New xlabs_v1 Botnet Targets Minecraft Servers via Exposed Android ADB Ports A recently discovered botnet, xlabs_v1, is exploiting Android devices with exposed Android Debug Bridge (ADB) ports to launch DDoS-for-hire attacks against Minecraft game servers. Based on the Mirai malware, this operation allows paying customers to flood servers with traffic, disrupting gameplay. The botnet targets any internet-facing device running ADB on TCP port 5555, including Android TV boxes, smart TVs, routers, and IoT hardware with ADB enabled by default. Once compromised, the malware drops a binary into `/data/local/tmp/`, executes it, and recruits the device into a botnet fleet. A specialized RakNet flood variant is used to attack Minecraft servers, with the bot binary distributed over TCP port 25565, the default Minecraft server port. Security researchers at Hunt.io uncovered the operation in early April 2026 while monitoring bulletproof-hosting netblocks. An exposed directory on a Netherlands-based server (176.65.139[.]44) hosted by Offshore LC (AS214472) revealed the full toolkit, including ELF binaries, infection payloads, and proxy credentials. Analysis of an unstripped development build exposed the C2 domain (xlabslover[.]lol), the operator’s handle (Tadashi), and an authentication token embedded in every bot variant. The botnet’s infrastructure is confined to a single /24 netblock, housing the C2 server, staging host, and distribution nodes. A Monero cryptomining campaign using VLTRig was also detected on the same netblock, though its connection to xlabs_v1 remains unconfirmed. ### Infection & Evasion Tactics Once installed, the malware employs multiple stealth techniques: - Blocks SIGINT signals to prevent interruption. - Erases startup arguments to hide its origin. - Decrypts strings (ChaCha20) containing C2 details. - Masquerades as `/bin/bash` to evade process monitoring. - Daemonizes itself, closing I/O handles to run silently. - Kills competing malware, including a rival bot on TCP port 24936. - Opens a fallback listener (TCP 26721) if C2 communication fails. - Profiles bandwidth by testing upload speeds via Speedtest servers, allowing tiered pricing for DDoS customers. Defenders are tracking indicators of compromise, including outbound connections to xlabslover[.]lol (TCP 35342) and pool[.]hashvault[.]pro, as well as suspicious files in `/data/local/tmp/arm7`. The campaign highlights the risks of unsecured ADB ports on internet-facing devices.