Masjesu Botnet: The Stealthy DDoS-for-Hire Service Hijacking IoT Devices Worldwide
What Is Masjesu?
Cybersecurity researchers at Trellix have pulled back the curtain on a sophisticated and deliberately low-profile botnet known as Masjesu, a DDoS-for-hire operation that has been quietly recruiting customers and compromising devices globally since it first appeared in 2023.
Marketed openly on Telegram, Masjesu offers paying clients the ability to launch volumetric Distributed Denial-of-Service (DDoS) attacks against virtually any target. What makes it particularly dangerous is not its raw power, but its design philosophy: stealth, persistence, and strategic evasion over aggressive widespread infection.
How It Works
Once Masjesu's malware lands on a compromised IoT device, typically a router or gateway, it follows a precise sequence of actions:
- It attempts to bind a socket to a hard-coded TCP port (55988), which allows the attacker to connect to the device directly. If this fails, the execution chain terminates immediately, a deliberate fail-safe to avoid detection.
- If successful, it establishes persistence and configures itself to ignore system termination signals, making it difficult to remove.
- It terminates common download utilities like wget and curl, a move designed to disrupt competing botnets and consolidate its hold over infected devices.
- It then phones home to an external command-and-control server to await DDoS instructions.
Beyond receiving attack commands, Masjesu is also capable of self-propagation: it actively scans random IP address ranges for open ports and attempts to compromise new devices, continuously growing its own infrastructure.
Who and What Is Being Targeted?
Masjesu casts a wide net across IoT devices from multiple manufacturers and CPU architectures. Its list of targets includes routers, cameras, DVRs, and NVRs from brands such as D-Link, Huawei, TP-Link, NETGEAR, Intelbras, MVPower, Vacron, Eir, and GPON. A notable addition to its exploitation toolkit is a scanner for Realtek routers, specifically probing port 52889, which is associated with the Realtek SDK's miniigd daemon; this is the same technique previously used by other botnets, including JenX and Satori.
Attack traffic originating from the Masjesu botnet has been traced primarily to Vietnam (accounting for roughly half of all observed traffic), followed by Ukraine, Iran, Brazil, Kenya, and India. The botnet is marketed as being particularly effective against Content Delivery Networks (CDNs), game servers, and enterprise environments.
The Stealth Strategy: Stay Small, Stay Alive
What distinguishes Masjesu from noisier botnets is its deliberate strategy to remain under the radar. Rather than pursuing mass infection at any cost, the operators have programmed the malware to avoid entire IP ranges belonging to sensitive or high-profile organizations, including the U.S. Department of Defense (DoD), whose infection could attract serious law enforcement attention.
This careful approach is intentional: by staying away from targets that would trigger a major response, the botnet maximizes its long-term operational lifespan. It's a calculated trade-off between scale and survival.
The XorBot Connection
Masjesu is also tracked under the name XorBot, a reference to its use of XOR-based encryption to hide its configuration strings, payload data, and internal logic from security tools. The malware was first documented by Chinese security firm NSFOCUS in December 2023, where it was tied to an operator using the handle "synmaestro."
Since its initial discovery, the botnet has evolved considerably, adding over a dozen command injection and code execution exploits, expanding its target device list, and integrating new DDoS flood attack modules.
The Bigger Picture: Botnets Going Commercial
Masjesu is part of a broader and growing trend: the commercialization of botnet infrastructure. By advertising their capabilities on Telegram and structuring attacks as a paid service, operators lower the barrier to entry for anyone looking to conduct cyberattacks: no technical expertise required, just a payment.
As NSFOCUS noted when tracking XorBot's evolution: these operators are increasingly turning to social media and messaging platforms not just for customer acquisition, but also as a foundation for expanding their botnet's reach and building a reliable customer base over time.
What Should You Do?
If you manage IoT devices or network infrastructure, here are the key defenses:
- Change default credentials on all routers, cameras, and gateways; Masjesu relies on weak or default authentication to gain initial access
- Keep firmware updated; many of the exploits used by this botnet target known, patchable vulnerabilities
- Block unnecessary outbound connections from IoT devices, particularly to unknown external IPs
- Monitor for unusual traffic patterns, especially unexpected outbound TCP connections on non-standard ports like 55988
- Segment your IoT devices from critical systems on a separate network VLAN
- Disable unused services and ports on network devices to reduce the attack surface
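The monitoring advice above, and the bind-to-55988 and port-52889 scanning behaviour described under "How It Works", can be turned into a simple flow-log triage. The script below is an added example, not code from Trellix or the article; the flow-record format, the 10.20.0.0/24 IoT VLAN, the scan threshold and all sample addresses are constructed for the illustration.

```python
# Added example: triage constructed flow records for the Masjesu indicators the article describes.
from collections import defaultdict
from ipaddress import ip_address, ip_network

IOT_VLAN = ip_network("10.20.0.0/24")        # assumed IoT segment (constructed)
C2_LISTEN_PORT = 55988                        # hard-coded TCP bind port from the report
REALTEK_SCAN_PORT = 52889                     # Realtek miniigd port probed by the scanner
SCAN_THRESHOLD = 5                            # distinct targets before we call it scanning (assumed)

# Constructed sample flow records: "ts src:sport -> dst:dport proto"
SAMPLE_FLOWS = """\
1700000001 10.20.0.7:41000 -> 93.184.216.34:443 tcp
1700000002 203.0.113.9:50211 -> 10.20.0.7:55988 tcp
1700000003 10.20.0.7:38001 -> 198.51.100.2:52889 tcp
1700000004 10.20.0.7:38002 -> 198.51.100.77:52889 tcp
1700000005 10.20.0.7:38003 -> 192.0.2.14:52889 tcp
1700000006 10.20.0.7:38004 -> 192.0.2.200:52889 tcp
1700000007 10.20.0.7:38005 -> 203.0.113.55:52889 tcp
1700000008 10.20.0.12:44000 -> 93.184.216.34:80 tcp
"""

def parse_flow(line):
    """Split one flow record into (ts, src_ip, src_port, dst_ip, dst_port, proto)."""
    ts, src, _, dst, proto = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return int(ts), ip_address(sip), int(sport), ip_address(dip), int(dport), proto

def triage(flow_text):
    """Return {device_ip: [finding, ...]} for hosts in the IoT VLAN."""
    findings = defaultdict(list)
    scan_targets = defaultdict(set)
    for line in flow_text.splitlines():
        _, sip, _, dip, dport, proto = parse_flow(line)
        if proto != "tcp":
            continue
        # An IoT device accepting a session on the hard-coded control port
        if dip in IOT_VLAN and dport == C2_LISTEN_PORT:
            findings[str(dip)].append(f"inbound connection on tcp/{C2_LISTEN_PORT} from {sip}")
        # Outbound probes from an IoT device to the Realtek miniigd port: propagation scanning
        if sip in IOT_VLAN and dport == REALTEK_SCAN_PORT:
            scan_targets[str(sip)].add(dip)
    for host, targets in scan_targets.items():
        if len(targets) >= SCAN_THRESHOLD:
            findings[host].append(f"scanned {len(targets)} hosts on tcp/{REALTEK_SCAN_PORT}")
    return dict(findings)

if __name__ == "__main__":
    for host, notes in triage(SAMPLE_FLOWS).items():
        print(host, *notes, sep="\n  ")
```

On the constructed sample, only 10.20.0.7 is flagged, once for the inbound session on 55988 and once for probing five distinct hosts on 52889; the device's ordinary HTTPS traffic produces no finding.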
Key Takeaway
Masjesu is a textbook example of how modern botnets operate: patient, stealthy, commercially motivated, and globally distributed. The fact that it deliberately avoids high-profile targets is not a sign of restraint; it's a sign of sophistication. Organizations of all sizes remain valid targets, and the low-key nature of this botnet means compromised devices may go undetected for months.