xlabs_v1 DDoS-for-hire IoT botnet

Hunt.io reported that an exposed debug build and open directory revealed xlabs_v1, a Mirai-derived IoT botnet sold as a DDoS-for-hire service aimed at game servers and Minecraft hosts.

Why it matters

  • The useful defender lesson is not only the exposed staging server; it is the commercial botnet workflow around internet-exposed Android Debug Bridge (ADB) on TCP/5555.
  • The bot profiles compromised devices with Speedtest-style bandwidth measurement, then turns upstream capacity into a pricing tier for DDoS customers.
  • The operation shows game-server-specific flooding rather than generic volumetric noise, including RakNet and OpenVPN-shaped UDP traffic intended to bypass common protections.

Reported chain

  • Hunt.io said its AttackCapture tooling found an unauthenticated directory on 176.65[.]139.44 in early April 2026.
  • The exposed files included:
      • arm7, a UPX-packed ARM32 production bot.
      • debug.o2, an unstripped x86-64 development build.
      • payloads.txt, nine ADB-oriented infection one-liners.
      • proxies.txt, a SOCKS5 proxy entry.
      • targets.txt, a placeholder target file.
  • Comparing the production and debug builds let Hunt.io reconstruct the string table, command protocol, operator branding, and flood registry.

Bot behavior

  • Initial access targets devices with ADB exposed on TCP/5555, with payloads staged through adb shell into /data/local/tmp.
  • Targetable device classes include Android TV boxes, set-top boxes, smart TVs, residential routers, and other IoT-grade hardware where ADB is reachable from the internet.
  • Hunt.io reported multi-architecture builds covering ARM, MIPS, x86-64, ARC, and Android APK targets.
  • The bot uses 21 flood variants across TCP, UDP, and raw protocols; examples include Minecraft / RakNet-oriented traffic and OpenVPN-shaped UDP.
  • A bandwidth-profiling routine opens 8,192 parallel TCP sockets to a nearby Speedtest server, measures upstream capacity, reports Mbps to the C2, and exits.
  • The production ARM build is UPX-packed, masquerades as /bin/bash, daemonizes, clears the captured infection-vector argument from process listings, and ignores SIGCHLD.
  • If outbound C2 fails, the bot attempts multiple iptables variants to permit inbound TCP/26721 and starts a SOCKS-like fallback listener for operator re-entry.

Infrastructure and identifiers

  • Hunt.io attributed the public operator handle Tadashi to the bot's decrypted strings, but cautioned that a handle alone does not establish a real-world identity or nationality.
  • Decrypted strings included:
      • Bot brand / tag: xlabs_v1
      • C2 domain: xlabslover[.]lol
      • C2 address reported by Hunt.io: 176.65.139[.]134
      • Staging / open-directory server: 176.65[.]139.44
      • Fallback listener port: TCP/26721
  • Hunt.io said the operation was consolidated in an Offshore LC (AS214472) Netherlands-hosted /24, alongside C2, distribution, staging, and co-located Monero cryptojacking infrastructure.

Defender takeaways

  • Treat internet-exposed ADB as an active botnet-infection path, not just a misconfiguration. Remove public exposure, enforce management-plane network controls, and rebuild exposed devices when compromise is plausible.
  • Hunt for outbound C2 to xlabslover[.]lol and related 176.65.139[.]0/24 infrastructure, but avoid relying only on static indicators because the bot has fallback resolution and inbound re-entry behavior.
  • Inspect IoT / Android-derived hosts for:
      • unexpected executables in /data/local/tmp;
      • long-running processes masquerading as /bin/bash from unusual paths;
      • new firewall rules opening TCP/26721;
      • spikes of thousands of outbound connections to Speedtest infrastructure;
      • game-server flood patterns such as RakNet-heavy or OpenVPN-shaped UDP traffic from non-VPN devices.
  • For hosting and game-server operators, correlate DDoS events with source populations exposing TCP/5555 and with traffic shaped like game or VPN protocols rather than treating every event as a generic UDP flood.
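The host and network checks listed above, written out as an added triage script. This is example code, not Hunt.io's tooling: the C2 domain, the 176.65.139.0/24 range, the /data/local/tmp staging directory and the TCP/26721 fallback port come from the report, while the log layouts (a ps-style dump of pid, executable path and command line; iptables-save rules; resolver log lines; a flow log of source, destination and port), the sample records, the trusted-shell path list and the 1,000-flow burst threshold are assumptions constructed for illustration.

```python
"""Triage checks for the xlabs_v1 indicators described in the text.

Added example, not Hunt.io's code. Indicator values are from the report;
log formats, sample records and thresholds are constructed assumptions.
"""
import ipaddress
import re
from collections import Counter

C2_DOMAIN = "xlabslover.lol"                       # reported C2 domain (defanged in the text)
C2_NET = ipaddress.ip_network("176.65.139.0/24")   # reported hosting /24
FALLBACK_PORT = 26721                              # reported inbound re-entry port
STAGING_DIR = "/data/local/tmp"                    # reported ADB payload staging directory
# Assumed: paths where a legitimate bash/sh executable may live on these devices.
TRUSTED_SHELLS = {"/bin/bash", "/usr/bin/bash", "/system/bin/bash", "/system/bin/sh"}
BURST_THRESHOLD = 1000                             # assumed: flag >1000 flows to one destination


def check_processes(ps_lines):
    """Each line is 'pid exe cmdline' (constructed layout). Flag binaries running
    from the staging directory and processes whose argv[0] claims to be bash
    while the backing executable is somewhere else."""
    findings = []
    for line in ps_lines:
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        pid, exe, cmdline = parts
        if exe.startswith(STAGING_DIR + "/"):
            findings.append(f"pid {pid}: executable in staging dir ({exe})")
        argv0 = cmdline.split()[0]
        if argv0.endswith("bash") and exe not in TRUSTED_SHELLS:
            findings.append(f"pid {pid}: argv[0] is {argv0} but exe is {exe}")
    return findings


def check_iptables(rules):
    """Flag INPUT ACCEPT rules (iptables-save syntax) that open the fallback port."""
    pattern = re.compile(r"-A INPUT .*--dport (\d+).*-j ACCEPT")
    findings = []
    for rule in rules:
        match = pattern.search(rule)
        if match and int(match.group(1)) == FALLBACK_PORT:
            findings.append(f"inbound rule opens TCP/{FALLBACK_PORT}: {rule.strip()}")
    return findings


def check_dns(dns_lines):
    """Each line is 'timestamp client qname answer' (constructed layout). Flag
    lookups of the C2 domain or its subdomains and any answer inside the C2 /24."""
    findings = []
    for line in dns_lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        _ts, client, qname, answer = parts[:4]
        qname = qname.rstrip(".").lower()
        if qname == C2_DOMAIN or qname.endswith("." + C2_DOMAIN):
            findings.append(f"{client} resolved C2 domain {qname}")
        try:
            if ipaddress.ip_address(answer) in C2_NET:
                findings.append(f"{client} received answer {answer} inside {C2_NET}")
        except ValueError:
            pass  # NXDOMAIN or a non-address answer
    return findings


def check_connection_bursts(flow_lines, threshold=BURST_THRESHOLD):
    """Each line is 'src dst dport' (constructed layout). Flag a source opening
    more than `threshold` flows to a single destination, the shape of the
    bot's 8,192-socket bandwidth probe."""
    pairs = Counter()
    for line in flow_lines:
        parts = line.split()
        if len(parts) >= 2:
            pairs[(parts[0], parts[1])] += 1
    return [f"{src} opened {n} flows to {dst}"
            for (src, dst), n in pairs.items() if n > threshold]


# Constructed sample records (RFC 5737 addresses; not real telemetry).
SAMPLE_PS = [
    "1 /system/bin/init /init",
    "812 /system/bin/sh /system/bin/sh",
    "4471 /data/local/tmp/arm7 /bin/bash",
    "4490 /system/bin/bash /system/bin/bash -l",
]
SAMPLE_IPTABLES = [
    "-A INPUT -i lo -j ACCEPT",
    "-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT",
    "-A INPUT -p tcp -m tcp --dport 26721 -j ACCEPT",
    "-A INPUT -p tcp --dport 26721 -j ACCEPT",
]
SAMPLE_DNS = [
    "2026-04-09T10:00:01Z 10.0.0.7 ntp.example.org 192.0.2.10",
    "2026-04-09T10:00:02Z 10.0.0.7 xlabslover.lol 176.65.139.134",
    "2026-04-09T10:00:03Z 10.0.0.9 cdn.example.net NXDOMAIN",
]
SAMPLE_FLOWS = ["10.0.0.7 203.0.113.20 8080"] * 8192 + ["10.0.0.9 203.0.113.21 443"] * 12


def triage():
    """Run every check over the constructed samples and return all findings."""
    return (check_processes(SAMPLE_PS) + check_iptables(SAMPLE_IPTABLES)
            + check_dns(SAMPLE_DNS) + check_connection_bursts(SAMPLE_FLOWS))


if __name__ == "__main__":
    for finding in triage():
        print(finding)
```

Each check returns its findings as a list so the functions can be fed real `ps`, `iptables-save`, resolver and flow exports after adapting the three-field parsers to the local format; the DNS check catches both the domain and any answer in the hosting /24, which matters because the report notes fallback resolution behaviour that a domain-only match would miss.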

Sources

  • Hunt.io, "xlabs_v1 DDoS-for-Hire IoT Botnet Exposed: One Operator Error. An Entire Operation Revealed" — https://hunt.io/blog/xlabs-v1-ddos-for-hire-operation-exposed