According to Hunt[.]io, researchers have exposed a Mirai-derived botnet that self-identifies as xlabs_v1 and targets devices with an exposed Android Debug Bridge, enlisting them into a DDoS-for-hire network. The malware hunts for Android devices running ADB on TCP port 5555 and is delivered via ADB-shell pastes into /data/local/tmp, with an APK named boot[.]apk and multi-architecture builds covering ARM, MIPS, x86-64 and ARC to reach IoT hardware and residential routers.
It supports 21 flood variants across TCP, UDP and raw protocols, including RakNet and OpenVPN-shaped UDP, and can generate a flood directed at game servers, Minecraft hosts and other targets. The operator’s panel coordinates attacks using a nine-variant payload list and can adapt to bandwidth-based pricing tiers by probing victim bandwidth and geolocation through a dedicated routine. There is also a “killer” subsystem to terminate competitors so xlabs_v1 can capture upstream bandwidth for its attacks.
The threat actor behind the operation is claimed to go by the moniker “Tadashi,” though the broader infrastructure is still under analysis.
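To check a device you administer for the exposure described above, the following added example (not from the report or from Hunt[.]io) audits the output of `adb shell getprop` and a file listing of /data/local/tmp. The function names and sample inputs are constructed for illustration, and the properties `service.adb.tcp.port`, `persist.adb.tcp.port` and `ro.adb.secure` are standard Android properties that the report itself does not mention.

```python
import re

# getprop prints one "[key]: [value]" pair per line.
PROP_RE = re.compile(r"^\[([^\]]+)\]: \[([^\]]*)\]$")
ADB_TCP_PROPS = ("service.adb.tcp.port", "persist.adb.tcp.port")
DROP_DIR = "/data/local/tmp"  # staging directory named in the report
DROPPED_APK = "boot.apk"      # APK name from the report, written without defanging


def parse_getprop(text):
    """Turn getprop output into a dict, skipping lines that do not match."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def audit_device(getprop_text, tmp_files):
    """Return a list of findings for one device; an empty list means none."""
    props = parse_getprop(getprop_text)
    findings = []
    for key in ADB_TCP_PROPS:
        port = props.get(key, "")
        # Only a positive port number turns the TCP listener on;
        # unset, "0" and "-1" are treated here as disabled.
        if port.isdigit() and int(port) > 0:
            findings.append(f"adb-over-tcp enabled: {key}={port}")
    if props.get("ro.adb.secure") == "0":
        findings.append("adb authentication disabled: ro.adb.secure=0")
    for name in tmp_files:
        base = name.strip().rsplit("/", 1)[-1]
        if base == DROPPED_APK:
            findings.append(f"reported APK name present: {DROP_DIR}/{base}")
    return findings


# Constructed sample inputs (not taken from a real device).
SAMPLE_GETPROP = """\
[ro.adb.secure]: [0]
[ro.product.model]: [example-tv-box]
[service.adb.tcp.port]: [5555]
"""
SAMPLE_TMP = ["boot.apk", "notes.txt"]
CLEAN_GETPROP = "[ro.adb.secure]: [1]\n[service.adb.tcp.port]: [-1]\n"

if __name__ == "__main__":
    for finding in audit_device(SAMPLE_GETPROP, SAMPLE_TMP):
        print(finding)
```

A file-name match is only a triage hint, since the name can be changed; the ADB-over-TCP and authentication findings are the ones to remediate regardless.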