New “xlabs_v1” Botnet Hijacks Android Devices to Crush Minecraft Servers

In a throwback to the original 2016 Mirai attacks, a new botnet dubbed xlabs_v1 has emerged with a singular, aggressive focus: knocking Minecraft servers offline. Identified in early April 2026 by researchers at Hunt.io, this botnet is a modified version of the Mirai malware, sold as a “DDoS-for-hire” service to help paying customers disrupt rival game communities.

Unlike typical botnets that target weak Telnet passwords, xlabs_v1 hunts for Android Debug Bridge (ADB) ports left exposed to the internet. By turning smart TVs and set-top boxes into “zombies,” it creates a massive fleet of devices capable of launching specialized high-volume attacks.


The Target: Port 5555 and the ADB Gateway

The botnet scans the internet for devices running ADB on TCP port 5555. This port is often left open by default on cheaper Android TV boxes, smart TVs, and residential routers.

The Infection Chain:

  1. Entry: The attacker connects to the open ADB port—no password required.
  2. Payload: A bot binary (often named arm7) is silently dropped into the /data/local/tmp/ directory.
  3. Masquerade: Once executed, the bot changes its process name to /bin/bash to hide in plain sight from system administrators.
  4. Enlistment: The device connects to the C2 server at xlabslover[.]lol and awaits attack commands.

Weaponized for Gaming: The RakNet Flood

What makes xlabs_v1 particularly dangerous for gamers is its specialized toolkit. It includes a dedicated flood variant for RakNet, the networking protocol used extensively by Minecraft (specifically the Bedrock edition) and other online games.

By mimicking legitimate game traffic, the botnet can bypass many standard “dumb” DDoS filters. In a cheeky nod to its targets, the distribution infrastructure even hosts the malware on TCP port 25565, the default port for Minecraft servers worldwide.


Inside the Operator’s Toolkit

Thanks to a major operational security (OpSec) error, researchers were able to access the operator’s unauthenticated staging server. The operator, who goes by the handle Tadashi, left behind a complete toolkit:

  • Anti-Rival Routine: The bot proactively kills competing malware on infected devices to ensure it has sole control over the hardware’s resources.
  • Bandwidth Profiling: Upon infection, the bot runs a Speedtest to measure the device’s upload speed. This allows the operator to “tier” their service, charging more for high-bandwidth bots.
  • Persistence: If the primary connection to the C2 server fails, the bot uses iptables to punch a hole through the device’s firewall, creating a permanent back-channel for the attacker.

How to Defend Your Devices

As of May 2026, the botnet is actively expanding. To ensure your IoT hardware isn’t used to take down your favorite game server, follow these steps:

  1. Disable ADB: Check your Android TV or IoT device settings. If “Developer Options” or “ADB Debugging” is on, turn it off unless you are actively using it.
  2. Firewall Port 5555: Ensure your home router is not forwarding port 5555 to any internal devices.
  3. Check for “Bash” without a Shell: For technical users, use a process monitor to look for /bin/bash running without a controlling terminal—this is a classic sign of xlabs_v1.
  4. Monitor Outbound Traffic: Block any connections to the domain xlabslover[.]lol or the cryptomining pool pool[.]hashvault[.]pro.
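The infection-chain indicators above (the arm7 payload in /data/local/tmp/, the bot masquerading as /bin/bash, the call-out to xlabslover[.]lol) map directly onto defense steps 2 to 4. The following Python script is an added example written for this article, not code from Hunt.io or from the malware analysis; it triages command output a device owner has already captured (for instance over a local adb shell on their own TV box) and flags each indicator. The column layout of the ps and netstat output, the exe_map argument (a dict of PID to the resolved /proc/PID/exe target), the TRUSTED_SHELL_DIRS list and all sample input are assumptions constructed for illustration.

```python
"""Host-side triage for the xlabs_v1 indicators described in the article.

Hypothetical helper (not part of the Hunt.io research or any vendor tool):
parses previously captured command output and flags the listed indicators.
All sample inputs below are constructed for illustration.
"""
import re

# Indicators from the article, with defanged "[.]" normalised to "."
C2_DOMAINS = {"xlabslover.lol", "pool.hashvault.pro"}
ADB_PORT = 5555
DROP_DIR = "/data/local/tmp"
PAYLOAD_NAME = "arm7"
# Where a genuine bash binary is expected to live (assumption for this example)
TRUSTED_SHELL_DIRS = ("/bin/", "/usr/bin/", "/system/bin/")


def bash_without_tty(ps_output, exe_map=None):
    """Return PIDs of processes presenting as bash with no controlling terminal.

    Expects `ps -A -o pid,tty,comm,args` style rows after a header line (assumed
    format). If exe_map (PID -> resolved /proc/<pid>/exe target) is supplied, a
    process that claims to be /bin/bash but runs from elsewhere is flagged even
    when it does have a terminal, since a renamed process name is the indicator.
    """
    hits = []
    for row in ps_output.strip().splitlines()[1:]:
        parts = row.split(None, 3)
        if len(parts) < 3:
            continue
        pid, tty, comm = int(parts[0]), parts[1], parts[2]
        args = parts[3] if len(parts) == 4 else ""
        looks_like_bash = comm in ("bash", "/bin/bash") or args.split()[:1] == ["/bin/bash"]
        if not looks_like_bash:
            continue
        exe = (exe_map or {}).get(pid)
        masquerading = exe is not None and not exe.startswith(TRUSTED_SHELL_DIRS)
        if tty == "?" or masquerading:
            hits.append(pid)
    return hits


def adb_port_listening(socket_listing):
    """True if any TCP socket is in LISTEN state on ADB_PORT.

    Accepts `netstat -ltn` or `ss -ltn` style rows (assumed format); the local
    address may be 0.0.0.0:5555, :::5555, [::]:5555 or *:5555.
    """
    pattern = re.compile(r"[:.]%d(?=\s|$)" % ADB_PORT)
    return any("LISTEN" in row and pattern.search(row) for row in socket_listing.splitlines())


def c2_lookups(dns_log_lines):
    """Return (line_number, domain) pairs for queries to known xlabs_v1 infrastructure.

    Subdomains of a listed domain count; a longer name that merely ends with the
    listed domain (e.g. notxlabslover.lol) does not.
    """
    found = []
    for n, line in enumerate(dns_log_lines, 1):
        clean = line.replace("[.]", ".").lower()
        for domain in C2_DOMAINS:
            if re.search(r"(?<![\w-])" + re.escape(domain) + r"(?![\w-])", clean):
                found.append((n, domain))
    return found


def payload_in_drop_dir(listing):
    """Return paths inside DROP_DIR whose basename matches the reported payload name."""
    return [p for p in listing
            if p.startswith(DROP_DIR + "/") and p.rsplit("/", 1)[-1] == PAYLOAD_NAME]


def triage(ps_output, socket_listing, dns_log_lines, drop_dir_listing, exe_map=None):
    """Run every check and return one findings dict; empty or False means nothing seen."""
    return {
        "bash_without_tty": bash_without_tty(ps_output, exe_map),
        "adb_port_listening": adb_port_listening(socket_listing),
        "c2_lookups": c2_lookups(dns_log_lines),
        "payload_files": payload_in_drop_dir(drop_dir_listing),
    }


# Constructed sample inputs (not real device output)
SAMPLE_PS = """\
PID   TTY   COMM   ARGS
1     ?     init   /init
1337  ?     bash   /bin/bash
2048  pts/0 bash   /bin/bash -l
3001  ?     sshd   /usr/sbin/sshd -D
"""
SAMPLE_EXE = {1337: "/data/local/tmp/arm7", 2048: "/bin/bash"}
SAMPLE_SOCKETS = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:5555            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
"""
SAMPLE_DNS = [
    "2026-05-02T10:00:01Z query A tv-box.lan -> xlabslover[.]lol",
    "2026-05-02T10:00:05Z query A tv-box.lan -> cdn.example.com",
    "2026-05-02T10:00:09Z query A tv-box.lan -> pool.hashvault.pro",
]
SAMPLE_DROP_DIR = ["/data/local/tmp/arm7", "/data/local/tmp/perfd-trace.log"]

if __name__ == "__main__":
    for name, finding in triage(SAMPLE_PS, SAMPLE_SOCKETS, SAMPLE_DNS,
                                SAMPLE_DROP_DIR, SAMPLE_EXE).items():
        print(f"{name}: {finding}")
```

A bash process with no controlling terminal is not proof of infection on its own (init scripts and cron jobs produce them too), which is why the exe_map check matters: a process whose name says /bin/bash but whose executable resolves into /data/local/tmp is the masquerade the article describes, regardless of whether it holds a terminal.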
