Xlabs_v1 Mirai-derived ADB DDoS botnet
Malware Activity
Summary
Hide ▲
Show ▼
The xlabs_v1 Mirai-derived botnet has been exposed as a DDoS tool that abuses Android Debug Bridge (ADB) on internet-facing devices, expanding risk to Android, router, and IoT hardware. It uses 21 flood variants and a killer module to remove competing bots and maximize available bandwidth. The operator appears to run the malware as a DDoS-for-hire service aimed at game servers and Minecraft hosts.
Related Happenings
RustDuck DDoS botnet activity targeting routers and servers
Malware Activity
H score27
First: 30.06.2026 20:45
Last: 30.06.2026 20:45
Sources 1
About this happening:
The **RustDuck** malware family is **hijacking routers, cameras, Android boxes, and servers** to assemble a **DDoS botnet** that can flood targets and knock websites and online se...
RustDuck DDoS botnet activity targeting routers and servers
Malware ActivityAbout this happening: The **RustDuck** malware family is **hijacking routers, cameras, Android boxes, and servers** to assemble a **DDoS botnet** that can flood targets and knock websites and online se...
Aisuru, KimWolf, JackSkid, and Mossad botnet C2 takedown
Law Enforcement
H score20
First: 20.03.2026 10:05
Last: 20.03.2026 10:05
Sources 1
About this happening:
The **U.S. Department of Justice** announced the arrest of **Jacob Butler (aka Dort)**, a **23-year-old** in **Ottawa, Canada**, for allegedly developing and operating the **Kimwo...
Aisuru, KimWolf, JackSkid, and Mossad botnet C2 takedown
Law EnforcementAbout this happening: The **U.S. Department of Justice** announced the arrest of **Jacob Butler (aka Dort)**, a **23-year-old** in **Ottawa, Canada**, for allegedly developing and operating the **Kimwo...
AVRecon malware for Linux powering SocksEscort proxy network
Malware Activity
H score19
First: 12.03.2026 18:19
Last: 12.03.2026 18:19
Sources 1
About this happening:
The **AVRecon** malware for Linux powered the **SocksEscort** proxy network, turning compromised **Linux-based SOHO routers** into traffic-routing nodes at scale. It was believed...
AVRecon malware for Linux powering SocksEscort proxy network
Malware ActivityAbout this happening: The **AVRecon** malware for Linux powered the **SocksEscort** proxy network, turning compromised **Linux-based SOHO routers** into traffic-routing nodes at scale. It was believed...
Aisuru/Kimwolf botnet record DDoS campaign against telecommunications and IT companies
Campaign
H score60
First: 29.01.2026 16:55
Last: 29.01.2026 16:55
Sources 1
About this happening:
The **Aisuru/Kimwolf botnet** campaign expanded in **late 2025** with **Kimwolf**, a **DDoS botnet** compiled using the **NDK**, and evidence linking it to **AISURU** through shar...
Aisuru/Kimwolf botnet record DDoS campaign against telecommunications and IT companies
CampaignAbout this happening: The **Aisuru/Kimwolf botnet** campaign expanded in **late 2025** with **Kimwolf**, a **DDoS botnet** compiled using the **NDK**, and evidence linking it to **AISURU** through shar...
Latest development: 20.03.2026 02:49
The U.S. Justice Department, with authorities in Canada and Germany, dismantled infrastructure behind Aisuru, Kimwolf, JackSkid and Mossad, seized U.S.-registered domains and virtual servers used in DDoS attacks against DoD Internet addresses, and said the action was intended to prevent further infections and future attacks.
Kimwolf Android botnet expands proxy-relay operations to over 2 million devices
Malware Activity
H score57
First: 05.01.2026 18:41
Last: 05.01.2026 18:41
Sources 1
About this happening:
The **Kimwolf** **Android botnet** continued to evolve as a **proxy-relay** and **DDoS** operation built on **more than 2 million infected devices**, with abuse of **exposed ADB**...
Kimwolf Android botnet expands proxy-relay operations to over 2 million devices
Malware ActivityAbout this happening: The **Kimwolf** **Android botnet** continued to evolve as a **proxy-relay** and **DDoS** operation built on **more than 2 million infected devices**, with abuse of **exposed ADB**...
Latest development: 20.03.2026 08:25
The U.S. Department of Justice announced a court-authorized law-enforcement operation that disrupted command-and-control (C2) infrastructure used by the IoT botnets AISURU, Kimwolf, JackSkid, and Mossad, with assistance from Canada, Germany, and private sector firms including Akamai, Amazon Web Services, Cloudflare, DigitalOcean, Google, Lumen, Nokia, Okta, Oracle, PayPal, SpyCloud, Synthient, Team Cymru, Unit 221B, and QiAnXin XLab. The botnets were linked to distributed denial-of-service (DDoS) attacks targeting victims worldwide and to more than 2 million Android devices, while the four botnets were estimated to have infected no less than 3 million devices worldwide.
Timeline
-
06.05.2026 23:21 2 articles · 2mo ago
Hunt.io exposes xlabs_v1 Mirai-derived ADB DDoS botnet
Initial DisclosureHunt.io publicly identified xlabs_v1 as a Mirai-derived botnet that targets internet-exposed Android Debug Bridge (ADB) services on TCP port 5555, including devices such as Android TV boxes, set-top boxes, smart TVs, routers, and IoT hardware. The malware is presented as a DDoS-for-hire service aimed at game servers and Minecraft hosts, with 21 flood variants, an operator panel at xlabslover[.]lol, and a killer subsystem that removes competing bots to reclaim upstream bandwidth.
Show sources
- Mirai-Based xlabs_v1 Botnet Exploits ADB to Hijack IoT Devices for DDoS Attacks — thehackernews.com — 06.05.2026 23:21
- Mirai-Based xlabs_v1 Botnet Exploits ADB to Hijack IoT Devices for DDoS Attacks — thehackernews.com — 06.05.2026 23:21