xlabs_v1

Operator scans IP ranges for ADB on TCP/5555 prior to infection.

Infection vector is Android Debug Bridge on TCP/5555... any internet-exposed device running ADB is a potential target.

...the botnet engineered to receive an attack command from the operator's panel ('xlabslover[.]lol') and generate a flood of junk traffic on demand...

Execution T1059 T1059.004 Unix Shell Nine payload one-liners pasted into adb shell.

Execution T1106 T1106 Native API execve() for binary update/restart and self-rerun via /proc/self/exe.

Persistence T1205 T1205 Traffic Signaling Bot listens on TCP/26721 for inbound operator re-entry when outbound C2 fails.

The production ARM32 binary was UPX-packed and stripped.

Sensitive strings are stored encrypted in .rodata and decrypted on startup... The same key, the twelve-byte nonce... are reused across all sixteen decryption calls.

...and masks itself as /bin/bash to evade casual inspection.

argv[0] is overwritten with the decrypted /bin/bash, a prctl call to set the kernel comm field updates the kernel's comm field

Once installed, the bot hides infection tags... It also kills competing botnets by scanning /proc, terminating rival processes, and removing malware on port 24936.

Defense Evasion T1070 T1070.004 File Deletion Every payload one-liner runs rm -rf * before installing the bot.

Persistence T1205 T1205 Traffic Signaling Bot listens on TCP/26721 for inbound operator re-entry when outbound C2 fails.

This assessment is based on the presence of a bandwidth-profiling routine that collects victim bandwidth and geolocation. This component opens 8,192 parallel TCP sockets to the geographically nearest Speedtest server... and reports the measured data transfer rate back to the panel.

setsid + close(0/1/2) detaches from any TTY and suppresses output.

It first blocks the SIGINT signal to stop the launching process from interrupting it, captures an infection-vector tag from a startup argument, and then zeros that argument so it cannot be seen in standard process listings.

Defense Evasion T1222 T1222.002 Linux Permissions chmod +x arm7 sets the executable bit before launching.

It also kills competing botnets by scanning /proc, terminating rival processes, and removing malware on port 24936.

CPU count, RAM size, hostname collected for C2 registration.

This assessment is based on the presence of a bandwidth-profiling routine that collects victim bandwidth and geolocation. This component opens 8,192 parallel TCP sockets to the geographically nearest Speedtest server... and reports the measured data transfer rate back to the panel.

...targets internet-exposed devices running Android Debug Bridge (ADB)... any gear that comes with the tool enabled by default... could be a potential target.

A new Mirai-derived botnet called xlabs_v1 is hijacking internet-exposed devices running Android Debug Bridge (ADB) ... Delivered through ADB exploits, the ARMv7 bot targets Android TVs, set-top boxes, and IoT hardware.

The bandwidth-profiling routine measures the victim's upstream bandwidth and reports the result to the panel.

Sensitive strings, including the C2 domain xlabslover.lol, the operator handle Tadashi, and the agent tag xlabs_v1, are encrypted with ChaCha20 but easily recovered due to key reuse.

If outbound C2 fails, the bot falls through to a SOCKS-style fallback listener on TCP/26721

Its command-and-control uses a custom TCP protocol, supporting bandwidth probes, updates, self-restart, and attack dispatch.

...falls back to a firewall-punching SOCKS-style listener on TCP/26721... The directory held about 200 KB of data, including ... a SOCKS5 proxy...

If the outbound connection fails, it opens a fallback listener on TCP port 26721, punching through the firewall using five different iptables paths to keep the operator’s re-entry channel open.

Besides an Android APK ('boot.apk'), the malware supports multi-architecture builds... The bot is statically-linked ARMv7... and is delivered through ADB-shell pastes into /data/local/tmp...

Persistence T1205 T1205 Traffic Signaling Bot listens on TCP/26721 for inbound operator re-entry when outbound C2 fails.

For resilience, xlabs_v1 resolves its C2 via OpenNIC...

The C2 domain is resolved first via OpenNIC root nameservers... and only via the system resolver as a fallback.

C2 on TCP/35342, fallback on TCP/26721, distribution on multiple non-standard ports.

The killer subsystem SIGKILLs competing bots; the rival-port-eviction routine targets port 24936.

It includes 21 flood techniques across TCP, UDP, and raw protocols... Its core function is to receive attack commands and launch one of 21 flood variants, many aimed at game servers, including RakNet floods for Minecraft and OpenVPN-shaped UDP traffic to evade filters.

21 flood variants across TCP, UDP, and raw protocols, including RakNet and OpenVPN-shaped UDP

The botnet is a modified version of the well-known Mirai malware, sold as a DDoS-for-hire service that lets paying customers flood game servers with traffic to take them offline. The botnet focuses on game-server disruption, with a dedicated RakNet flood variant built specifically to attack Minecraft servers...

Service Exhaustion connection-exhaustion socket floods that hold open large connection counts.

xlabs_v1 also features a 'killer' subsystem to terminate competitors so that it can usurp the victim device's full upstream bandwidth to itself and use it to carry out the DDoS attack.

Before establishing C2 communication, xlabs_v1 scans running processes and kills any competing malware it finds, including a hard-coded rival bot at TCP port 24936.