A new Mirai-derived botnet called xlabs_v1 is drawing attention in the cybersecurity community after an active campaign against internet-exposed IoT devices was detected. Researchers found that it abuses Android Debug Bridge (ADB) services exposed on TCP port 5555 to take over devices and enlist them in large DDoS attacks.
The malware specifically targets:
- Android TV Boxes
- Smart TVs
- Residential routers
- Set-top boxes
- IoT devices with ADB enabled by default
According to researchers at Hunt.io, the botnet operators accidentally left an unauthenticated server exposed, which allowed the full attack infrastructure to be analyzed. Binaries for multiple architectures (ARM, MIPS, x86-64 and ARC) were found on it, showing that the campaign is built to infect a wide range of connected devices.
How the Attack Works
The botnet scans the internet for devices with TCP port 5555 open. An ADB daemon listening on that port without key authorization accepts any client and hands it a shell on the device, so no software vulnerability needs to be exploited. Once a reachable system is detected:
- It attempts to connect via ADB.
- It downloads the malicious payload.
- It installs the persistent malware.
- The device becomes part of a remotely controlled botnet network.
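To see what the scanner's first step looks like on the wire, here is an added example (not code from the Hunt.io report or from the botnet) that sends the ADB CNXN handshake to a host and reports whether the device answered without asking for key authorization. The command constants and the 24-byte header layout follow the public ADB wire protocol; the client identity string, the lab address in the usage stub and the verdict labels are assumptions made for this example. Run it only against devices you own.

```python
import socket
import struct

# ADB commands are the four ASCII letters read as a little-endian 32-bit integer.
A_CNXN = 0x4E584E43   # "CNXN": connection handshake
A_AUTH = 0x48545541   # "AUTH": device demands RSA key authorization
A_VERSION = 0x01000000
MAX_PAYLOAD = 4096
HEADER_FMT = "<6I"    # command, arg0, arg1, data_length, data_check, magic
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 24 bytes


def adb_checksum(data: bytes) -> int:
    """ADB's data_check field is a plain sum of the payload bytes, not a CRC."""
    return sum(data) & 0xFFFFFFFF


def build_message(command: int, arg0: int, arg1: int, data: bytes = b"") -> bytes:
    """Serialize one ADB message: 24-byte header followed by the payload."""
    header = struct.pack(HEADER_FMT, command, arg0, arg1, len(data),
                         adb_checksum(data), command ^ 0xFFFFFFFF)
    return header + data


def build_cnxn(identity: bytes = b"host::adb-audit\x00") -> bytes:
    """The client-side CNXN a scanner sends first; the identity string is an assumed value."""
    return build_message(A_CNXN, A_VERSION, MAX_PAYLOAD, identity)


def parse_message(raw: bytes) -> dict:
    """Decode one ADB message, rejecting anything whose magic or checksum is wrong."""
    if len(raw) < HEADER_LEN:
        raise ValueError("short header")
    command, arg0, arg1, length, check, magic = struct.unpack(HEADER_FMT, raw[:HEADER_LEN])
    if magic != command ^ 0xFFFFFFFF:
        raise ValueError("magic mismatch: not an ADB message")
    data = raw[HEADER_LEN:HEADER_LEN + length]
    if len(data) != length:
        raise ValueError("truncated payload")
    if adb_checksum(data) != check:
        raise ValueError("checksum mismatch")
    return {"command": command, "arg0": arg0, "arg1": arg1, "data": data}


def classify_response(raw: bytes) -> str:
    """Map the device's first reply to an audit verdict (labels are this example's own)."""
    try:
        msg = parse_message(raw)
    except ValueError:
        return "not-adb"
    if msg["command"] == A_CNXN:
        # The device completed the handshake without asking for a key: anyone can run
        # 'adb shell' against it, which is exactly the condition the botnet relies on.
        return "unauthenticated-adb"
    if msg["command"] == A_AUTH:
        return "adb-key-auth"
    return "unknown-adb"


def recv_message(sock: socket.socket) -> bytes:
    """Read exactly one ADB message: the header, then the payload the header announces."""
    buf = b""
    while len(buf) < HEADER_LEN:
        chunk = sock.recv(HEADER_LEN - len(buf))
        if not chunk:
            return buf
        buf += chunk
    length = struct.unpack(HEADER_FMT, buf)[3]
    while len(buf) < HEADER_LEN + length:
        chunk = sock.recv(HEADER_LEN + length - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def probe(host: str, port: int = 5555, timeout: float = 3.0) -> str:
    """Connect to host:port, send CNXN and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_cnxn())
        return classify_response(recv_message(sock))


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.50.20"  # assumed lab address
    print(target, probe(target))
```

A device that answers "unauthenticated-adb" is one the botnet can take over with nothing more than the stock adb client; "adb-key-auth" still means ADB is reachable and should be firewalled, but at least a key is required. The same probe, run from the LAN after disabling ADB on a device, confirms that the remediation actually took effect.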
The threat incorporates 21 DDoS flood variants across TCP, UDP and raw-socket protocols, including techniques aimed specifically at game servers and Minecraft hosts.
The researchers also observed profiling functions that collect:
- available bandwidth,
- geolocation,
- connection quality,
suggesting a “DDoS-for-hire” model with tiered pricing based on the capacity of each infected bot.
Why Mirai Is Still So Dangerous
The Mirai malware first appeared in 2016 and marked a turning point in IoT security. Since its source code was published, numerous variants have emerged, each capable of compromising millions of insecure devices worldwide.
One of the biggest ongoing problems is the poor factory configuration of many IoT devices. Academic studies have shown that numerous devices are still shipped and deployed with:
- weak credentials,
- unnecessary services enabled,
- exposed ports,
- outdated firmware.
In this case, ADB enabled by default and reachable from the network is the critical attack vector.
Impact for Users and Businesses
While many people associate DDoS attacks only with large corporations, any compromised device can:
- consume bandwidth,
- degrade home networks,
- participate in criminal attacks,
- serve as an entry point for additional threats.
Furthermore, in corporate environments, a compromised IoT device can become a pivot point into the internal network.
Security Recommendations
To reduce the risk of infection, specialists recommend:
- Disabling ADB if not necessary.
- Blocking TCP port 5555 from the internet.
- Changing default credentials.
- Updating firmware regularly.
- Segmenting IoT devices on separate networks.
- Monitoring for anomalous outgoing traffic.
- Avoiding devices without manufacturer security support.
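Of the recommendations above, the monitoring point is the one most often skipped. The following is an added example, not from the source article, of detection logic run over connection logs: it flags inbound connections to TCP/5555 on the IoT segment (the firewall rule above is not working) and an IoT host fanning out to many external destinations within a minute (the device is probably flooding on command). The network ranges, the log line format, the threshold and the sample lines are all constructed for this example; adapt them to your own firewall or flow export.

```python
import ipaddress
from collections import defaultdict

# Assumed network layout for this example: the IoT segment and what counts as "inside".
IOT_NET = ipaddress.ip_network("192.168.50.0/24")
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ADB_PORT = 5555
WINDOW_SECONDS = 60
FANOUT_THRESHOLD = 50   # distinct external destinations per host per window; tune to your baseline


def is_internal(addr) -> bool:
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str) -> dict:
    """Parse a constructed 'ts src:sport dst:dport proto bytes' record."""
    ts, src, dst, proto, nbytes = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return {"ts": int(ts), "src": ipaddress.ip_address(sip), "sport": int(sport),
            "dst": ipaddress.ip_address(dip), "dport": int(dport),
            "proto": proto, "bytes": int(nbytes)}


def inbound_adb_hits(records):
    """Connections from outside the internal ranges to TCP/5555 on the IoT segment.
    Any such record means ADB is reachable from the internet despite the firewall."""
    return [r for r in records
            if r["proto"] == "tcp" and r["dport"] == ADB_PORT
            and r["dst"] in IOT_NET and not is_internal(r["src"])]


def outbound_fanout(records):
    """IoT hosts contacting many distinct external destinations within one window.
    A TV box has no reason to talk to dozens of game servers per minute; a bot
    running a flood does exactly that."""
    seen = defaultdict(set)
    for r in records:
        if r["src"] in IOT_NET and not is_internal(r["dst"]):
            seen[(r["src"], r["ts"] // WINDOW_SECONDS)].add(r["dst"])
    return sorted((str(src), win * WINDOW_SECONDS, len(dsts))
                  for (src, win), dsts in seen.items() if len(dsts) >= FANOUT_THRESHOLD)


# Constructed sample log (not real traffic); 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
SAMPLE_LOG = [
    "1700000000 198.51.100.7:43122 192.168.50.20:5555 tcp 88",     # internet scanner reaches ADB
    "1700000001 198.51.100.7:43123 192.168.50.20:5555 tcp 4096",   # payload delivered
    "1700000002 192.168.50.1:51000 192.168.50.20:5555 tcp 88",     # LAN admin, not flagged
    "1700000005 192.168.50.20:5555 198.51.100.7:43123 tcp 2048",   # device's reply to the scanner
    "1700000010 192.168.50.20:40001 203.0.113.9:443 tcp 512",      # ordinary outbound
]
# Sixty UDP packets in one minute from one box to sixty different hosts on 25565 (Minecraft's default port).
SAMPLE_LOG += [f"{1700000040 + i} 192.168.50.20:{40000 + i} 203.0.113.{100 + i}:25565 udp 1400"
               for i in range(60)]


def analyze(lines):
    records = [parse_line(line) for line in lines]
    return {"adb_hits": inbound_adb_hits(records), "fanout": outbound_fanout(records)}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for r in result["adb_hits"]:
        print(f"ADB reachable from {r['src']} -> {r['dst']}:{r['dport']} at {r['ts']}")
    for src, start, n in result["fanout"]:
        print(f"{src} contacted {n} external hosts in the minute starting at {start}")
```

Two caveats apply in practice. Fixed one-minute buckets can split a burst across two windows and miss it, so a sliding window is preferable on real data; and the fan-out rule is a behavioural indicator, not proof of infection, which is why the inbound ADB check (a hard policy violation) is the one to alert on first.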
The emergence of xlabs_v1 demonstrates again that the IoT attack surface continues to grow and that many devices are still deployed with insecure default settings.