NETGEAR, Huawei, TP-Link and D-Link: Masjesu Botnet Emerges as DDoS-for-Hire Service Targeting Global IoT Devices

Masjesu Botnet: A Stealthy DDoS-for-Hire Threat Expands Its Reach

Cybersecurity researchers have uncovered Masjesu, a sophisticated botnet operating as a DDoS-for-hire service since 2023. Marketed via Telegram under the alias XorBot, the malware targets IoT devices including routers, cameras, and gateways across multiple architectures, employing XOR-based encryption to evade detection.

First documented by Chinese security firm NSFOCUS in December 2023 and linked to an operator known as synmaestro, Masjesu has since evolved. A 2024 update introduced 12 new exploits targeting devices from D-Link, Huawei, NETGEAR, TP-Link, and others, alongside enhanced DDoS flood modules. Researchers note its rapid growth, with attackers increasingly leveraging Telegram for recruitment and promotion.

Trellix’s recent analysis reveals Masjesu’s focus on volumetric DDoS attacks, particularly against CDNs, game servers, and enterprises. The botnet’s infrastructure is heavily concentrated in Vietnam (nearly 50% of observed traffic), with additional activity in Ukraine, Iran, Brazil, Kenya, and India. Once deployed, the malware establishes persistence, disables competing processes, and connects to command servers to execute attacks.

Masjesu also self-propagates by scanning for vulnerable devices, including Realtek routers via port 52869, a tactic previously used by botnets like JenX and Satori. Notably, the botnet avoids high-profile targets like the U.S. Department of Defense to minimize legal scrutiny, prioritizing long-term survival over mass infection.

As IoT exploitation expands, Masjesu’s low-visibility approach and social media-driven recruitment underscore its adaptability as a persistent cyber threat.

Source: https://thehackernews.com/2026/04/masjesu-botnet-emerges-as-ddos-for-hire.html

Huawei cybersecurity rating report: https://www.rankiteo.com/company/huawei

D-Link South East Asia cybersecurity rating report: https://www.rankiteo.com/company/dlinkforbusiness

TP-Link Systems Inc. cybersecurity rating report: https://www.rankiteo.com/company/tp-link

NETGEAR cybersecurity rating report: https://www.rankiteo.com/company/netgear

"id": "HUADLITP-NET1775672907",
"linkid": "huawei, dlinkforbusiness, tp-link, netgear",
"type": "Cyber Attack",
"date": "11/2024",
"severity": "25",
"impact": "1",
"explanation": "Attack without any consequences"
{'affected_entities': [{'industry': ['CDN', 'Gaming', 'General Enterprise'],
                        'location': ['Vietnam',
                                     'Ukraine',
                                     'Iran',
                                     'Brazil',
                                     'Kenya',
                                     'India'],
                        'type': 'Enterprise'},
                       {'industry': ['Technology'],
                        'type': 'IoT Device Manufacturers'}],
 'attack_vector': ['Exploiting vulnerable IoT devices',
                   'Self-propagation via scanning'],
 'data_breach': {'data_encryption': 'XOR-based encryption'},
 'date_detected': '2023',
 'date_publicly_disclosed': '2023-12',
 'description': 'Cybersecurity researchers have uncovered *Masjesu*, a '
                'sophisticated botnet operating as a DDoS-for-hire service '
                'since 2023. Marketed via Telegram under the alias *XorBot*, '
                'the malware targets IoT devices including routers, cameras, '
                'and gateways across multiple architectures, employing '
                'XOR-based encryption to evade detection. The botnet has '
                'evolved with 12 new exploits targeting devices from D-Link, '
                'Huawei, NETGEAR, TP-Link, and others, alongside enhanced DDoS '
                'flood modules. It focuses on volumetric DDoS attacks against '
                'CDNs, game servers, and enterprises, with infrastructure '
                'concentrated in Vietnam, Ukraine, Iran, Brazil, Kenya, and '
                'India. The malware self-propagates by scanning for vulnerable '
                'devices and avoids high-profile targets to minimize legal '
                'scrutiny.',
 'impact': {'operational_impact': ['Disruption of CDNs, game servers, and '
                                   'enterprises via volumetric DDoS attacks'],
            'systems_affected': ['IoT devices (routers, cameras, gateways)']},
 'investigation_status': 'Ongoing',
 'lessons_learned': "The botnet's low-visibility approach and social "
                    'media-driven recruitment highlight its adaptability and '
                    'persistence as a cyber threat. Avoiding high-profile '
                    'targets minimizes legal scrutiny, enabling long-term '
                    'survival.',
 'motivation': ['Financial gain (DDoS-for-hire service)',
                'Long-term survival with low visibility'],
 'post_incident_analysis': {'root_causes': ['Exploitation of unpatched IoT '
                                            'devices',
                                            'Self-propagating malware via '
                                            'scanning']},
 'recommendations': ['Enhance monitoring of IoT devices for unusual activity',
                     'Patch vulnerable devices to prevent exploitation',
                     'Implement DDoS mitigation strategies for CDNs and game '
                     'servers',
                     'Monitor Telegram and other social platforms for emerging '
                     'threats'],
 'references': [{'source': 'NSFOCUS'}, {'source': 'Trellix'}],
 'response': {'third_party_assistance': ['NSFOCUS', 'Trellix']},
 'threat_actor': 'synmaestro (alias: XorBot)',
 'title': 'Masjesu Botnet: A Stealthy DDoS-for-Hire Threat Expands Its Reach',
 'type': 'DDoS-for-Hire Botnet',
 'vulnerability_exploited': ['12 new exploits targeting D-Link, Huawei, '
                             'NETGEAR, TP-Link, and other devices',
                             'Realtek routers via port 52869']}