Xlabs_v1 Mirai-derived ADB DDoS botnet
Malware Activity
Summary
The xlabs_v1 Mirai-derived botnet has been exposed as a DDoS tool that abuses Android Debug Bridge (ADB) on internet-facing devices, expanding risk to Android, router, and IoT hardware. It uses 21 flood variants and a killer module to remove competing bots and maximize available bandwidth. The operator appears to run the malware as a DDoS-for-hire service aimed at game servers and Minecraft hosts.
Related Happenings
Aisuru, KimWolf, JackSkid, and Mossad botnet C2 takedown
Law Enforcement
First: 20.03.2026 10:05
Last: 20.03.2026 10:05
Sources 1
About this happening:
The **U.S. Department of Justice** announced the arrest of **Jacob Butler (aka Dort)**, a **23-year-old** in **Ottawa, Canada**, for allegedly developing and operating the **Kimwo...
AVRecon malware for Linux powering SocksEscort proxy network
Malware Activity
First: 12.03.2026 18:19
Last: 12.03.2026 18:19
Sources 1
About this happening:
The **AVRecon** malware for Linux powered the **SocksEscort** proxy network, turning compromised **Linux-based SOHO routers** into traffic-routing nodes at scale. It was believed...
Aisuru/Kimwolf botnet record DDoS campaign against telecommunications and IT companies
Campaign
First: 29.01.2026 16:55
Last: 29.01.2026 16:55
Sources 1
About this happening:
The **Aisuru/Kimwolf botnet** campaign expanded in **late 2025** with **Kimwolf**, a **DDoS botnet** compiled using the **NDK**, and evidence linking it to **AISURU** through shar...
Latest development: 20.03.2026 02:49
The U.S. Justice Department, with authorities in Canada and Germany, dismantled infrastructure behind Aisuru, Kimwolf, JackSkid and Mossad, seized U.S.-registered domains and virtual servers used in DDoS attacks against DoD Internet addresses, and said the action was intended to prevent further infections and future attacks.
Kimwolf Android botnet expands proxy-relay operations to over 2 million devices
Malware Activity
First: 05.01.2026 18:41
Last: 05.01.2026 18:41
Sources 1
About this happening:
The **Kimwolf** **Android botnet** continued to evolve as a **proxy-relay** and **DDoS** operation built on **more than 2 million infected devices**, with abuse of **exposed ADB**...
Latest development: 20.03.2026 08:25
The U.S. Department of Justice announced a court-authorized law-enforcement operation that disrupted command-and-control (C2) infrastructure used by the IoT botnets AISURU, Kimwolf, JackSkid, and Mossad, with assistance from Canada, Germany, and private sector firms including Akamai, Amazon Web Services, Cloudflare, DigitalOcean, Google, Lumen, Nokia, Okta, Oracle, PayPal, SpyCloud, Synthient, Team Cymru, Unit 221B, and QiAnXin XLab. The botnets were linked to distributed denial-of-service (DDoS) attacks targeting victims worldwide and to more than 2 million Android devices, while the four botnets were estimated to have infected no fewer than 3 million devices worldwide.
Kimwolf botnet expands through residential proxy abuse
Malware Activity
First: 02.01.2026 16:20
Last: 02.01.2026 16:20
Sources 1
About this happening:
The **Kimwolf** **IoT botnet** continues to expand through abuse of **residential proxy services** such as **IPIDEA**, which it uses to relay malicious traffic, scan local network...
Latest development: 29.01.2026 19:15
Google Threat Intelligence Group and partners coordinated court action and technical enforcement to disrupt IPIDEA, a residential proxy network whose SDKs were used to enroll devices into Kimwolf and other botnets. Google said it took down domains used to command infected devices and manage proxy traffic, and Google Play Protect now alerts users, removes apps containing IPIDEA SDKs, and blocks future installation attempts on certified Android devices.
Timeline
06.05.2026 23:21 (2 articles)
Hunt.io exposes xlabs_v1 Mirai-derived ADB DDoS botnet
Initial Disclosure
Hunt.io publicly identified xlabs_v1 as a Mirai-derived botnet that targets internet-exposed Android Debug Bridge (ADB) services on TCP port 5555, including devices such as Android TV boxes, set-top boxes, smart TVs, routers, and IoT hardware. The malware is presented as a DDoS-for-hire service aimed at game servers and Minecraft hosts, with 21 flood variants, an operator panel at xlabslover[.]lol, and a killer subsystem that removes competing bots to reclaim upstream bandwidth.
Sources
- Mirai-Based xlabs_v1 Botnet Exploits ADB to Hijack IoT Devices for DDoS Attacks — thehackernews.com — 06.05.2026 23:21