control panel. Presumably, this allows the operator to group infected devices into pricing tiers for the service’s customers.
An important detail: after sending the bandwidth data (in megabits per second), the bot terminates. The malware does not create any persistence mechanisms — it does not write itself to persistent storage, does not modify initialization scripts, does not create systemd units, and does not register cron jobs. This means that to reuse a device, the operator must once again exploit the ADB exposure. In Hunt.io’s assessment, this approach is intentional: bandwidth profiling is treated by the operator as an infrequent operation to refresh data about the “fleet” of devices.
Suppression of Competing Malware
The botnet includes a competitor-killing subsystem that terminates processes belonging to other malware on the infected device. The goal is to monopolize all of the device’s outgoing bandwidth for its own DDoS attacks.
Related Infrastructure
When analyzing related infrastructure on the host 176.65.139[.]42, a set of tools for Monero mining — VLTRig — was discovered. However, as the researchers note, no direct link has been established between the botnet operators and this mining activity.
Separately, Darktrace reported that a deliberately misconfigured Jenkins instance in its honeypot network became a target for unknown attackers, who deployed a DDoS botnet downloaded from the server 103.177.110[.]202. The presence of gaming-industry-specific attack techniques confirms that the gaming sector remains a priority target for botnet operators.
Threat Level Assessment
According to Hunt.io, xlabs_v1 occupies an intermediate position in the ecosystem of criminal DDoS-for-hire services: it is more advanced than typical Mirai forks created by novice attackers but lags behind leading commercial DDoS platforms in technical sophistication. The operator presumably competes on price and the diversity of attack methods rather than on technical complexity.
Main categories of devices at risk:
- Android TV boxes and media players
- Smart TVs
- Home routers
- ARM-based IoT devices
- Any equipment with ADB accessible from the network
Indicators of Compromise
- IP addresses: 176.65.139[.]44, 176.65.139[.]42, 103.177.110[.]202
- C2 domain: xlabslover[.]lol
Protection Recommendations
- Disable ADB on all devices where it is not used for development. On Android TV and TV boxes, this option is usually located in the “Developer options” section of the system settings.
- Block TCP port 5555 at the router or firewall level for incoming connections from the internet. Check that the port is not forwarded via NAT.
- Scan your network for devices with open port 5555 using the command:
nmap -p 5555 --open <network_range>
- Check IoT devices for suspicious files in the /data/local/tmp directory.
- Add the IP addresses and domain listed above to blocklists on your network security tools.
- Game server operators are advised to use specialized DDoS protection services capable of filtering traffic using the RakNet protocol and UDP.
The absence of persistence mechanisms in xlabs_v1 is both a weakness and an indicator of its operational model: every device reboot removes the infection, but re-exploitation via an open ADB service is trivial. The only reliable measure is to completely close port 5555 to external access. Owners of Android TV boxes and IoT devices should check their ADB settings and router configuration today, rather than waiting for signs of compromise.