A new Mirai‑based botnet, xlabs_v1, hijacks ADB‑exposed IoT devices for powerful DDoS attacks, with 21 flooding methods and DDoS‑for‑hire use.

A new Mirai‑derived botnet called xlabs_v1 is hijacking internet‑exposed devices running Android Debug Bridge (ADB) and using them for large‑scale DDoS attacks. Hunt.io discovered the bot on an unsecured server, it includes 21 flood techniques across TCP, UDP, and raw protocols, allowing it to bypass basic protections. It appears to be sold as a DDoS‑for‑hire service, especially for targeting game and Minecraft servers.

During routine monitoring, researchers spotted an exposed directory on a Netherlands‑hosted server (176.65[.]139.44) used for bulletproof hosting. The operator had left their entire toolkit publicly accessible over TCP/80 with no authentication, allowing investigators to index everything before the attacker realized it was exposed.

Open access to the server revealed a six‑file toolkit instead of a login page, exposing binaries and text files with no authentication. Two files were auto‑tagged as malicious: arm7 (Mirai) and payloads.txt (exploit content), suggesting the operator was using analyst‑grade tools on an unsecured host. The directory held about 200 KB of data, including the packed ARM bot, an unstripped x86‑64 debug build, ADB infection one‑liners, a SOCKS5 proxy, and a placeholder targets file. The debug build’s intact symbols made reconstructing the bot’s behavior straightforward.

“The xlabs_v1 codebase reads as a focused commercial product rather than an opportunistic Mirai derivative. Its twenty-one flood variants, ChaCha20 string protection, OpenNIC-aware DNS resolution, and Speedtest-driven bandwidth profiling are subsystems aimed at a single outcome: keeping a fleet of compromised IoT devices reachable, accountable, and profitable for the operator. Everything else in the binary serves that goal or protects it.” reads the report published by Hunt.io.

xlabs_v1 botnet is built entirely for commercial DDoS‑for‑hire operations, with no added features like credential theft that could increase detection risk. Its core function is to receive attack commands and launch one of 21 flood variants, many aimed at game servers, including RakNet floods for Minecraft and OpenVPN‑shaped UDP traffic to evade filters. Delivered through ADB exploits, the ARMv7 bot targets Android TVs, set‑top boxes, and IoT hardware, part of a global surface of more than 4 million devices with TCP/5555 exposed.

“nfection vector is Android Debug Bridge on TCP/5555, with multi-architecture builds covering ARM, MIPS, x86-64, ARC, and Android APK, meaning any internet-exposed device running ADB is a potential target: Android TV boxes, set-top boxes, smart TVs, residential routers, and any IoT-grade hardware shipping with ADB enabled by default.” continutes the report.

Once installed, the bot hides infection tags, profiles each device’s bandwidth by opening 8,192 TCP sockets, and reports Mbps to its panel so the operator can assign price tiers. It also kills competing botnets by scanning /proc, terminating rival processes, and removing malware on port 24936.

For resilience, xlabs_v1 resolves its C2 via OpenNIC, falls back to a firewall‑punching SOCKS‑style listener on TCP/26721, and masks itself as /bin/bash to evade casual inspection. Sensitive strings, including the C2 domain xlabslover.lol, the operator handle Tadashi, and the agent tag xlabs_v1, are encrypted with ChaCha20 but easily recovered due to key reuse.

Its command‑and‑control uses a custom TCP protocol, supporting bandwidth probes, updates, self‑restart, and attack dispatch. Together, these techniques reveal a sophisticated, commercially motivated DDoS botnet engineered for persistence, evasion, and profit.

Analysis of the xlabs_v1 botnet’s infrastructure begins with its C2 domain, xlabslover[.]lol, which resolves to a single IP in the Netherlands hosted by Offshore LC. The domain uses Ultahost nameservers, a provider often linked to bulletproof hosting, and shows no prior malware detections, suggesting a recently deployed C2.

Pivoting from the domain to its IP (176.65.139[.]134) reveals SSH as the only open port, plus past honeypot activity involving HTTP and .env‑file scanning. SSL history shows unusual self‑signed certificates, including one with the CN “Godisgood”, previously used on another IP in Germany, indicating the same operator managing multiple servers.

Three hosts within the 176.65.139.0/24 netblock appear tied to the botnet: .44 (staging), .42 (distribution), and .9 (additional distribution). Hunt.io captured open directories on these systems containing Mirai‑tagged binaries, multi‑architecture payloads, and ADB exploitation scripts.

Historical scans confirmed Mirai C2 activity in late March and early April 2026, consistent with the botnet’s active deployment period and revealing a consolidated, bulletproof infrastructure supporting xlabs_v1.

The operator behind the botnet uses the handle Tadashi, embedded in each build, while the botnet brand xlabs_v1 appears in every C2 registration, hinting at future versions. A development tag, aterna, shows earlier branding before release. OSINT searches linking “Tadashi,” “xlabs,” and “xlabslover” may reveal the operator’s DDoS‑for‑hire storefront. A decrypted banner also exposes hostility toward a rival fork, xlab 2, suggesting a code split or underground feud. Nearby infrastructure in the same netblock has hosted cryptojacking tools, though overlap with the xlabs operation remains unconfirmed.

“In commercial-criminal terms, xlabs_v1 is mid-tier. It is more sophisticated than the typical script-kiddie Mirai fork (which would lack the ChaCha20 layer, the multi-architecture binary set, the bandwidth profiling, and the registered-attack diversity), but less sophisticated than the top tier of commercial DDoS-for-hire operations (which would use TLS on the C2 channel, would not ship a debug build to production paths, would rotate cryptographic material across builds, and would not ship a hard-coded competitor-rivalry banner).” concludes the report. “This operator is competing on price and attack variety, not technical sophistication. Consumer IoT devices, residential routers, and small game-server operators are the target. Treat it accordingly.”

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, xlabs_v1 botnet)

New research has uncovered a Mirai-derived botnet called xlabs_v1 that turns Android devices with exposed Android Debug Bridge (ADB) into a distributed attack platform for knocking Minecraft servers and other game hosts offline. By abusing TCP port 5555 on poorly secured Android-based hardware, the operators are quietly building a rentable DDoS-for-hire service aimed at the gaming ecosystem. […]

The post Botnet Hijacks ADB-Exposed Android Devices to Target Minecraft Servers appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

The post The Tadashi Files: Inside the xlabs_v1 Botnet Targeting 4 Million Android Devices appeared first on Daily CyberSecurity.

The post 44,000 IPs Hijacked: cPanel’s 9.8 CVSS Authentication Bypass Triggers Global Ransomware Surge appeared first on Daily CyberSecurity.

A new campaign shows misconfigured Jenkins servers abused to deploy a DDoS botnet targeting gaming systems, with Valve Corporation infrastructure in focus.

The post New DDoS Botnet Exploits Jenkins to Target Gaming Servers appeared first on Daily CyberSecurity.

The post Command Injection Vulnerability (CVE-2025-29635) Exploited in the Wild appeared first on Daily CyberSecurity.

The post Nexcorium Botnet Turns Unpatched DVRs into DDoS Foot Soldiers appeared first on Daily CyberSecurity.

The post RondoDox Botnet Hijacks Everything from IoT to Fortnite appeared first on Daily CyberSecurity.

The post New “PowMix” Botnet Preys on Czech Workforce with Lure of Compliance appeared first on Daily CyberSecurity.

A new iteration of the notorious Mirai botnet, dubbed Nexcorium, has emerged in the wild, aggressively targeting internet-connected video recording devices.

According to recent threat research published by Fortinet’s FortiGuard Labs, threat actors are exploiting a known command injection vulnerability to hijack TBK DVR systems and construct a large-scale Distributed Denial-of-Service (DDoS) botnet.

Fortinet researchers report that the campaign specifically targets TBK DVR-4104 and DVR-4216 models by exploiting CVE-2024-3721. This OS command injection flaw allows attackers to deliver a downloader script by manipulating arguments within the device system.

During the exploitation phase, network traffic reveals a custom HTTP header reading “X-Hacked-By: Nexus Team – Exploited By Erratic,” leading FortiGuard Labs to attribute the campaign to a relatively unknown threat actor identified as the “Nexus Team“.

Once the downloader script executes, it fetches multi-architecture payloads supporting ARM, MIPS, and x86-64 environments, subsequently displaying a console message stating “nexuscorp has taken control”.

Technical Capabilities and Infection Mechanisms

Fortinet’s analysis reveals that Nexcorium shares fundamental architecture with traditional Mirai variants, utilizing XOR-encoded configurations and modular components. The technical operation relies on several core mechanisms:

• Modular Architecture: The malware deploys standard Mirai features, including a watchdog module to distinguish sub-processes, a scanner for network propagation, and an attacker module for DDoS execution.
• Legacy Exploit Integration: To maximize its infection radius, Nexcorium incorporates the older CVE-2017-17215 vulnerability, which targets Huawei router devices.
• Aggressive Brute-Forcing: The malware launches Telnet-based brute-force attacks against other networked hardware using a hardcoded list of common and default credentials.
• Self-Preservation: Nexcorium verifies its own integrity using FNV-1a hashing algorithms; if the binary is altered or unreadable, it dynamically duplicates itself under a new filename to evade detection.

To maintain long-term access to compromised systems, the malware establishes persistence through four distinct mechanisms rather than relying on a single configuration file. The botnet secures its foothold by:

• Modifying /etc/inittab to ensure automatic process restarts if the malware is terminated.
• Updating /etc/rc.local to guarantee execution during the device’s system startup sequence.
• Creating a dedicated systemd service named persist.service for persistent background operation.
• Planting scheduled tasks via crontab for reliable post-reboot execution.

Following this extensive setup, Fortinet notes that Nexcorium deletes its original binary from the execution path to thwart security analysts.

The primary objective of the Nexus Team campaign is launching devastating DDoS attacks. Based on FortiGuard Labs’ decryption of the malware’s configuration table, Nexcorium communicates with a centralized command-and-control (C2) server to receive attack directives.

Instead of a narrow attack scope, the botnet is equipped with a versatile arsenal of flood techniques. These include standard UDP, TCP ACK, TCP SYN, SMTP, and TCP PSH floods, alongside specialized attack vectors like VSE query floods and UDP blast attacks.

The discovery of Nexcorium highlights the continuous weaponization of legacy IoT devices. Security experts strongly advise organizations to immediately patch CVE-2024-3721, replace default manufacturer credentials, and isolate critical infrastructure from vulnerable IoT endpoints using network segmentation.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post Nexcorium-Associated Mirai Variant Uses TBK DVR Exploit to Scale Botnet Operations appeared first on Cyber Security News.

A Mirai variant called Nexcorium exploits a flaw in TBK DVRs to infect devices and use them in DDoS attacks, along with outdated TP-Link routers.

Fortinet researchers found that threat actors are exploiting vulnerabilities in TBK DVRs and end-of-life TP-Link routers to spread a Mirai variant called Nexcorium.

“IoT devices are increasingly prime targets for large-scale attacks due to their widespread use, lack of patching, and often weak security settings. Threat actors continue exploiting known vulnerabilities to gain initial access and deploy malware that can persist, spread, and cause distributed denial-of-service (DDoS) attacks.” reads the report published by Fortinet. “FortiGuard Labs has analyzed a recent campaign exploiting CVE-2024-3721 in TBK DVR devices to deliver a multi-architecture Mirai variant called Nexcorium.”

Attackers exploit CVE-2024-3721, a command injection flaw, to compromise devices and turn them into bots for DDoS attacks, rapidly expanding the botnet by targeting systems that are often unpatched or no longer supported.

Attackers exploit CVE-2024-3721 to deliver a downloader script by manipulating specific request arguments. The traffic includes a custom “X-Hacked-By” header referencing “Nexus Team,” suggesting a possible attribution, though the group remains largely unknown. The script, named “dvr,” downloads malware samples labeled “nexuscorp” for multiple Linux architectures such as ARM, MIPS, and x86-64.

It then sets full execution permissions and runs the payload, enabling infection across diverse devices and expanding the botnet footprint.

The analysis of “nexuscorp.x86” sample reveals Nexcorium, a Mirai-like malware that displays a takeover message upon execution. It uses XOR decoding to extract configuration data, including C2 details, attack commands, and persistence scripts. Like other Mirai variants, it features watchdog, scanner, and attack modules. It performs integrity checks and can replicate itself if tampering is detected.

“Nexcorium has a similar architecture to the Mirai variant, including XOR-encoded configuration table initialization, watchdog module, and DDoS attack module.” continues the report. “The malware first performs XOR decoding to extract its embedded configuration, which includes C2 server domain and port, persistence-related shell commands, a hard-coded brute-force wordlist, DDoS attack commands retrieved from the C2 server, and embedded exploit code.”

Nexcorium also embeds exploits such as CVE-2017-17215 targeting Huawei devices and includes a large list of default credentials to brute-force Telnet access. Once inside a system, it verifies the device architecture, executes commands, and establishes persistence by copying itself into system directories.

Nexcorium ensures persistence through multiple methods: it modifies /etc/inittab to restart automatically, updates /etc/rc.local for startup execution, creates a systemd service, and adds a cron job. After setup, it deletes its original binary to evade detection. The malware supports various DDoS attacks, including UDP and TCP floods, and connects to a C2 server to receive commands. It can also stop attacks or terminate itself when instructed.

“The Nexcorium malware displays typical traits of modern IoT-focused botnets, combining vulnerability exploitation, support for multiple architectures, and various persistence methods to sustain long-term access to infected systems.” concludes the report. “Its use of known exploits, such as CVE-2017-17215, along with extensive brute-force capabilities, underscores its adaptability and efficacy in increasing its infection reach.”

Attackers have already abused this flaw in real-world campaigns. In the past year, it was exploited to spread different bots, including a Mirai-based strain, the ShadowV2 botnet, and a newer botnet known as RondoDox. In September 2025, CloudSEK revealed a large loader-as-a-service operation that pushed RondoDox, Mirai, and Morte malware by exploiting weak passwords and outdated vulnerabilities across routers, IoT systems, and enterprise software.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, malware)

A newly discovered Mirai malware variant named Nexcorium is actively targeting unpatched Internet of Things (IoT) devices. According to recent threat research from FortiGuard Labs, attackers are exploiting a severe vulnerability in TBK DVR systems to build a massive botnet capable of launching destructive distributed denial-of-service (DDoS) attacks. The campaign primarily focuses on CVE-2024-3721, a […]

The post Nexcorium Mirai Variant Weaponises TBK DVR Vulnerability in Fresh IoT Botnet Push appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

CVE-2023-33538 allows for command injection in TP-Link routers. We discuss exploitation attempts with payloads characteristic of Mirai botnet malware.

The post A Deep Dive Into Attempted Exploitation of CVE-2023-33538 appeared first on Unit 42.

A new Qrator Labs report reveals that the largest DDoS botnet has grown to 13.5 million devices, and…

The post Inside the Masjesu IoT Botnet’s 3-Year Stealth Reign appeared first on Daily CyberSecurity.

Hackers have left a live Twitter/X credential‑stuffing botnet effectively unlocked, exposing its full command‑and‑control stack, worker fleet, and root passwords to anyone who knows where to look. The C2 runs on a Windows Server 2019 instance hosted by Hetzner in Falkenstein, Germany, with RDP, SMB, and WinRM all exposed alongside the Flask panel, indicating a […]

The post Botnet Exposed: Hackers Leave Worker Access and Root Passwords Wide Open appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

The post Phorpiex’s New P2P Upgrade Makes This 15-Year-Old Botnet Unstoppable appeared first on Daily CyberSecurity.

Hackers are abusing the Masjesu botnet to run high-volume DDoS-for-hire attacks against routers, gateways, and other exposed IoT infrastructure, turning everyday network hardware into commercial attack firepower. Operating quietly since early 2023 and still active in 2026, Masjesu (also known as XorBot) shows how mature, stealth-focused botnets are reshaping the DDoS marketplace. Masjesu is a commercially run […]

The post Masjesu Botnet Targets Routers in Commercial DDoS Attacks appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

A Russian hacker got 2 years in prison, $100K fine, and $1.6M judgment for running a botnet used in ransomware attacks on U.S. firms.

Russian national Ilya Angelov (40) was sentenced to 24 months in prison for operating a botnet used to carry out ransomware attacks on dozens of U.S. companies. He was also fined $100,000, and a $1.6 million money judgment was imposed. The case was announced by U.S. prosecutors and the FBI’s Detroit Field Division.

Between 2017 and 2021, Ilya Angelov co-managed a Russia-based cybercrime group known as TA551 (or Mario Kart), using aliases like “milan” and “okart.” The group built a botnet by spreading malware through spam email attachments. They then sold access to infected computers to other criminals, who used them to launch ransomware attacks, locking victims out of systems and demanding cryptocurrency payments to restore access.

“The FBI has identified over 70 U.S. corporations that were infected with ransomware by one organization linked to Angelov’s group, resulting in over $14 million in extortion payments.” reads the press release published by DoJ. “Another group that distributed ransomware paid Angelov’s group over a million dollars for access to the Mario Kart botnet.”

The attacks aimed to resell access to infected systems to other criminals for ransomware. From 2018 to 2019, TA551 gave the BitPaymer ransomware group access to its botnet, helping infect 72 U.S. companies and generate over $14.17 million in extortion payments.

Another cybercriminal group also paid over $1 million for access to the Mario Kart botnet.

“May this sentencing serve as a strong message to cyber criminals who believe they can hide behind screens and false identities: you cannot escape the FBI’s reach. You will be held accountable,” said Special Agent in Charge Jennifer Runyan of the FBI Detroit Field Office. “This successful investigation reflects the FBI’s ongoing commitment to identifying, tracking, and dismantling the criminal networks that financially exploit individuals and U.S. corporations. I would like to thank the FBI Detroit Cyber Task Force for their exceptional work in this investigation and to the U.S. Attorney’s Office for ensuring justice was achieved.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, botnet)