New Mirai-Derived Botnet xlabs_v1 Discovered Targeting IoT Devices
AI-generated from multiple sources. Verify before acting on this reporting.
AMSTERDAM — A new variant of the Mirai botnet, designated xlabs_v1, was discovered on an unsecured server in the Netherlands on Wednesday, marking a resurgence of commercial distributed denial-of-service (DDoS) operations targeting Internet of Things (IoT) devices. The malware, identified by Hunt.io researchers, is designed to compromise Android TVs and routers to facilitate DDoS-for-hire attacks against gaming and Minecraft servers.
The operator behind the campaign, known by the alias 'Tadashi' and associated with Offshore LC hosting services, deployed the botnet to exploit vulnerabilities in consumer electronics. The discovery occurred on May 7, 2026, when security analysts flagged the presence of the xlabs_v1 code on a server located in the Netherlands. The botnet's infrastructure appears to be structured to monetize attacks by selling access to compromised devices to clients seeking to disrupt online services.
Mirai, originally discovered in 2016, is a notorious malware family that infects IoT devices to create botnets capable of launching massive DDoS attacks. The xlabs_v1 variant represents an evolution of this threat, specifically tailored to target modern smart home devices and gaming infrastructure. Hunt.io researchers noted that the botnet's code includes modules for scanning networks and exploiting default credentials on routers and Android TV boxes, allowing attackers to rapidly expand their network of compromised devices.
The commercial nature of the operation suggests a shift in the threat landscape, where DDoS attacks are increasingly offered as a service to criminal groups or individuals seeking to disrupt specific targets. The targeting of Minecraft and game servers indicates a focus on high-traffic online environments where downtime can cause significant disruption and financial loss. Offshore LC hosting, linked to the operator 'Tadashi', has been identified as a provider of infrastructure for such illicit activities, offering services that obscure the origin of attacks.
Security experts warn that the proliferation of IoT devices continues to expand the attack surface for botnet operators. The xlabs_v1 botnet highlights the persistent vulnerability of consumer electronics, many of which lack robust security measures and are often left with default passwords. The discovery in the Netherlands underscores the global nature of cyber threats, where infrastructure in one country can be used to launch attacks against targets worldwide.
As of Wednesday, the full extent of the botnet's reach remains unclear. Hunt.io researchers are continuing to monitor the infrastructure to determine the number of compromised devices and the scale of the operation. The operator 'Tadashi' has not been identified, and no arrests have been made in connection with the discovery. Law enforcement agencies and cybersecurity firms are working to mitigate the threat, but the decentralized nature of IoT botnets presents significant challenges for takedown efforts.
The emergence of xlabs_v1 serves as a reminder of the ongoing risks posed by unsecured IoT devices. As the number of connected devices continues to grow, the potential for large-scale DDoS attacks increases, requiring heightened vigilance from both consumers and security professionals. The situation remains fluid, with further developments expected as researchers continue to analyze the botnet's capabilities and impact.