DDoS-for-Hire Operation Exposed: How an Operator's Debug Build Unraveled a Commercial Game-Server Botnet

April 30, 2026, 8:17 a.m.

Description

An exposed open directory on a Netherlands-hosted server revealed the complete operational toolkit of xlabs_v1, a Mirai-derived IoT botnet operated by an actor using the handle Tadashi. The operation provides DDoS-for-hire services specifically targeting game servers and Minecraft hosts through 21 distinct flood attack variants. The botnet exploits Android Debug Bridge (ADB) on TCP/5555 to compromise over 4 million potentially vulnerable IoT devices, including Android TV boxes, smart TVs, and routers. The operation features bandwidth profiling to price-tier infected devices, ChaCha20 string encryption with cryptographic weaknesses, and competitor-eradication routines. Infrastructure analysis found the entire operation consolidated within a single bulletproof /24 netblock in the Netherlands; co-located cryptojacking infrastructure was also identified.

Date

  • Created: April 29, 2026, 7:42 p.m.
  • Published: April 29, 2026, 7:42 p.m.
  • Modified: April 30, 2026, 8:17 a.m.

Indicators


Attack Patterns

Additional Information

  • Hospitality