{"id":541,"date":"2026-04-08T17:31:07","date_gmt":"2026-04-08T17:31:07","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=541"},"modified":"2026-04-08T17:31:07","modified_gmt":"2026-04-08T17:31:07","slug":"masjesu-botnet-emerges-as-ddos-for-hire-service-targeting-global-iot-devices","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=541","title":{"rendered":"Masjesu Botnet Emerges as DDoS-for-Hire Service Targeting Global IoT Devices"},"content":{"rendered":"
\n

\ue804<\/i>Ravie Lakshmanan<\/span>\ue802<\/i>Apr 08, 2026<\/span><\/span>IoT Security \/ Network Security<\/span><\/p>\n<\/div>\n

\n
<\/a><\/div>\n

Cybersecurity researchers have lifted the curtain on a stealthy botnet that’s designed for distributed denial-of-service (DDoS)\u00a0attacks.<\/p>\n

Called Masjesu<\/strong>, the botnet has been advertised via Telegram as a DDoS-for-hire service since it first surfaced in 2023. It’s capable of targeting a wide range of IoT devices, such as routers and gateways, spanning multiple architectures.<\/p>\n

\u00abBuilt for persistence and low visibility, Masjesu favors careful, low-key execution over widespread infection, deliberately avoiding blocklisted IP ranges such as those belonging to the Department of Defense (DoD) to ensure long-term survival,\u00bb Trellix security researcher Mohideen Abdul Khader\u00a0F said<\/a> in a Tuesday\u00a0report.<\/p>\n

\n
\"Cybersecurity\"<\/a><\/div>\n<\/div>\n

It’s worth noting that the commercial offering also goes by the moniker XorBot owing to its use of XOR-based encryption to conceal strings, configurations, and payload data. It\u00a0was first documented<\/a> by Chinese security vendor NSFOCUS in December 2023, linking it to an operator named \u00absynmaestro.\u00bb<\/p>\n

A subsequent\u00a0iteration of the botnet observed a year later was found to have added 12 different command injection and code execution exploits to target routers, cameras, DVRs, and NVRs from D-Link, Eir, GPON, Huawei, Intelbras, MVPower, NETGEAR, TP-Link, and Vacron, and obtain initial access. Also\u00a0added were new modules to conduct DDoS flood\u00a0attacks.<\/p>\n

\u00abAs an emerging botnet family, XorBot is showing a strong growth momentum, continuously infiltrating and controlling new IoT devices,\u00bb NSFOCUS said in November 2024. \u00abNotably, these controllers are increasingly inclined to use social media platforms such as Telegram as the main channels for recruitment and promotion, attracting target ‘customers’ through initial active promotional activities, laying a solid foundation for the subsequent expansion and development of the\u00a0botnet.\u00bb<\/p>\n

\"\"<\/a><\/div>\n

The latest findings from Trellix show that Masjesu has marketed the ability to carry out volumetric DDoS attacks, emphasizing its diverse botnet infrastructure and its suitability for targeting content delivery networks (CDNs), game servers, and enterprises. Attacks mounted by the botnet primarily originate from Vietnam, Ukraine, Iran, Brazil, Kenya, and India, with Vietnam accounting for nearly 50% of the observed\u00a0traffic.<\/p>\n

Once\u00a0deployed on a compromised device, the\u00a0malware moves to\u00a0create\u00a0and bind a\u00a0socket with a hard-coded TCP port\u00a0(55988) to\u00a0enable the attacker to connect\u00a0directly. If\u00a0this operation fails, the attack\u00a0chain is immediately\u00a0killed.<\/p>\n

\n
\"Cybersecurity\"<\/a><\/div>\n<\/div>\n

Otherwise, the malware proceeds\u00a0to set\u00a0up persistence, ignore termination-related signals, stop commonly used processes like wget and curl, possibly to disrupt competing botnets, and then connects to an external server to receive DDoS attack\u00a0commands for executing\u00a0them against targets of\u00a0interest.<\/p>\n

Masjesu also boasts of self-propagating capabilities, allowing it to probe random IP addresses for open ports and wrangle successfully compromised devices into its infrastructure. One\u00a0notable addition to the list of exploitation targets is Realtek routers,\u00a0which is carried\u00a0out by scanning for 52869 \u2013 a port associated\u00a0with Realtek\u00a0SDK’s<\/a>miniigd<\/a>\u00a0daemon. Multiple DDoS botnets, such\u00a0as JenX<\/a>\u00a0and Satori<\/a>, have embraced\u00a0the same\u00a0approach<\/a> in the\u00a0past.<\/p>\n

\u00abThe botnet continues to expand by infecting a broad range of IoT devices across multiple architectures and manufacturers,\u00bb Trellix said. \u00abNotably, Masjesu appears to avoid targeting sensitive critical organizations that could trigger significant legal or law-enforcement attention, a strategy that likely improves its long-term survivability.\u00bb<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"

\ue804Ravie Lakshmanan\ue802Apr 08, 2026IoT Security \/ Network Security Cybersecurity researchers have lifted the curtain on a stealthy botnet that’s designed for distributed denial-of-service (DDoS)\u00a0attacks. Called Masjesu, the botnet has been…<\/p>\n","protected":false},"author":1,"featured_media":542,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[192,1127,175,1126,597,780,1125,572,431],"class_list":["post-541","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-botnet","tag-ddosforhire","tag-devices","tag-emerges","tag-global","tag-iot","tag-masjesu","tag-service","tag-targeting"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/541","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=541"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/541\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/542"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=541"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=541"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=541"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}