Masjesu Botnet Exposed: Stealthy IoT Malware Powering DDoS-for-Hire Attacks

Cybersecurity researchers have uncovered details about a stealth-focused botnet known as Masjesu, a growing threat built to launch distributed denial-of-service (DDoS) attacks while staying under the radar.

First appearing around 2023, Masjesu has been promoted on Telegram as a paid DDoS service. It targets a wide range of Internet of Things (IoT) devices, including routers, gateways, cameras, and other network-connected hardware across multiple system architectures.


Built for Stealth and Longevity

Unlike many aggressive botnets that spread rapidly, Masjesu takes a quieter approach. Its design focuses on persistence and avoiding detection.

One of its key tactics is deliberately steering clear of high-profile targets, such as government infrastructure. By avoiding networks linked to organizations like the U.S. Department of Defense, the botnet reduces the risk of drawing attention and extends its operational lifespan.


Also Known as XorBot

Masjesu is sometimes referred to as XorBot, a name derived from its use of XOR-based encryption. This technique helps hide its internal data, including configuration details and payloads, making analysis more difficult.
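The XOR obfuscation the name refers to is cheap for the malware author and, when the key is short, cheap for an analyst to undo. The following added example (not code from the article, and not from the Masjesu/XorBot sample itself) shows the single-byte case that string-based triage tools miss: it tries all 256 keys against a blob and ranks them by how much the output looks like configuration text. The config format, the key 0x5A and the blob are constructed for the demonstration; real samples may use longer keys or keys stored elsewhere in the binary, in which case this brute force is only the first step.

```python
"""Recover a single-byte XOR key from an obfuscated configuration blob.

Added example, not code from the article or from the Masjesu/XorBot sample.
The config format, the key 0x5A and the blob are constructed for the demo.
"""

# Constructed sample plaintext config; 198.51.100.0/24 is a documentation range.
SAMPLE_CONFIG = b"host=198.51.100.23\ninterval=30\nname=sample\n"
SAMPLE_KEY = 0x5A  # hypothetical key chosen for the demo
SAMPLE_BLOB = bytes(b ^ SAMPLE_KEY for b in SAMPLE_CONFIG)

COMMON_LETTERS = frozenset(b"etaoinshrdlu")
LOWERCASE = frozenset(range(ord("a"), ord("z") + 1))
DIGITS = frozenset(range(ord("0"), ord("9") + 1))
SEPARATORS = frozenset(b" \t\r\n.:=;/-_")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (XOR is its own inverse)."""
    return bytes(b ^ key for b in data)


def plausibility_score(data: bytes) -> int:
    """Heuristic score: config-like text scores high, binary junk scores low.

    Frequent English letters count 2; other lowercase letters, digits and
    typical separators count 1; other printable ASCII counts 0; anything
    non-printable is penalised heavily.
    """
    score = 0
    for b in data:
        if b in COMMON_LETTERS:
            score += 2
        elif b in LOWERCASE or b in DIGITS or b in SEPARATORS:
            score += 1
        elif 0x20 <= b <= 0x7E:
            score += 0
        else:
            score -= 5
    return score


def rank_single_byte_keys(blob: bytes) -> list[tuple[int, int]]:
    """Try all 256 keys and return (key, score) pairs, best candidate first."""
    ranked = [(key, plausibility_score(xor_bytes(blob, key))) for key in range(256)]
    ranked.sort(key=lambda pair: pair[1], reverse=True)
    return ranked


def decode_config(blob: bytes) -> dict[str, str]:
    """Recover the most plausible key and parse the decoded key=value lines."""
    best_key = rank_single_byte_keys(blob)[0][0]
    text = xor_bytes(blob, best_key).decode("ascii", errors="replace")
    config = {}
    for line in text.splitlines():
        if "=" in line:
            name, _, value = line.partition("=")
            config[name.strip()] = value.strip()
    return config


if __name__ == "__main__":
    key, score = rank_single_byte_keys(SAMPLE_BLOB)[0]
    print(f"best key: 0x{key:02X} (score {score})")
    print(decode_config(SAMPLE_BLOB))
```

The scoring is deliberately crude; its job is to separate the one key that yields text from the 255 that yield noise, and a keyword the analyst expects in a config (a hostname, a field name) makes a stronger tie-breaker than letter frequency when several keys score close.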

Earlier research linked the botnet to an operator known as “synmaestro,” and since then, it has continued to evolve with new features and attack methods.


Expanding Attack Capabilities

Over time, Masjesu has added multiple exploits that allow it to compromise a wide variety of devices. These target vulnerabilities in products from well-known vendors and device families such as:

  • D-Link
  • TP-Link
  • Huawei
  • NETGEAR
  • GPON
  • Intelbras

The botnet has also introduced additional modules specifically designed for launching different types of DDoS flood attacks.


Global Reach of Infected Devices

Traffic linked to Masjesu has been observed coming from multiple regions, including:

  • Vietnam
  • Ukraine
  • Iran
  • Brazil
  • Kenya
  • India

Vietnam alone accounts for a large portion of the activity, indicating a significant concentration of infected systems in that region.


How the Malware Operates

Once a device is compromised, Masjesu establishes a communication channel by opening a specific TCP port. This allows attackers to connect directly to the infected system.

From there, the malware:

  • Maintains persistence by resisting shutdown attempts
  • Disables certain system tools that could interfere with its operation
  • Connects to a command-and-control server for instructions
  • Executes DDoS attacks against selected targets

Self-Propagation and Device Scanning

Masjesu is capable of spreading on its own by scanning random IP addresses for vulnerable systems. It looks for open ports and exploits known weaknesses to bring new devices into its network.

One notable method involves targeting Realtek-based routers by scanning for a specific port linked to their management service. This technique has also been used by older botnets like JenX and Satori.
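Random-IP scanning for one service port leaves a distinctive trace in flow or firewall logs: a single internal host initiating connections to many distinct addresses on the same destination port in a short window, most of them never completing a handshake. The following added example (not code from the article or from any vendor product) implements that fan-out check as a sliding-window detector. The flow record format, the thresholds, the port number and the sample traffic are all constructed for the demonstration; the addresses come from RFC 5737 documentation ranges.

```python
"""Flag hosts that fan out to many distinct addresses on one port, the
signature of a bot scanning random IPs for a vulnerable service.

Added example, not code from the article or from any vendor tool. The flow
format, thresholds, port and sample traffic are constructed for the demo.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

START = datetime(2024, 5, 1, 10, 0, 0, tzinfo=timezone.utc)


def _ts(seconds: int) -> str:
    """Constructed ISO-8601 timestamp, `seconds` after a fixed start."""
    return (START + timedelta(seconds=seconds)).strftime("%Y-%m-%dT%H:%M:%SZ")


# Constructed flow log, one record per line: "<timestamp> <src> <dst> <dport> <tcp_flags>".
SAMPLE_FLOWS = (
    # An infected device probing 30 different addresses on one port in 30 s, SYN only.
    [f"{_ts(i)} 192.0.2.10 203.0.113.{i + 1} 23 S" for i in range(30)]
    # A workstation opening connections to the same three servers repeatedly.
    + [f"{_ts(i)} 192.0.2.20 198.51.100.{(i % 3) + 1} 443 S" for i in range(30)]
    # Established traffic (ACK set) in the reverse direction; ignored by the detector.
    + [f"{_ts(i)} 198.51.100.1 192.0.2.20 443 SA" for i in range(30)]
)


def parse_flow(line: str):
    """Split one constructed flow record into typed fields."""
    ts, src, dst, dport, flags = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, src, dst, int(dport), flags


def detect_fan_out(lines, window=timedelta(seconds=60), min_targets=20):
    """Return {(src, dport): peak distinct destinations} for sources that reached
    at least `min_targets` distinct destinations on one port inside `window`.
    Only connection attempts (no ACK flag) are counted."""
    by_key = defaultdict(list)  # (src, dport) -> [(ts, dst), ...]
    for line in lines:
        ts, src, dst, dport, flags = parse_flow(line)
        if "A" in flags:
            continue  # established or reply traffic, not an outbound attempt
        by_key[(src, dport)].append((ts, dst))

    alerts = {}
    for key, events in by_key.items():
        events.sort()
        left = 0
        in_window = defaultdict(int)  # dst -> number of attempts inside the window
        for ts, dst in events:
            in_window[dst] += 1
            # Slide the left edge forward until every event is within `window` of `ts`.
            while ts - events[left][0] > window:
                old_dst = events[left][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                left += 1
            if len(in_window) >= min_targets:
                alerts[key] = max(alerts.get(key, 0), len(in_window))
    return alerts


if __name__ == "__main__":
    for (src, dport), count in detect_fan_out(SAMPLE_FLOWS).items():
        print(f"ALERT {src} reached {count} distinct hosts on port {dport} within 60 s")
```

The threshold of 20 distinct destinations per minute is a starting point, not a rule: on a network segment of cameras and routers that should only ever talk to a handful of servers, a much lower value is justified, while DNS resolvers and web proxies need an allow-list or a per-role baseline.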


Why This Botnet Matters

Masjesu’s strategy shows how modern botnets are evolving. Instead of relying only on brute force and large-scale infections, this botnet emphasizes:

  • Stealth over noise
  • Long-term control over rapid spread
  • Flexible monetization through DDoS-for-hire services

By combining careful targeting with continuous development, Masjesu is positioning itself as a persistent threat in the IoT landscape.


Final Insight

The growth of Masjesu highlights the ongoing risks tied to unsecured IoT devices. As more systems remain exposed or poorly configured, attackers continue to find new ways to build resilient botnets.

For organizations and individuals alike, securing network devices and keeping firmware updated is critical to reducing the risk of becoming part of these hidden attack networks.
