New Mirai-Based Botnet 'xlabs_v1' Targets Android Devices for DDoS-for-Hire
Cybersecurity researchers have uncovered a new botnet, dubbed **xlabs_v1**, derived from the infamous **Mirai** malware. It targets Android devices that expose the Android Debug Bridge (ADB) to the internet and enrolls them in a network used to launch distributed denial-of-service (DDoS) attacks sold as a DDoS-for-hire service.

**Hunt.io** discovered the botnet after finding an open directory, reachable without any authentication, on a server hosted in the Netherlands (IP address 176.65.139[.]44).
### DDoS Capabilities
The **xlabs_v1** malware implements "21 flood variants across TCP, UDP, and raw protocols, including RakNet and OpenVPN-shaped UDP," according to Hunt.io. Shaping flood packets to resemble legitimate game or VPN traffic is intended to slip past common DDoS filtering, which makes the bot particularly effective against game servers and **Minecraft** hosts.
### Targeting Android Devices via ADB
A key feature of **xlabs_v1** is its focus on Android devices with ADB exposed on TCP port 5555. Devices such as Android TV boxes, set-top boxes, and smart TVs that ship with network ADB enabled are affected: an ADB service that does not enforce key-based authorization gives anyone who can reach the port a shell on the device. The malware includes an Android APK ("boot.apk") and is built for several architectures (ARM, MIPS, x86-64, and ARC), indicating that residential routers and other IoT devices are targets as well.
### DDoS-for-Hire Operation
The bot receives attack commands from a control panel (xlabslover[.]lol) and generates the flood traffic. Hunt.io notes that the bot is a statically linked ARMv7 binary that runs on stripped-down Android firmware and is delivered by pasting commands into an ADB shell, which drops it into /data/local/tmp.
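The exposure that both the ADB-targeting and the delivery channel above depend on is an ADB daemon that answers a CONNECT handshake without demanding key authorization. As an added example, not code from Hunt.io's report or from the malware, the following Python builds the ADB protocol's CNXN message and classifies a device's reply, which is how a defender can check whether a box on their own network is reachable on 5555 without authorization. The message layout and constants come from the public ADB wire protocol; the sample replies are constructed for the offline test, and the network probe's host, port, and timeout are assumptions.

```python
import socket
import struct

# ADB wire-protocol constants (public AOSP protocol; commands are 4 ASCII
# bytes read as a little-endian uint32).
A_CNXN = 0x4E584E43      # "CNXN": connect / handshake
A_AUTH = 0x48545541      # "AUTH": device demands RSA key authorization
A_VERSION = 0x01000000   # protocol version carried in arg0 of CNXN
A_MAXDATA = 256 * 1024   # max payload we accept, carried in arg1 of CNXN
HEADER_LEN = 24          # six little-endian uint32 fields


def build_message(command, arg0, arg1, payload=b""):
    """Serialize one ADB message: header (command, arg0, arg1, length,
    checksum, magic) followed by the payload. The checksum is the byte sum
    of the payload and magic is the bitwise complement of the command."""
    checksum = sum(payload) & 0xFFFFFFFF
    magic = command ^ 0xFFFFFFFF
    header = struct.pack("<6I", command, arg0, arg1, len(payload), checksum, magic)
    return header + payload


def parse_message(data):
    """Parse a complete ADB message, validating magic, length and checksum.
    Returns (command, arg0, arg1, payload)."""
    if len(data) < HEADER_LEN:
        raise ValueError("short ADB header")
    command, arg0, arg1, length, checksum, magic = struct.unpack("<6I", data[:HEADER_LEN])
    if magic != command ^ 0xFFFFFFFF:
        raise ValueError("bad ADB magic")
    payload = data[HEADER_LEN:HEADER_LEN + length]
    if len(payload) != length:
        raise ValueError("truncated ADB payload")
    if (sum(payload) & 0xFFFFFFFF) != checksum:
        raise ValueError("bad ADB checksum")
    return command, arg0, arg1, payload


def classify_reply(data):
    """Map the device's answer to our CNXN into a verdict: a CNXN back means
    the shell is open to anyone, an AUTH means key authorization is enforced."""
    command, _, _, payload = parse_message(data)
    if command == A_CNXN:
        banner = payload.rstrip(b"\x00").decode("utf-8", errors="replace")
        return "open", banner
    if command == A_AUTH:
        return "auth-required", ""
    return "unknown", ""


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed connection")
        buf += chunk
    return buf


def probe_adb(host, port=5555, timeout=3.0):
    """Send a CNXN to host:port and classify the reply. Host, port and
    timeout are assumptions; only run this against devices you own or are
    authorized to test."""
    hello = build_message(A_CNXN, A_VERSION, A_MAXDATA, b"host::\x00")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(hello)
        header = _recv_exact(sock, HEADER_LEN)
        length = struct.unpack("<I", header[12:16])[0]
        return classify_reply(header + _recv_exact(sock, length))


# Constructed sample replies (not captured traffic) so the logic runs offline.
SAMPLE_OPEN_REPLY = build_message(
    A_CNXN, A_VERSION, A_MAXDATA,
    b"device::ro.product.name=example_tvbox;ro.product.model=TVBOX\x00")
SAMPLE_AUTH_REPLY = build_message(A_AUTH, 1, 0, b"\x00" * 20)  # arg0=1: AUTH TOKEN

if __name__ == "__main__":
    print(classify_reply(SAMPLE_OPEN_REPLY))  # -> ('open', 'device::ro.product.name=example_tvbox;ro.product.model=TVBOX')
    print(classify_reply(SAMPLE_AUTH_REPLY))  # -> ('auth-required', '')
```

A device that answers "open" is exactly what the bot looks for; on such boxes the fix is to stop adbd from listening on TCP (or at least to keep port 5555 off the internet and any guest network), since key authorization cannot be retrofitted onto a firmware that does not enforce it.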
### Bandwidth Tiering and Pricing
Evidence suggests that the DDoS-for-hire service uses bandwidth-tiered pricing. The bot includes a bandwidth-profiling routine that collects the victim's bandwidth and geolocation: it opens 8,192 parallel TCP sockets to the nearest Speedtest server, saturates them for 10 seconds, and reports the measured transfer rate back to the panel, which then assigns the compromised device to a pricing tier offered to customers.
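The profiling burst described above is loud from a network vantage point: one internal host opening thousands of connections to a single destination within seconds. As an added example, not from Hunt.io's report, here is a detection that runs over Zeek-style conn.log lines using a sliding-window count of new connections per (source, destination, port). The log lines, the internal addresses, and the Speedtest server address and port (8080) are constructed for the example, and the threshold is an assumption to tune per environment.

```python
from collections import defaultdict, deque


def constructed_conn_log():
    """Constructed Zeek conn.log-style records (ts, id.orig_h, id.resp_h, id.resp_p),
    not real telemetry: one Android box (10.0.0.23) opens 8,192 connections to a
    single server within ten seconds while another host browses normally."""
    lines = ["#fields\tts\tid.orig_h\tid.resp_h\tid.resp_p"]
    for i in range(8192):  # the profiling routine's 8,192 parallel sockets
        lines.append(f"{1700000000 + i * 10 / 8192:.3f}\t10.0.0.23\t203.0.113.10\t8080")
    for i in range(20):    # benign background traffic, interleaved in time
        lines.append(f"{1700000000 + i * 0.5:.3f}\t10.0.0.5\t198.51.100.{i % 4}\t443")
    return "\n".join(lines)


def parse_conn_lines(text):
    """Parse tab-separated conn.log lines into (ts, orig_h, resp_h, resp_p),
    skipping Zeek header lines, and return them sorted by time."""
    flows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, orig_h, resp_h, resp_p = line.split("\t")
        flows.append((float(ts), orig_h, resp_h, int(resp_p)))
    flows.sort(key=lambda f: f[0])
    return flows


def detect_connection_bursts(flows, threshold=1000, window=10.0):
    """Sliding-window count of new connections per (orig_h, resp_h, resp_p).
    Fires once per key as soon as `threshold` connections fall inside
    `window` seconds; returns {key: {first_seen, fired_at, count}}."""
    recent = defaultdict(deque)
    alerts = {}
    for ts, orig_h, resp_h, resp_p in flows:
        key = (orig_h, resp_h, resp_p)
        times = recent[key]
        times.append(ts)
        while times and ts - times[0] > window:   # drop connections older than the window
            times.popleft()
        if len(times) >= threshold and key not in alerts:
            alerts[key] = {"first_seen": times[0], "fired_at": ts, "count": len(times)}
    return alerts


if __name__ == "__main__":
    for key, info in detect_connection_bursts(parse_conn_lines(constructed_conn_log())).items():
        print(f"burst: {key[0]} -> {key[1]}:{key[2]}, {info['count']} connections "
              f"in {info['fired_at'] - info['first_seen']:.2f}s")
```

The rule keys on connection count rather than bytes, so it also catches the probe when the uplink is too slow to move much data; pairing it with the flow byte counters would add the "saturates for 10 seconds" half of the behaviour as a second signal. A threshold of 1,000 in ten seconds is far above what a TV box does on its own, but a NAT gateway aggregating many clients needs a higher value or a per-source check behind the NAT.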
### Lack of Persistence
Notably, the bot has no persistence mechanism: it does not write itself to disk beyond the initial drop, modify init scripts, create systemd units, or register cron jobs, so a reboot clears the infection. Hunt.io reads this as the operator treating bandwidth profiling as an infrequent fleet-tier update and simply re-infecting devices through the same exposed ADB channel when needed.
### Competitor Elimination
**xlabs_v1** also includes a "killer" subsystem designed to terminate competing botnets, allowing it to monopolize the victim's upstream bandwidth for its own DDoS attacks. The threat actor behind the malware is known as "Tadashi," based on an encrypted string found in every build of the bot.
### Potential Link to Monero Mining
Further analysis of the infrastructure revealed a **VLTRig** Monero-mining toolkit on a co-located host (176.65.139[.]42), although it's unclear if the same actor is responsible for both activities.
### Threat Level
Hunt.io assesses **xlabs_v1** as a mid-tier threat, more sophisticated than basic **Mirai** forks but less advanced than top-tier DDoS-for-hire operations. The operator focuses on competitive pricing and attack variety, targeting consumer IoT devices, residential routers, and small game-server operators.
### Jenkins Honeypot Attack
In related news, **Darktrace** reported that a misconfigured **Jenkins** instance in its honeypot network was targeted by unknown actors who deployed a DDoS botnet downloaded from a remote server (103.177.110[.]202), while attempting to evade detection. This incident underscores the ongoing threat to the gaming industry and the importance of implementing appropriate mitigations.