DDoS-for-Hire Operation Exposed: How an Operator's Debug Build Unraveled a Commercial Game-Server Botnet
Essential information
- Published
- 29/04/2026 19:42
- Modified
- 30/04/2026 08:17
- Tags
- 2026-04-29 adb exploitation bandwidth profiling ddos-for-hire game server targeting iot botnet minecraft mirai mirai-derived vltrig xlabs_v1
- Related entities
- 10 observables, 1 intrusion sets (apt), 19 techniques (mitre), 3 malware, 1 others
Description
An exposed open directory on a Netherlands-hosted server revealed the complete operational toolkit of xlabs_v1, a Mirai-derived IoT botnet operated by an actor using the handle Tadashi. The operation provides DDoS-for-hire services specifically targeting game servers and Minecraft hosts through 21 distinct flood attack variants. The botnet exploits Android Debug Bridge (ADB) on TCP/5555 to compromise over 4 million potentially vulnerable IoT devices including Android TV boxes, smart TVs, and routers. The operation features bandwidth profiling to price-tier infected devices, ChaCha20 string encryption with cryptographic weaknesses, and competitor-eradication routines. Infrastructure analysis consolidated the entire operation within a single bulletproof /24 netblock in the Netherlands, with co-located cryptojacking infrastructure also identified.