Mirai-Based xlabs_v1 Botnet Exploits ADB to Hijack IoT Devices for DDoS Attacks

Researchers at Hunt.io have identified xlabs_v1, a new botnet derived from Mirai malware that exploits unprotected Android Debug Bridge (ADB) ports to compromise IoT devices and Android systems for large-scale DDoS operations.

The botnet targets internet-exposed ADB interfaces, which default to port 5555 and often lack authentication when left accessible on public networks. Once xlabs_v1 gains access to a device, it installs malicious code that enrolls the compromised system into a botnet network. The botnet then coordinates infected devices to launch distributed denial-of-service attacks against targeted infrastructure.

Hunt.io discovered the campaign after finding an exposed command and control directory hosted on a Netherlands-based server. The exposure revealed details about the botnet's operations and victim devices, including Android phones, tablets, and IoT boxes running unpatched or poorly configured ADB services.

Mirai-based botnets remain effective because they leverage the same tactics that made the original Mirai dangerous in 2016. They scan for internet-facing services with weak or default configurations, exploit them to gain initial access, and rapidly propagate across vulnerable devices. xlabs_v1 demonstrates that threat actors continue updating Mirai variants to target emerging device categories and attack vectors.

Organizations and individuals running Android devices or IoT systems should disable ADB access on production devices, restrict ADB to local networks only, and implement strong authentication if remote access is necessary. Device owners should apply security updates promptly and change default credentials on all networked systems. Network administrators should monitor for suspicious outbound connections from IoT devices and block unnecessary external access to debug services through firewall rules.

The discovery underscores how legacy vulnerabilities and misconfigurations persist across millions of devices globally. Even well-known attack patterns continue generating botnets large enough to conduct meaningful