Mojang Studios A.I CyberSecurity Scoring
Mojang Studios
Company Information
Website: http://Minecraft.net
Employees number: 1,520
Number of followers: 60,997
NAICS: 51126
Industry Type: Computer Games
Homepage: Minecraft.net
Mojang Studios Risk Score (AI oriented)
Between 700 and 749
Mojang Studios, Computer Games
Updated: 09/06/2026
727/1000
Moderate
Ba
Current Score
727 Ba (MODERATE)
2 incidents
-18.5 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026: 727
MAY 2026: 726
APRIL 2026: 744
Cyber Attack
01 Apr 2026 • Mojang Studios
Minecraft and Offshore LC: New xlabs_v1 Botnet Targets Minecraft Servers Through ADB-Exposed Android Devices
New xlabs_v1 Botnet Targets Minecraft Servers via Exposed Android ADB Ports
724
HIGH-20
MOJOFF1777912275
A recently discovered botnet, xlabs_v1, is exploiting Android devices with exposed Android Debug Bridge (ADB) ports to launch DDoS-for-hire attacks against Minecraft game servers. Based on the Mirai malware, this operation allows paying customers to flood servers with traffic, disrupting gameplay.
The botnet targets any internet-facing device running ADB on TCP port 5555, including Android TV boxes, smart TVs, routers, and IoT hardware with ADB enabled by default. Once compromised, the malware drops a binary into `/data/local/tmp/`, executes it, and recruits the device into a botnet fleet. A specialized RakNet flood variant is used to attack Minecraft servers, with the bot binary distributed over TCP port 25565, the default Minecraft server port.
Security researchers at Hunt.io uncovered the operation in early April 2026 while monitoring bulletproof-hosting netblocks. An exposed directory on a Netherlands-based server (176.65.139[.]44) hosted by Offshore LC (AS214472) revealed the full toolkit, including ELF binaries, infection payloads, and proxy credentials. Analysis of an unstripped development build exposed the C2 domain (xlabslover[.]lol), the operator’s handle (Tadashi), and an authentication token embedded in every bot variant.
The botnet’s infrastructure is confined to a single /24 netblock, housing the C2 server, staging host, and distribution nodes. A Monero cryptomining campaign using VLTRig was also detected on the same netblock, though its connection to xlabs_v1 remains unconfirmed.
### Infection & Evasion Tactics
Once installed, the malware employs multiple stealth techniques:
- Blocks SIGINT signals to prevent interruption.
- Erases startup arguments to hide its origin.
- Decrypts strings (ChaCha20) containing C2 details.
- Masquerades as `/bin/bash` to evade process monitoring.
- Daemonizes itself, closing I/O handles to run silently.
- Kills competing malware, including a rival bot on TCP port 24936.
- Opens a fallback listener (TCP 26721) if C2 communication fails.
- Profiles bandwidth by testing upload speeds via Speedtest servers, allowing tiered pricing for DDoS customers.
Defenders are tracking indicators of compromise, including outbound connections to xlabslover[.]lol (TCP 35342) and pool[.]hashvault[.]pro, as well as suspicious files in `/data/local/tmp/arm7`. The campaign highlights the risks of unsecured ADB ports on internet-facing devices.
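The indicators listed above can be checked against device telemetry. The following is an added example, not code from the report or from Hunt.io: the indicator values are the ones quoted on this page, while the record layout, the `triage` function and the sample telemetry are constructed assumptions.

```python
# IoC values are the ones quoted in the report above; the record layout
# and the sample telemetry below are constructed for illustration.
IOC_DOMAINS = ["xlabslover[.]lol", "pool[.]hashvault[.]pro"]  # defanged as published
C2_PORT = 35342        # TCP port reported for xlabslover[.]lol
ADB_PORT = 5555        # ADB over TCP
FALLBACK_PORT = 26721  # listener the bot opens when C2 is unreachable
DROP_DIR = "/data/local/tmp/"
LOOPBACK = ("127.", "::1")


def refang(domain):
    """Turn a defanged indicator into a comparable hostname."""
    return domain.replace("[.]", ".").lower()


def triage(outbound, listeners, processes):
    """Return a list of (severity, message) findings for one device."""
    findings = []
    bad = [refang(d) for d in IOC_DOMAINS]
    for host, port in outbound:
        h = host.lower().rstrip(".")
        # Match the indicator domain itself or any subdomain of it.
        if any(h == d or h.endswith("." + d) for d in bad):
            note = " on reported C2 port" if port == C2_PORT else ""
            findings.append(("high", f"outbound to {host}:{port}{note}"))
    for addr, port in listeners:
        if port == FALLBACK_PORT:
            findings.append(("high", f"listener on TCP {port} (bot fallback port)"))
        elif port == ADB_PORT and not addr.startswith(LOOPBACK):
            findings.append(("medium", f"ADB reachable on {addr}:{port}"))
    for proc in processes:
        if proc["exe"].startswith(DROP_DIR):
            # The bot reports itself as /bin/bash, so compare name and path.
            masq = proc["name"] != proc["exe"]
            extra = f", reports itself as {proc['name']}" if masq else ""
            findings.append(("high", f"binary running from {proc['exe']}{extra}"))
    return findings


# Constructed sample telemetry for one Android TV box.
SAMPLE = {
    "outbound": [("connectivitycheck.gstatic.com", 443),
                 (refang(IOC_DOMAINS[0]), C2_PORT)],
    "listeners": [("0.0.0.0", 5555), ("0.0.0.0", 26721), ("127.0.0.1", 8080)],
    "processes": [{"name": "/bin/bash", "exe": "/data/local/tmp/arm7"},
                  {"name": "/system/bin/surfaceflinger",
                   "exe": "/system/bin/surfaceflinger"}],
}

if __name__ == "__main__":
    for severity, message in triage(**SAMPLE):
        print(f"[{severity}] {message}")
```

A hit on TCP 5555 alone only shows exposure; the drop-directory and fallback-listener checks are what distinguish an already recruited device.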
MARCH 2026: 744
FEBRUARY 2026: 744
JANUARY 2026: 760
Cyber Attack
01 Jan 2026 • Mojang Studios
Minecraft and Impact Client: Weedhack MaaS Targets Minecraft Players to Steal Credentials and Hijack Accounts
Weedhack MaaS Operation Targets Minecraft Players with Sophisticated Malware
743
CRITICAL-17
MOJIMP1780993515
Since at least January 2026, Weedhack, a Malware-as-a-Service (MaaS) operation, has been actively targeting Minecraft players with a low-cost, subscription-based toolkit designed for credential theft, cryptocurrency wallet extraction, and account hijacking. Marketed through SEO poisoning, YouTube promotions, and fake mod websites, the service lowers the barrier for novice threat actors, increasing risks for gaming communities, particularly younger users.
The malware primarily spreads via trojanized Java Archive (JAR) files disguised as popular Minecraft clients and mods, including Meteor Client, Aristois, LiquidBounce, and Impact Client. Upon execution, it hides under javaw.exe, decrypts Ethereum JSON-RPC endpoints, and uses smart contracts to dynamically retrieve command-and-control (C2) servers, complicating takedown efforts. Researchers identified 32 distinct JSON-RPC endpoints, over 3,820 malicious JAR samples, and 240+ distribution URLs linked to the campaign.
Weedhack employs multi-stage attacks, using JNIC obfuscation to evade reverse engineering. Initial reconnaissance gathers system metadata, installed software, and attempts to bypass Windows Defender. Subsequent payloads steal browser credentials, Discord tokens, Steam and Telegram logins, and Minecraft session data, enabling account takeovers without password disclosure.
The service offers tiered subscriptions, with a free version supporting credential theft, wallet targeting, and screenshot capture. Premium tiers (starting at ~$5/month) add remote-access features like keylogging, screen sharing, file management, reverse shells, and webcam monitoring. A customer dashboard provides malware builders, tutorials, and leaderboards, gamifying infections, reportedly amassing over 116,000 hits.
Researchers found evidence of misuse for harassment and cyberbullying, including the sharing of webcam footage in criminal forums. Many customers appear to be teenagers or young adults, exacerbating risks in youth-centered gaming communities. The operation’s professional-looking distribution sites and decentralized infrastructure further amplify its reach.
Defenders are advised to treat Java-based gaming software as high-risk vectors, as Weedhack’s obfuscation and blockchain-driven C2 evade traditional signature-based detection. Mitigation strategies include sandboxing mod files, enforcing least-privilege Java policies, and blocking known malicious domains and JSON-RPC endpoints.
DECEMBER 2025: 760
NOVEMBER 2025: 760
OCTOBER 2025: 760
SEPTEMBER 2025: 760
AUGUST 2025: 760
JULY 2025: 760