{
  "name": "DDoS-for-Hire Operation Exposed: How an Operator's Debug Build Unraveled a Commercial Game-Server Botnet",
  "slug": "ddos-for-hire-operation-exposed-how-an-operators-debug-build-unraveled-a-commercial-game-server-botnet",
  "description": "An exposed open directory on a Netherlands-hosted server revealed the complete operational toolkit of xlabs_v1, a Mirai-derived IoT botnet operated by an actor using the handle Tadashi. The operation provides DDoS-for-hire services specifically targeting game servers and Minecraft hosts through 21 distinct flood attack variants. The botnet exploits Android Debug Bridge (ADB) on TCP/5555 to compromise over 4 million potentially vulnerable IoT devices including Android TV boxes, smart TVs, and routers. The operation features bandwidth profiling to price-tier infected devices, ChaCha20 string encryption with cryptographic weaknesses, and competitor-eradication routines. Infrastructure analysis consolidated the entire operation within a single bulletproof /24 netblock in the Netherlands, with co-located cryptojacking infrastructure also identified.",
  "published": "2026-04-29T17:42:01+00:00",
  "created_at": "2026-04-29T17:42:01+00:00",
  "modified_at": "2026-04-30T06:17:45+00:00",
  "created_at_opencti": "2026-04-29T17:42:01+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2026-04-29",
    "adb exploitation",
    "bandwidth profiling",
    "ddos-for-hire",
    "game server targeting",
    "iot botnet",
    "minecraft",
    "mirai",
    "mirai-derived",
    "vltrig",
    "xlabs_v1"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "176.65.139.134"
      },
      {
        "id": "",
        "name": "176.65.139.42"
      },
      {
        "id": "",
        "name": "176.65.139.9"
      },
      {
        "id": "",
        "name": "176.65.139.44"
      },
      {
        "id": "",
        "name": "31a60f9e0b5b4f0371f4130a184e27f79cefacb080a6273ccb1c9a908dc6ca9d"
      },
      {
        "id": "",
        "name": "fa965ed784f7ec99e21475205cc177bb71ac7550b4015b4a4b3e232f032dcb91"
      },
      {
        "id": "",
        "name": "8367daa8ce633724157b8edd21d625de5ac56b8c2d983bbb283836162037f3c1"
      },
      {
        "id": "",
        "name": "f962cb443975065b91d4512a42a529a091726e1815be28ced0ebb9dff997931d"
      },
      {
        "id": "",
        "name": "079ae4f813939dd96b961ae288fb7f930649dfebb4884c13af95309a71f986f5"
      },
      {
        "id": "",
        "name": "a03705fc225dbcec7e3c2f06a258afe81b5d88aaff1368d10dd6ba4f0932be7c"
      }
    ],
    "malware": [
      {
        "id": "96fac276-c05f-4a9b-90a9-9c835458d3de",
        "name": "xlabs_v1",
        "slug": "xlabs_v1"
      },
      {
        "id": "5fdcf97f-0489-477b-a5df-c662e5fc5579",
        "name": "Mirai",
        "slug": "mirai"
      },
      {
        "id": "1b3e3087-e8d7-4683-bcaa-4c39fccc2d25",
        "name": "VLTRig",
        "slug": "vltrig"
      }
    ],
    "intrusion_sets": [
      {
        "id": "54000ea8-9a3f-4fda-a1b4-37704337583d",
        "name": "Tadashi",
        "slug": "tadashi"
      }
    ],
    "attack_patterns": [
      {
        "id": "c473a756-355a-42ad-a0df-cd3a8fa006d1",
        "name": "T1057"
      },
      {
        "id": "6ccd4566-e15e-40cf-b7df-4a3f737ce5cd",
        "name": "T1036.005"
      },
      {
        "id": "5d890f18-8c7e-47eb-89aa-d2b82a61a7d7",
        "name": "T1008"
      },
      {
        "id": "eaff4611-3c78-4127-8745-726f77ed68ba",
        "name": "T1070.004"
      },
      {
        "id": "392fef6c-4d5d-4280-bad6-b78751569e7f",
        "name": "T1222.002"
      },
      {
        "id": "16e26db7-7376-40c1-b8a9-23d56c44f7ee",
        "name": "T1571"
      },
      {
        "id": "820fbdf8-7db2-4292-9a60-7eed3567be8d",
        "name": "T1210"
      },
      {
        "id": "60972cf6-e90b-4600-af3c-13c468391d9c",
        "name": "T1106"
      },
      {
        "id": "786b4ce4-6812-4b9b-b9e5-f9f05f7b35b9",
        "name": "T1595.001"
      },
      {
        "id": "6c8f8a40-2746-4a37-86bd-81e82afa6e62",
        "name": "T1190"
      },
      {
        "id": "886bf3fa-4e64-498b-9cba-f64619cfd501",
        "name": "T1090.002"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "2e0c6db7-16a7-4bf6-992e-263474014fce",
        "name": "T1059.004"
      },
      {
        "id": "dea4e00b-6e38-4223-a0f2-8a44e403019b",
        "name": "T1564.003"
      },
      {
        "id": "dc342445-1b78-48b4-aa06-89ed2ad7c28e",
        "name": "T1071"
      },
      {
        "id": "7abb6e8c-d357-49ef-9244-017043055224",
        "name": "T1205"
      },
      {
        "id": "e1b18ecf-d74e-4fe6-9bd4-ca6a62e7d818",
        "name": "T1027.002"
      },
      {
        "id": "7e5fbc10-b908-4ce8-8ba8-9fd70790c6ae",
        "name": "T1562.004"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Hospitality"
      }
    ]
  },
  "external_refs": [
    "https://hunt.io/blog/xlabs-v1-ddos-for-hire-operation-exposed",
    "https://otx.alienvault.com/pulse/69f25f09e5c3a33611f7cb16"
  ]
}