The complete six-file operational toolkit including arm7 (Mirai-tagged), debug.o2, payloads files, proxies, and targets.
Security researchers at Hunt Intelligence have mapped the operational blueprint of a new Mirai-derived botnet dubbed xlabs_v1. The discovery occurred in early April 2026 when an open-directory monitoring tool flagged an exposed server in the Netherlands.
The operator, self-identifying as Tadashi, left their entire toolkit, including binaries, payloads, and proxy credentials, publicly accessible on an unauthenticated web interface. This lapse in basic operational security allowed analysts to index the operation before the threat actor realized they were being watched.
Unlike some opportunistic malware, xlabs_v1 is a “focused commercial product” designed for the DDoS-for-hire market. The bot features 21 distinct flood variants across TCP, UDP, and raw protocols.
The attack repertoire specifically targets game servers:
- RakNet Floods: Tailored to disrupt Minecraft servers (Bedrock Edition, which speaks RakNet over UDP).
- OpenVPN-Shaped UDP: Packets shaped like OpenVPN traffic so that DDoS filters tuned to pass VPN flows let them through.
- L7 Evasion: HTTP request templates that imitate legitimate client requests to defeat application-layer protections.
To maximize profit, the bot includes a sophisticated bandwidth profiling routine. It opens 8,192 parallel sockets to Speedtest servers to measure a victim’s upstream capacity, allowing Tadashi to “price-tier the fleet for DDoS-for-hire customers” based on how much power each compromised device can deliver.
The primary target for xlabs_v1 is any internet-exposed hardware running the Android Debug Bridge (ADB) on TCP/5555. This includes:
- Android TV boxes and smart TVs.
- Residential routers and set-top boxes.
- IoT-grade hardware shipping with ADB enabled by default.
Hunt Intelligence researchers identified over 4 million internet-exposed hosts with port 5555 open. An open port is a superset of reachable ADB (other services use 5555 too, and some listeners require authentication), but even a fraction of that population is a large attack surface for this infection chain.
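Port 5555 being open is not the same as ADB answering on it. The check below, an added example that is not code from Hunt Intelligence or from the xlabs_v1 toolkit, speaks the first message of the ADB wire protocol (the CNXN handshake from AOSP's adb/protocol.txt) and classifies the reply as an unauthenticated ADB listener, an ADB listener that demands key authentication, or something that is not ADB at all. The sample replies at the bottom are constructed for offline use; the device property values in them are placeholders, not data from any real host.

```python
"""Fingerprint a TCP/5555 listener by speaking the ADB CNXN handshake.

ADB messages are six little-endian uint32 fields (command, arg0, arg1,
data_length, data_check, magic) followed by the payload. data_check is the
byte sum of the payload and magic is command XOR 0xffffffff, which is what
lets us reject non-ADB banners such as an HTTP error page."""
import socket
import struct

A_CNXN = 0x4E584E43      # "CNXN" read as little-endian uint32
A_AUTH = 0x48545541      # "AUTH": device wants RSA key authentication
A_VERSION = 0x01000000   # protocol version sent in arg0 of CNXN
MAX_PAYLOAD = 4096       # arg1 of CNXN: largest payload we accept
HDR = struct.Struct("<6I")


def build_msg(command, arg0, arg1, payload=b""):
    """Serialise one ADB message with a correct checksum and magic."""
    return HDR.pack(command, arg0, arg1, len(payload),
                    sum(payload) & 0xFFFFFFFF, command ^ 0xFFFFFFFF) + payload


def parse_msg(buf):
    """Return (command, arg0, arg1, payload), or None if buf is not a
    well-formed ADB message (short, bad magic, truncated or tampered payload)."""
    if len(buf) < HDR.size:
        return None
    cmd, a0, a1, dlen, dsum, magic = HDR.unpack_from(buf)
    if magic != cmd ^ 0xFFFFFFFF or dlen > MAX_PAYLOAD or len(buf) < HDR.size + dlen:
        return None
    payload = buf[HDR.size:HDR.size + dlen]
    if dsum != sum(payload) & 0xFFFFFFFF:
        return None
    return cmd, a0, a1, payload


def classify(reply):
    """Map a device's first reply to (verdict, device properties)."""
    msg = parse_msg(reply)
    if msg is None:
        return "not-adb", {}
    cmd, _a0, _a1, payload = msg
    if cmd == A_AUTH:
        return "auth-required", {}
    if cmd == A_CNXN:
        # Payload looks like "device::ro.product.name=X;ro.product.model=Y;...\0"
        body = payload.rstrip(b"\0").decode("ascii", "replace")
        props = dict(kv.split("=", 1)
                     for kv in body.split("::", 1)[-1].split(";") if "=" in kv)
        return "open", props
    return "not-adb", {}


def _recv_exact(sock, n):
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            return None
        data += chunk
    return data


def probe(host, port=5555, timeout=3.0):
    """Live network probe (hypothetical usage; not exercised offline)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_msg(A_CNXN, A_VERSION, MAX_PAYLOAD, b"host::\0"))
        head = _recv_exact(s, HDR.size)
        if head is None:
            return "not-adb", {}
        dlen = HDR.unpack_from(head)[3]
        body = _recv_exact(s, dlen) if dlen <= MAX_PAYLOAD else None
        return classify(head + body) if body is not None else ("not-adb", {})


# Constructed sample replies (not captured from a real device).
SAMPLE_OPEN = build_msg(A_CNXN, A_VERSION, MAX_PAYLOAD,
                        b"device::ro.product.name=sample;ro.product.model=TVBOX;"
                        b"ro.product.device=sample\0")
SAMPLE_AUTH = build_msg(A_AUTH, 1, 0, b"\x00" * 20)   # arg0=1 is ADB_AUTH_TOKEN
SAMPLE_HTTP = b"HTTP/1.1 400 Bad Request\r\n\r\n"

if __name__ == "__main__":
    for name, sample in (("open", SAMPLE_OPEN), ("auth", SAMPLE_AUTH), ("http", SAMPLE_HTTP)):
        print(name, classify(sample))
```

Run `probe("192.0.2.10")` against a host you are authorised to test; an "open" verdict with populated ro.product.* properties is exactly the population this bot recruits, while "auth-required" means the device at least enforces key pairing.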
The bot employs several techniques to evade casual detection. Once it lands on a device, it renames its own process to “/bin/bash” to blend in with legitimate system shells. The rename only changes the name the process reports; the kernel's record of the executable in /proc/<pid>/exe still points at the dropped binary, and on Android, where the stock shell is /system/bin/sh, a process calling itself /bin/bash is itself an anomaly. It also features a “killer” subsystem that hunts for and terminates competing malware to ensure xlabs_v1 has exclusive access to the host’s bandwidth.
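The masquerade described above can be caught by comparing what a process claims to be with what the kernel knows about it. The script below is an added example, not code from the report or the botnet; it reads /proc the way an analyst would over `adb shell` on a suspect device and flags processes that present a shell name while their executable lives outside the system image, has been unlinked after launch, or runs from a writable staging directory. The process records at the bottom are constructed samples; the path `/data/local/tmp/arm7` in them is an assumption for illustration, not a path taken from the report.

```python
"""Flag processes that report a shell name but run from somewhere a shell
should not. Works on any Linux /proc; the staging paths are Android-flavoured."""
import os

SHELL_NAMES = {"sh", "bash", "dash", "mksh", "busybox", "toybox"}
# Where a real shell binary may legitimately live (Android and generic Linux).
TRUSTED_DIRS = ("/system/bin/", "/system/xbin/", "/apex/", "/vendor/bin/",
                "/bin/", "/usr/bin/")
# Writable locations a dropper typically stages its payload in.
STAGING_DIRS = ("/data/local/tmp/", "/data/data/", "/tmp/", "/dev/shm/", "/sdcard/")


def check_process(pid, comm, cmdline, exe):
    """Return the reasons this process looks like a masquerading bot.

    comm    - contents of /proc/<pid>/comm (what prctl(PR_SET_NAME) changes)
    cmdline - argv list from /proc/<pid>/cmdline (what argv overwriting changes)
    exe     - readlink() of /proc/<pid>/exe ('' if unreadable); the kernel
              keeps this pointing at the real file regardless of renaming.
    """
    reasons = []
    claimed = os.path.basename(cmdline[0]) if cmdline else comm
    if claimed in SHELL_NAMES and exe and not exe.startswith(TRUSTED_DIRS):
        reasons.append(f"claims to be {claimed} but exe is {exe}")
    if exe.endswith(" (deleted)"):
        reasons.append("executable was unlinked after launch")
    if exe.startswith(STAGING_DIRS):
        reasons.append("running from a writable staging path")
    return reasons


def scan_records(records):
    """records: iterable of (pid, comm, cmdline, exe). Returns {pid: reasons}."""
    findings = {}
    for pid, comm, cmdline, exe in records:
        reasons = check_process(pid, comm, cmdline, exe)
        if reasons:
            findings[pid] = reasons
    return findings


def read_proc_entry(pid, root="/proc"):
    """Collect one live record; None if the process vanished or is unreadable."""
    base = os.path.join(root, str(pid))
    try:
        with open(os.path.join(base, "comm")) as f:
            comm = f.read().strip()
        with open(os.path.join(base, "cmdline"), "rb") as f:
            cmdline = [a.decode(errors="replace") for a in f.read().split(b"\0") if a]
    except OSError:
        return None
    try:
        exe = os.readlink(os.path.join(base, "exe"))
    except OSError:
        exe = ""   # kernel threads, or a process we lack permission to inspect
    return pid, comm, cmdline, exe


def scan_live(root="/proc"):
    """Walk every numeric entry in /proc and return {pid: reasons}."""
    records = []
    for name in os.listdir(root):
        if name.isdigit():
            rec = read_proc_entry(int(name), root)
            if rec is not None:
                records.append(rec)
    return scan_records(records)


# Constructed sample records (not from an infected device).
SAMPLE_PROCS = [
    (1234, "bash", ["/bin/bash"], "/data/local/tmp/arm7"),
    (1235, "sh", ["/system/bin/sh"], "/system/bin/sh"),
    (1236, "bash", ["/bin/bash"], "/data/local/tmp/arm7 (deleted)"),
    (1237, "logd", ["/system/bin/logd"], "/system/bin/logd"),
]

if __name__ == "__main__":
    for pid, reasons in scan_records(SAMPLE_PROCS).items():
        print(pid, "; ".join(reasons))
```

On a real device run `scan_live()` as root (or via `adb shell su`); without root, /proc/<pid>/exe of other users' processes is unreadable and those entries fall back to an empty exe, so a clean result from an unprivileged shell is not conclusive.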
One of the most striking findings was a hard-coded development banner revealed through string decryption. As the report notes: “The decrypted development banner… reveals an active rivalry with a competing fork branded xlab 2.”
The entire operation—including command-and-control (C2), distribution, and even co-located Monero cryptojacking infrastructure—was consolidated within a single bulletproof hosting netblock in the Netherlands.
While the use of ChaCha20 encryption for sensitive strings shows some technical effort, the operator’s tradecraft was ultimately deemed “mid-tier”. Hosting an unstripped development build, symbols and debug banner intact, on a public-facing server gave researchers a “complete picture” of the binary’s internals that a stripped release build would have kept hidden.