securityaffairs.com 5/7/2026, 11:19:11 AM · via preferred

Mirai Derivative Botnet xlabs_v1 Hijacks ADB IoT Devices for DDoS

Primary Source hunt.io

A new Mirai‑derivative botnet named xlabs_v1 has emerged, hijacking internet‑exposed devices running Android Debug Bridge (ADB) to power large‑scale DDoS attacks, with 21 flood techniques across TCP, UDP and raw protocols. Hunt[.]io discovered the bot on an unsecured Netherlands‑hosted server and described it as a commercially aimed DDoS‑for‑hire operation, targeting game servers and Minecraft servers.

The exposed infrastructure included a six-file toolkit and about 200 KB of data, with binaries and scripts such as an ARM Mirai variant and ADB infection one-liners, all accessible without authentication. The operation targets Android TVs, set-top boxes, smart TVs and other IoT gear shipping with ADB enabled by default, and the global attack surface is described as more than 4 million devices with TCP/5555 exposed.

Its C2 uses the domain xlabslover[.]lol, resolving to a Dutch IP, while the operator handle Tadashi is embedded in builds; the report notes a development tag, aterna, indicating earlier branding. According to Hunt[.]io, xlabs_v1 is a mid-tier commercial operation, designed to keep compromised devices reachable and profitable for the operator.

07 May 2026
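For defenders, the two indicators named above (TCP/5555 reachable from outside and lookups of the C2 domain) can be checked against network logs. The Python below is an added example, not code from the Hunt[.]io report or this article; the record layouts, the internal address ranges, the sample records and the verdict labels are all assumptions made for illustration.

```python
import ipaddress

# Indicators from the article; the domain is defanged there and refanged here for matching.
C2_DOMAIN = "xlabslover[.]lol".replace("[.]", ".")
ADB_PORT = 5555

# Assumption: address ranges that count as "our" network.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records (not real traffic).
# Flow: (epoch_seconds, src_ip, dst_ip, dst_port, proto); DNS: (epoch_seconds, client_ip, qname)
SAMPLE_FLOWS = [
    (1000, "203.0.113.7", "192.168.1.50", 5555, "tcp"),   # external -> internal ADB
    (1005, "192.168.1.10", "192.168.1.50", 5555, "tcp"),  # LAN-only ADB, not flagged
    (1010, "198.51.100.9", "192.168.1.60", 5555, "tcp"),  # external -> internal ADB
    (1020, "203.0.113.7", "192.168.1.50", 443, "tcp"),    # other port, ignored
]
SAMPLE_DNS = [
    (1100, "192.168.1.50", "xlabslover.lol."),
    (1110, "192.168.1.70", "cdn.XLABSLOVER.lol"),
    (1120, "192.168.1.60", "notxlabslover.lol"),          # look-alike suffix, must not match
]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def matches_c2(qname):
    # Normalise trailing dot and case, then match the domain or any subdomain of it.
    q = qname.rstrip(".").lower()
    return q == C2_DOMAIN or q.endswith("." + C2_DOMAIN)

def triage(flows, dns):
    """Return {device_ip: verdict} for devices that need attention."""
    first_adb, first_c2 = {}, {}
    for ts, src, dst, port, proto in flows:
        if proto == "tcp" and port == ADB_PORT and is_internal(dst) and not is_internal(src):
            first_adb[dst] = min(ts, first_adb.get(dst, ts))
    for ts, client, qname in dns:
        if matches_c2(qname):
            first_c2[client] = min(ts, first_c2.get(client, ts))
    verdicts = {}
    for ip in sorted(set(first_adb) | set(first_c2)):
        if ip in first_adb and ip in first_c2 and first_c2[ip] >= first_adb[ip]:
            verdicts[ip] = "likely-compromised"  # heuristic: outside ADB contact, then C2 lookup
        elif ip in first_c2:
            verdicts[ip] = "c2-lookup"
        else:
            verdicts[ip] = "adb-exposed"
    return verdicts

if __name__ == "__main__":
    for ip, verdict in triage(SAMPLE_FLOWS, SAMPLE_DNS).items():
        print(ip, verdict)
```

A device flagged `adb-exposed` should have ADB disabled or TCP/5555 blocked at the perimeter even when no C2 lookup has been seen.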


Article by CyberSIXT
