xlabs_v1 Botnet Targets Android Devices
A newly discovered botnet, xlabs_v1, compromises Android devices and turns them against Minecraft servers. It needs no software vulnerability to get in: it abuses Android Debug Bridge (ADB) ports that are left reachable from the internet, which on devices that do not require ADB authorization hand a remote shell to anyone who connects.
xlabs_v1 is derived from the Mirai source code and is run as a DDoS-for-hire service. Paying customers point the infected devices at a game server and flood it with enough traffic to take it offline.
How xlabs_v1 Exploits Devices
xlabs_v1 scans for devices that expose ADB over TCP on port 5555. Its victims are mostly Android TVs, set-top boxes, smart TVs and other IoT gadgets. Many of these ship with ADB over TCP enabled by default and are then connected straight to the internet, which makes them ready-made entry points.
Once it has a shell through the open ADB port, the bot writes its payload to /data/local/tmp/, the standard scratch directory that the ADB shell user is allowed to write to, and launches it from there. The device then joins a pool that is rented out for paid DDoS attacks, aimed mainly at game servers.
The bot carries a RakNet flood, a method aimed at Minecraft Bedrock servers, which speak RakNet over UDP. The bot binaries themselves are served from TCP port 25565, the default port of a Minecraft Java Edition server, presumably so that the downloads pass as ordinary game traffic.
Investigation and Findings
Analysts at Hunt.io found the botnet in April 2026 while routinely scanning netblocks associated with bulletproof hosting. Their AttackCapture tool flagged an unprotected open directory on a server in the Netherlands that laid out the botnet's operation in detail.
The directory held ELF binaries, infection payloads and other supporting files, giving a full picture of the infrastructure. Cross-referencing the binaries let the researchers extract the control domain, the operator's identity and the authentication details the bots use.
The operator, who goes by the alias Tadashi, runs everything from a single netblock in the Netherlands: the command-and-control server, the staging host and the rest of the infrastructure the botnet depends on.
Technical Mechanisms and Defense
Once running, the bot takes several steps to stay unnoticed. It ignores the signals that would normally terminate it, rewrites its process name so that it shows up as a harmless shell in process listings, and detaches into the background. The renamed process fools ps and top, but not /proc/<pid>/exe, which still points at the binary on disk.
The bot then connects to its control server, xlabslover[.]lol, on TCP port 35342. If that connection fails it falls back to other mechanisms to keep a channel open, so blocking a single connection does not by itself remove the device from the botnet.
Defenders should disable ADB over TCP on every internet-facing device (on Android, setting service.adb.tcp.port to -1 and restarting adbd turns it off) and make sure TCP port 5555 is not reachable from the internet. On the host side, watch for processes that call themselves a shell but run from /data/local/tmp/, and block outbound connections to xlabslover[.]lol and to TCP port 35342.
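As an added example (not part of the Hunt.io report and not the xlabs_v1 code), the following Python script turns the three recommendations above into host-side checks that can be run on a rooted Android device or any Linux host: a process whose name claims to be a shell while its executable sits under /data/local/tmp/ or outside the system shell directories, an adbd listener on TCP 5555, and an established connection to TCP 35342. The ports and the staging directory are taken from the article; the shell names, the legitimate shell directories, the sample /proc/net/tcp rows and the sample process list are assumptions constructed for the demonstration.

```python
import os
import socket
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

C2_PORT = 35342                   # xlabs_v1 C2 port reported in the article
ADB_PORT = 5555                   # ADB-over-TCP port the bot scans for
STAGING_DIR = "/data/local/tmp/"  # where the article says the payload is dropped
TCP_ESTABLISHED, TCP_LISTEN = 0x01, 0x0A  # socket states as encoded in /proc/net/tcp
# Assumptions for this example: names a bot might borrow to pass as a shell, and the
# directories where Android's genuine shell binaries live.
SHELL_NAMES = {"sh", "mksh", "toybox", "busybox"}
LEGIT_SHELL_DIRS = ("/system/bin/", "/apex/")

@dataclass
class ProcInfo:
    pid: int
    comm: str  # /proc/<pid>/comm: the name the process sets (the bot rewrites this)
    exe: str   # readlink of /proc/<pid>/exe: the on-disk binary, which it cannot rewrite

def suspicious_process(p: ProcInfo) -> Optional[str]:
    """Return a reason if the process matches an xlabs_v1 indicator, else None."""
    if p.exe.startswith(STAGING_DIR):
        return f"pid {p.pid} runs from the ADB staging directory: {p.exe}"
    if p.comm in SHELL_NAMES and not p.exe.startswith(LEGIT_SHELL_DIRS):
        return f"pid {p.pid} calls itself '{p.comm}' but executes {p.exe}"
    return None

def decode_addr(field: str) -> Tuple[str, int]:
    """'0501A8C0:8A0E' -> ('192.168.1.5', 35342): IPv4 is little-endian hex, port is hex."""
    ip_hex, port_hex = field.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)

def parse_proc_net_tcp(text: str) -> List[Tuple[str, int, str, int, int]]:
    """(local_ip, local_port, remote_ip, remote_port, state) for each /proc/net/tcp row."""
    rows = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        lip, lport = decode_addr(fields[1])
        rip, rport = decode_addr(fields[2])
        rows.append((lip, lport, rip, rport, int(fields[3], 16)))
    return rows

def adb_exposed(net_tcp: str) -> bool:
    """True if a listener sits on TCP 5555 on a non-loopback address (ADB over TCP is on)."""
    return any(lport == ADB_PORT and state == TCP_LISTEN and not lip.startswith("127.")
               for lip, lport, _, _, state in parse_proc_net_tcp(net_tcp))

def c2_connections(net_tcp: str, port: int = C2_PORT) -> List[Tuple[str, int]]:
    """Remote endpoints with an established session on the C2 port."""
    return [(rip, rport) for _, _, rip, rport, state in parse_proc_net_tcp(net_tcp)
            if rport == port and state == TCP_ESTABLISHED]

def live_processes() -> List[ProcInfo]:
    """Read comm and exe for every pid under /proc (root is needed to read other users' exe links)."""
    procs = []
    for d in os.listdir("/proc"):
        if not d.isdigit():
            continue
        try:
            with open(f"/proc/{d}/comm") as f:
                comm = f.read().strip()
            exe = os.readlink(f"/proc/{d}/exe")
        except OSError:
            continue  # kernel threads and processes we are not allowed to inspect
        procs.append(ProcInfo(int(d), comm, exe))
    return procs

# Constructed sample data (not captured from a real infection): an adbd listener on
# 0.0.0.0:5555 (0x15B3) and an established session to 203.0.113.7:35342 (0x8A0E).
SAMPLE_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:15B3 00000000:0000 0A 00000000:00000000 00:00000000 00000000  2000        0 8012 1 0000000000000000 100 0 0 10 0
   1: 0501A8C0:B1C2 077100CB:8A0E 01 00000000:00000000 00:00000000 00000000     0        0 8123 1 0000000000000000 20 4 30 10 -1
"""
SAMPLE_PROCS = [
    ProcInfo(1, "init", "/system/bin/init"),
    ProcInfo(812, "sh", "/system/bin/sh"),        # genuine shell
    ProcInfo(4311, "sh", "/data/local/tmp/bot"),  # renamed bot; the file name is made up
]

def report(procs: List[ProcInfo], net_tcp: str) -> List[str]:
    findings = [r for r in map(suspicious_process, procs) if r]
    if adb_exposed(net_tcp):
        findings.append(f"adbd is listening on TCP {ADB_PORT} on a non-loopback address")
    for rip, rport in c2_connections(net_tcp):
        findings.append(f"established connection to {rip}:{rport} (xlabs_v1 C2 port)")
    return findings

if __name__ == "__main__":
    if os.path.exists("/proc/net/tcp"):  # real host: read the live tables
        with open("/proc/net/tcp") as f:
            findings = report(live_processes(), f.read())
    else:                                # elsewhere: run against the constructed sample
        findings = report(SAMPLE_PROCS, SAMPLE_NET_TCP)
    print("\n".join(findings) or "no xlabs_v1 indicators found")
```

The process check relies on the fact that /proc/<pid>/exe is resolved by the kernel from the executed file and is unaffected by whatever name the bot writes into comm or argv. On a device, run the script as root through `adb shell` or a terminal app; without root, exe links of other users' processes are unreadable and those processes are skipped.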
