ZeroDay Field Notes - Rootkit Roulette: IoT Botnets, Kernel LPEs, and Pwn2Own Berlin


The week opened with IoT researchers staring at ADB-exposed devices and closed with a Linux kernel heap primitive that turns page-cache writes into root. In between, Pwn2Own Berlin reminded everyone that AI coding agents, local inference servers, and old browser UAFs remain the gift that keeps on giving. Defenders, that is your triage queue.

IoT Under the Microscope: ADB and the New Mirai Variant

Hunt.io published a deep dive into xlabs_v1, a Mirai-derived botnet that turns exposed Android TV boxes, set-top boxes, and residential routers, via ADB on TCP/5555, into a DDoS-for-hire service. The operator, going by "Tadashi," clearly prioritizes game-server takedowns, using 21 different flood methods including filter-bypassing RakNet and OpenVPN-shaped UDP traffic. More than four million devices remain exposed on TCP/5555. The debug build left behind on a Netherlands server gave researchers the full command-and-control panel, revealing tiered pricing, target lists, and the sweet spot for maximum disruption.

Chain potential: Pair this with the recent PPPP camera protocol research that showed default credentials, weak XOR encryption, and UDP hole-punching on consumer IoT. Once you have an initial foothold on a router or smart camera, sliding into the local network for broader reconnaissance gets a lot easier. Blue teams should be hunting for ADB traffic to unexpected external IPs and monitoring for unusual UDP flood patterns aimed at gaming infrastructure.
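A minimal version of that hunt, as an added example that is not part of the Hunt.io research or this newsletter: a POSIX shell filter that walks connection-log lines and flags TCP/5555 sessions whose destination is outside RFC1918 space. The log format (timestamp, source, destination, destination port, protocol) and every address in it are constructed for the example; adapt the `read` field order to whatever your flow or firewall exporter actually emits.

```shell
#!/bin/sh
# Constructed sample of connection-log lines (not real telemetry).
# Format assumed here: "<timestamp> <src_ip> <dst_ip> <dst_port> <proto>"
SAMPLE_CONN_LOG='2026-05-11T10:01:02Z 192.168.1.20 192.168.1.30 5555 tcp
2026-05-11T10:01:05Z 192.168.1.21 203.0.113.45 5555 tcp
2026-05-11T10:01:09Z 192.168.1.22 198.51.100.7 443 tcp
2026-05-11T10:02:11Z 10.0.0.5 192.0.2.99 5555 tcp
2026-05-11T10:02:30Z 172.16.4.8 172.31.9.9 5555 tcp'

# is_private_ipv4 ADDR: succeed (exit 0) when ADDR sits in an RFC1918 range.
# ADB between two internal hosts is normal lab traffic; ADB leaving the
# network is what the botnet writeup tells us to look for.
is_private_ipv4() {
    case "$1" in
        10.*)                                     return 0 ;;
        192.168.*)                                return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*)    return 0 ;;
        *)                                        return 1 ;;
    esac
}

# adb_to_external: read log lines on stdin, print one alert line per
# TCP/5555 session whose destination is not an RFC1918 address.
adb_to_external() {
    while read -r ts src dst dport proto; do
        [ "$proto" = "tcp" ] || continue
        [ "$dport" = "5555" ] || continue
        if ! is_private_ipv4 "$dst"; then
            printf 'ALERT %s adb-out %s -> %s\n' "$ts" "$src" "$dst"
        fi
    done
}

# count_adb_alerts: number of alert lines for the log on stdin.
count_adb_alerts() {
    adb_to_external | wc -l | tr -d ' '
}

# Run against the constructed sample; on a real host pipe in your own log.
printf '%s\n' "$SAMPLE_CONN_LOG" | adb_to_external
```

Two of the five constructed lines trigger an alert (the sessions to 203.0.113.45 and 192.0.2.99); the internal-to-internal ADB session and the HTTPS session do not. The same filter with the source/destination roles swapped gives you the inbound view, which is how these boxes get recruited in the first place.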

Copy Fail Evolves: Dirty Frag Family Continues the LPE Party

Three new members of the Dirty Frag family dropped in quick succession. First, CVE-2026-31431 (Copy Fail), which uses a 4-byte out-of-bounds write in the AF_ALG AEAD interface to corrupt the page cache of SUID binaries for root escalation. Public PoCs are readily available, and CISA added it to KEV after confirmed active exploitation. Then came Fragnesia (CVE-2026-46300), exploiting an ESP-in-TCP logic flaw for deterministic page-cache writes. Finally, the original Dirty Frag (CVE-2026-43284 + CVE-2026-43500) chain hit distributions as old as kernel 4.14.

Mitigation pattern across the family remains consistent: blacklist the vulnerable modules (esp4, esp6, rxrpc, algif_aead) with a modprobe conf, drop caches, and update kernels. ReversingLabs found 163 exploit samples, ELF, Python, and malicious PyPI wheels, before public disclosure, which tells you the underground had already started stocking the shelf. Blue teams get YARA rules and eBPF detection hooks from the vendor writeups. Red teams can file this under: useful until everyone patches, then noisy.
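The module-blacklist and cache-drop steps of that mitigation pattern, as an added example that is not taken from the vendor writeups: a POSIX shell script that writes a modprobe.d fragment for the four modules named above, reports which of them are currently loaded, and drops the page cache when run as root. The conf file name, the `install <module> /bin/false` lines (which also defeat on-demand autoloading by alias, whereas a bare `blacklist` line only stops loading at boot) and the directory argument are my choices; the CVE identifiers in the header comment are the ones quoted in the text.

```shell
#!/bin/sh
# Modules the Dirty Frag / Copy Fail writeups name as carrying the bugs.
VULN_MODULES="esp4 esp6 rxrpc algif_aead"

# write_blacklist_conf [DIR]: write DIR/dirty-frag-blacklist.conf (DIR
# defaults to /etc/modprobe.d) and print its path. "blacklist" stops
# boot-time loading by alias; "install <mod> /bin/false" makes any later
# modprobe of the module, explicit or triggered by a socket() call, fail.
write_blacklist_conf() {
    dir="${1:-/etc/modprobe.d}"
    conf="$dir/dirty-frag-blacklist.conf"
    {
        echo "# Mitigation for the Dirty Frag family:"
        echo "# CVE-2026-31431, CVE-2026-46300, CVE-2026-43284, CVE-2026-43500"
        for m in $VULN_MODULES; do
            echo "blacklist $m"
            echo "install $m /bin/false"
        done
    } > "$conf"
    echo "$conf"
}

# loaded_vuln_modules [PROC_MODULES]: print each vulnerable module that is
# currently loaded, one per line. Reads /proc/modules by default; a file
# argument lets you point it at a captured copy.
loaded_vuln_modules() {
    modfile="${1:-/proc/modules}"
    [ -r "$modfile" ] || return 0
    for m in $VULN_MODULES; do
        if awk -v m="$m" '$1 == m { found = 1 } END { exit !found }' "$modfile"; then
            echo "$m"
        fi
    done
}

# drop_caches: evict the page cache so a cached, corrupted page of a SUID
# binary is re-read from disk. Needs root; reports "skipped" otherwise.
drop_caches() {
    if [ -w /proc/sys/vm/drop_caches ]; then
        sync && echo 3 > /proc/sys/vm/drop_caches && echo "dropped"
    else
        echo "skipped: /proc/sys/vm/drop_caches not writable (not root?)"
    fi
}

# Stand-alone run: only report, so nothing is modified unless you call
# write_blacklist_conf and drop_caches yourself (as root).
for m in $(loaded_vuln_modules); do
    echo "loaded vulnerable module: $m (unload with: modprobe -r $m)"
done
```

Blacklisting does not unload a module that is already resident, so the loaded-module report is the step to act on first; the kernel update remains the actual fix, and the conf file is what keeps the modules from coming back before the reboot.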

Pwn2Own Berlin 2026: Day One Recap

ZDI released the Day One results from Pwn2Own Berlin, and the scoreboard tells an interesting story about where the attack surface is shifting. $523,000 was awarded across 24 unique zero-days, targeting:

  • Microsoft Edge sandbox escapes, multiple logic bugs
  • Windows 11 privilege escalation, UAF and buffer overflow chains
  • NVIDIA Container Toolkit and Megatron Bridge
  • Local AI inference tools: LiteLLM, OpenAI Codex, LM Studio, Chroma
  • Red Hat Enterprise Linux for Workstations

The AI coding agents and local inference stack took significant damage. Four distinct sandbox escapes in Edge and various logic flaws in the LLM ecosystem suggest the browser and AI tooling combination is fertile ground for chain development. Blue teams hunting post-compromise should be watching for anomalous model loading, unexpected SSRF patterns, and unusual container escape artifacts.

Closing Reflection

This week's theme isn't any single bug class; it's the convergence: kernel LPEs that laugh at containers, IoT botnets scaling through commodity hardware, and Pwn2Own showing that AI tooling is now a first-class target. The underground doesn't need zero-days when it can chain a known kernel bug with a vulnerable router and a phishing lure. Operators should focus less on finding the perfect exploit and more on building reliable chains across the modern attack surface: kernel, IoT edge devices, and developer tooling.

The next engagement isn't about being the smartest person in the room. It's about having the right primitives loaded when the opportunity presents itself.

~ UncleSp1d3r