Masjesu, also known as XorBot, is an emerging stealth-focused botnet operating as a DDoS-for-hire service, targeting vulnerable IoT devices such as routers, cameras, and network gateways across multiple architectures. Designed for persistence and low visibility, the botnet avoids high-profile targeting while steadily expanding its global footprint through encrypted communications, self-propagation, and exploitation of multiple vulnerabilities.
The botnet enables attackers to launch large-scale volumetric DDoS attacks against enterprises, content delivery networks, and gaming platforms. Its evolution reflects the growing commercialization of cybercrime, persistent weaknesses in IoT ecosystems, and the urgent need for organizations to strengthen device security, monitoring, and network defences.
Masjesu is a multi-architecture IoT botnet that gains initial access through a range of command injection and remote code execution vulnerabilities affecting devices from vendors such as D-Link, TP-Link, and Realtek. Once executed, the malware attempts to bind to a predefined TCP port (55988) to establish a direct communication channel with attackers, terminating execution if unsuccessful.
Persistence is achieved by ignoring termination signals, suppressing competing processes such as wget and curl, and maintaining continuous communication with command-and-control infrastructure using XOR-based obfuscation for configuration data and payloads.
The botnet also incorporates self-propagation capabilities by scanning random IP ranges for exposed services, particularly targeting ports associated with known vulnerabilities. Infected devices respond to commands by executing various DDoS flooding techniques, forming a distributed and resilient attack infrastructure optimized for stealth, scalability, and long-term operation. The details and technicalities of the campaign are discussed below.
Masjesu spreads by exploiting exposed IoT services, particularly vulnerabilities in routers, DVRs, NVRs, and IP cameras. It continuously scans the internet for devices with open management interfaces or service ports such as 23, 80, and 52869, gaining access through command injection or remote code execution techniques.
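The scanning behaviour described above leaves a recognisable trace in flow or firewall logs: one source contacting many distinct destinations on the same small set of service ports. The following is an added defender-side example, not code from the original article or from the botnet, that applies that heuristic to constructed NetFlow-style log lines using the ports the article names (23, 80, 52869) and also flags any host accepting traffic on the bot's 55988 port; the log format and all addresses are constructed for illustration.

```python
from collections import defaultdict

# Ports the article names as scan targets, and the bot's own listener port.
SCAN_PORTS = {23, 80, 52869}
BOT_PORT = 55988

# Constructed sample log, one flow per line: "src_ip src_port dst_ip dst_port proto"
SAMPLE_LOG = """\
10.0.0.5 41022 198.51.100.1 23 tcp
10.0.0.5 41023 198.51.100.2 23 tcp
10.0.0.5 41024 198.51.100.3 52869 tcp
10.0.0.5 41025 198.51.100.4 80 tcp
10.0.0.5 41026 198.51.100.5 23 tcp
10.0.0.5 41027 198.51.100.6 52869 tcp
10.0.0.7 50000 203.0.113.9 443 tcp
10.0.0.7 50001 203.0.113.9 443 tcp
10.0.0.8 33000 10.0.0.5 55988 tcp
"""


def parse_flows(text):
    """Parse log lines into (src_ip, dst_ip, dst_port); skip malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            flows.append((parts[0], parts[2], int(parts[3])))
        except ValueError:
            continue
    return flows


def detect(flows, min_targets=5):
    """Flag sources that hit >= min_targets distinct hosts on SCAN_PORTS,
    and any destination that received a connection on BOT_PORT."""
    targets = defaultdict(set)   # src_ip -> distinct dst_ips seen on scan ports
    bot_port_hosts = set()       # dst_ips contacted on 55988
    for src, dst, dport in flows:
        if dport in SCAN_PORTS:
            targets[src].add(dst)
        if dport == BOT_PORT:
            bot_port_hosts.add(dst)
    scanners = sorted(s for s, d in targets.items() if len(d) >= min_targets)
    return {"scanners": scanners, "bot_port_hosts": sorted(bot_port_hosts)}


if __name__ == "__main__":
    print(detect(parse_flows(SAMPLE_LOG)))
```

Because port 80 carries ordinary web traffic, the threshold is on distinct destinations per source rather than on raw hit count; tune `min_targets` to the baseline of the monitored segment before alerting on it.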
The infection chain was identified as follows.
Masjesu demonstrates strong capabilities in persistence, evasion, and distributed attack execution. As a multi-architecture malware, it can infect a wide range of IoT devices, enabling large-scale botnet formation. The use of XOR-based obfuscation conceals configuration data and payloads, complicating detection and analysis.
The malware ensures persistence by binding to a dedicated communication port, ignoring termination signals, and actively suppressing competing malware or system processes. Its self-propagation capability allows rapid expansion by scanning and exploiting vulnerable devices without external coordination.
Infected nodes can execute multiple volumetric DDoS attack techniques under command-and-control direction. This results in a geographically distributed attack network that is highly resilient, difficult to detect, and capable of sustaining prolonged attack campaigns.
Masjesu has been active since at least 2023 and is linked to an operator identified as “synmaestro.” Initially identified by security researchers, the botnet has evolved significantly by expanding its exploit capabilities and improving evasion techniques.
It has transitioned into a commercial DDoS-for-hire service, actively promoted through platforms such as Telegram. This evolution highlights a broader trend toward the professionalization and monetization of cybercrime, where sophisticated attack capabilities are increasingly offered as accessible services.
Current activity indicates a globally distributed botnet, with significant concentrations of infected devices and attack traffic originating from regions such as Vietnam, Ukraine, Iran, Brazil, Kenya, and India; Vietnam accounts for a notable share of the observed activity.
The decentralized nature of the botnet, combined with the use of compromised IoT devices, enables geographically diverse attack traffic. This distribution increases the effectiveness of DDoS campaigns and complicates mitigation efforts for targeted organizations.
Masjesu represents the next generation of IoT botnets, characterized by stealth, adaptability, and commercial intent. Its ability to combine low-detection techniques, self-propagation, and multi-platform targeting highlights ongoing weaknesses in IoT security.
Organizations must adopt proactive security measures, including device hardening, network segmentation, continuous monitoring, and timely patching, to mitigate the growing threat of botnet-driven DDoS attacks.
Masjesu enables large-scale DDoS attacks that can disrupt operations, degrade service availability, and impact customer experience. Enterprises, content delivery networks, and online platforms are particularly at risk.
The botnet’s persistence and ability to evade detection increase its operational lifespan, while its reliance on widely deployed IoT devices amplifies its scale. The commercialization of such capabilities lowers the barrier to entry for attackers, significantly increasing the overall threat landscape.
https://www.trellix.com/blogs/research/masjesu-rising-stealth-iot-botnet-ddos-evasion/