216.73.216.86

DDoS-for-Hire Operation Exposed: How an Operator's Debug Build Unraveled a Commercial Game-Server Botnet

· Published 29/04/2026 19:42 · Modified 30/04/2026 08:17

Export JSON

Essential information

Published
29/04/2026 19:42
Modified
30/04/2026 08:17
Tags
2026-04-29 adb exploitation bandwidth profiling ddos-for-hire game server targeting iot botnet minecraft mirai mirai-derived vltrig xlabs_v1
Related entities
10 observables, 1 intrusion sets (apt), 19 techniques (mitre), 3 malware, 1 others

Description

An exposed open directory on a Netherlands-hosted server revealed the complete operational toolkit of , a operated by an actor using the handle Tadashi. The operation provides services specifically targeting game servers and hosts through 21 distinct flood attack variants. The botnet exploits Android Debug Bridge (ADB) on TCP/5555 to compromise over 4 million potentially vulnerable IoT devices including Android TV boxes, smart TVs, and routers. The operation features to price-tier infected devices, ChaCha20 string encryption with cryptographic weaknesses, and competitor-eradication routines. Infrastructure analysis consolidated the entire operation within a single bulletproof /24 netblock in the Netherlands, with co-located cryptojacking infrastructure also identified.

External references