PROBABLYPWNED
Malware | May 13, 2026 | 3 min read

xlabs_v1 Botnet Hijacks Android TVs via ADB for DDoS Attacks

Hunt.io uncovers xlabs_v1, a Mirai-based botnet exploiting Android Debug Bridge on port 5555 to conscript IoT devices into a DDoS-for-hire service targeting game servers.

James Rivera

Security researchers at Hunt.io have exposed a new Mirai variant called xlabs_v1 that targets Android TV boxes, smart TVs, and IoT devices through exposed Android Debug Bridge (ADB) services. The botnet operates as a DDoS-for-hire platform, primarily targeting game servers and Minecraft hosts.

The discovery came after researchers found an exposed directory on a Netherlands-hosted server—no authentication required—revealing the malware's configuration and capabilities.

How xlabs_v1 Spreads

The botnet hunts for devices with ADB listening on TCP port 5555, a debugging interface that should never be reachable from the internet but frequently is. Many consumer devices ship with network ADB switched on, and users rarely turn it off. Worse, boxes built with ro.adb.secure=0, common among cheap Android TV hardware, skip the host-key authorisation prompt entirely, so an open port 5555 amounts to an unauthenticated shell.

Once xlabs_v1 finds an exposed target, it delivers a malicious APK through ADB shell commands into /data/local/tmp, the standard staging directory that the unprivileged shell user can both write to and execute from. The malware is built for several architectures (ARM, MIPS, x86-64, and ARC), which indicates it is designed for residential routers as well as Android devices. This continues a trend of Android-focused threats we've tracked, including the recent TrickMo banking trojan using blockchain for C2.

Target devices include:

  • Android TV boxes and streaming sticks
  • Smart TVs with Android OS
  • Set-top boxes from ISPs
  • IoT hardware with Android underpinnings
  • Residential routers with compatible chipsets

21 DDoS Attack Variants

The botnet comes armed with 21 flood variants spanning TCP, UDP, and raw-socket traffic. Notably, it includes UDP floods shaped like RakNet and OpenVPN traffic, patterns chosen to slip past basic DDoS mitigation that fingerprints protocols and passes whatever looks legitimate. RakNet is the transport behind Minecraft Bedrock servers, which fits the botnet's target list.

This isn't a general-purpose botnet. The operator, who goes by "Tadashi" based on strings embedded in the malware, appears focused on the gaming market. DDoS attacks against game servers are lucrative: disgruntled players, rival server operators, and streamers all pay for downtime.

Hunt.io found evidence of bandwidth-tiered pricing, suggesting a mature service model rather than ad-hoc attacks.

Infrastructure Details

The investigation revealed interconnected infrastructure:

Component          Details
C2 server          xlabslover[.]lol
Primary host       176.65.139[.]44 (Netherlands)
Related IP         176.65.139[.]42 (VLTRig Monero miner)
Secondary source   103.177.110[.]202

The adjacent Monero-mining toolkit suggests the operator diversifies revenue streams—using the same compromised devices for cryptomining when DDoS services aren't in demand.

Limited Persistence

Interestingly, xlabs_v1 doesn't establish deep persistence. It doesn't copy itself to a persistent location, modify init scripts, or register a boot-time service. A reboot clears the running infection (the dropped file in /data/local/tmp may still be there, but nothing relaunches it), though re-infection follows quickly if ADB remains exposed.

This design choice makes sense for a DDoS rental service. The operator doesn't need long-term access to specific devices; they need a rotating pool of attack capacity. Fresh infections replace rebooted victims.

Protect Your Devices

If you run Android-based IoT devices, check whether ADB is exposed:

  1. Disable ADB on production devices: there is no legitimate reason for debugging to be internet-accessible. If you need it, keep it USB-only (adb usb) and switch it on only for the session
  2. Block inbound TCP 5555 at your firewall: even on internal networks, restrict ADB to a management VLAN
  3. Monitor outbound traffic: unusual bandwidth spikes, bursts of UDP toward game-server ports, or connections to the domain and IPs listed above warrant investigation
  4. Segment IoT devices: keep smart TVs and similar hardware off your primary network
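To make the checks in this list concrete, and to turn the indicators from the infrastructure table above into something a detection team can grep for, here is an added example script. It is not Hunt.io's analysis code and not part of the article; it assumes toybox/BusyBox-style netstat and ls -l output, assumes adb is in PATH and the box is already authorised when run with --device, and otherwise runs over constructed sample data embedded in the script (the IOC values are the article's, re-fanged for matching).

```shell
#!/bin/sh
# Added example (not Hunt.io's code, not from the article): check an Android
# TV box for the exposure xlabs_v1 abuses, look for dropped executables in
# /data/local/tmp, and grep connection logs for the article's IOCs.
# Assumptions: toybox/BusyBox `netstat -ltn` and `ls -l` output formats; `adb`
# in PATH and the box already authorised when run with --device. All sample
# data below is constructed for offline use.

# IOCs from the article, re-fanged into an ERE for grep
IOC_PATTERN='xlabslover\.lol|176\.65\.139\.44|176\.65\.139\.42|103\.177\.110\.202'

# Constructed sample: `adb shell netstat -ltn` on a box with network ADB on
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address          Foreign Address        State
tcp        0      0 0.0.0.0:5555           0.0.0.0:*              LISTEN
tcp        0      0 127.0.0.1:5037         0.0.0.0:*              LISTEN'

# Constructed sample: `adb shell ls -l /data/local/tmp` with a dropped binary
SAMPLE_TMP='total 64
-rwxr-xr-x 1 shell shell 61234 2026-05-12 03:14 .x86_64
-rw-r--r-- 1 shell shell   412 2026-05-12 03:14 notes.txt'

# Constructed sample: outbound-connection log export, one flow per line
SAMPLE_LOG='2026-05-12T03:15:01Z src=192.168.1.40 dst=176.65.139.44 dport=443 proto=tcp
2026-05-12T03:15:07Z src=192.168.1.40 dst=142.250.0.1 dport=443 proto=tcp
2026-05-12T03:16:22Z src=192.168.1.40 dst=103.177.110.202 dport=80 proto=tcp'

# Reads a netstat/ss listener table on stdin. Prints "exposed" when adbd is
# bound to a wildcard address (0.0.0.0, [::] or *) on 5555, "ok" otherwise.
# A 127.0.0.1:5555 listener counts as ok: only the LAN/WAN-facing case is
# what the botnet's scanner can reach.
adb_tcp_exposure() {
  if grep -Eq '(0\.0\.0\.0|\[?::\]?|\*):5555([[:space:]]|$)'; then
    echo exposed
  else
    echo ok
  fi
}

# Reads `ls -l` output on stdin and prints the names of regular files that
# carry any execute bit. An executable in /data/local/tmp on a TV box
# deserves a look; it is the drop location reported above.
# (A name containing spaces is truncated to its last word.)
executables_in_tmp() {
  awk '$1 ~ /^-/ && $1 ~ /x/ { print $NF }'
}

# Reads log lines on stdin and prints those that touch an article IOC.
ioc_hits() {
  grep -E "$IOC_PATTERN"
}

# Turns network ADB off on an authorised device. `adb usb` is the documented
# way to return adbd to USB-only mode. The setprop line covers boxes where
# network ADB comes from a firmware property rather than `adb tcpip`; it
# needs a root shell (adb root) to take effect, hence the `|| true`.
disable_network_adb() {
  adb usb
  adb shell 'setprop service.adb.tcp.port -1 && setprop ctl.restart adbd' 2>/dev/null || true
}

if [ "${1:-}" = "--device" ]; then
  adb shell netstat -ltn | adb_tcp_exposure
  adb shell ls -l /data/local/tmp | executables_in_tmp
else
  printf '%s\n' "$SAMPLE_NETSTAT" | adb_tcp_exposure   # exposed
  printf '%s\n' "$SAMPLE_TMP" | executables_in_tmp     # .x86_64
  printf '%s\n' "$SAMPLE_LOG" | ioc_hits               # two matching lines
fi
```

Run it without arguments to see the checks fire on the constructed samples, or with --device against a box on your bench; feed a firewall or NetFlow export into ioc_hits for the log side. Because the infection does not survive a reboot but the dropped file can, run executables_in_tmp after rebooting as well as before, and call disable_network_adb (or block 5555 upstream) before the scanner comes back.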

For organizations managing IoT deployments, our malware defense guide covers broader protection strategies.

The Mirai Legacy Continues

Nearly a decade after the original Mirai source code leaked, variants keep appearing. The framework's simplicity—scan for weak services, infect, await commands—remains effective against the growing sprawl of poorly secured IoT devices.

xlabs_v1 represents the commercialization of that capability. Anyone with cryptocurrency and a grudge can rent time on a botnet built from hijacked consumer electronics. For defenders tracking IoT threats, stay updated via our hacking news coverage.

Hunt.io's full analysis includes additional IOCs for detection teams.
