CyberTimes
Vulnerability Advisory

CVE-2017-17215

Trellix ARC researchers have detailed Masjesu (also known as XorBot) — a commercially operated DDoS-for-hire botnet active since 2023 that targets routers and IoT devices from D-Link, Netgear, TP-Link, Huawei, and others, advertising attack capacity of 290 to 300 Gbps through a Telegram channel while deliberately avoiding law enforcement tripwires to ensure long-term survival.

Severity: high
CVSS Score: 8.1 / 10
Exploitation: Actively exploited
Published: Apr 8, 2026

Affected Products

  • D-Link routers — multiple models targeted via CVE-2014-8361 and others
  • Huawei routers — CVE-2017-17215 exploited for propagation
  • TP-Link routers — CVE-2023-1389 among exploits used
  • Netgear routers — multiple models affected
  • GPON routers — exploited via known vulnerabilities
  • MVPower DVRs — targeted for recruitment into botnet
  • Any IoT device with UPnP services exposed or running default credentials

Key Facts

  • Masjesu (also tracked as XorBot) is a commercially operated DDoS-for-hire botnet active since 2023, advertised openly on Telegram with documented attack capacity of 290 to 300 Gbps
  • It targets routers and IoT devices from D-Link, Netgear, TP-Link, Huawei, and others — primarily using known CVEs and default credentials, with Vietnam accounting for nearly half of all infected devices
  • Unlike most botnets, Masjesu deliberately avoids US Department of Defense IP ranges and other sensitive allocations to stay under the law enforcement radar — prioritising long-term survival over maximum impact
  • The malware supports 12+ DDoS attack methods, uses multi-XOR encryption to hide C2 data, and renames itself to mimic system components — making detection and removal significantly harder

Full Analysis

Masjesu Botnet: The Stealthy DDoS-for-Hire Service Quietly Hijacking IoT Devices Since 2023 — Now Hitting 300 Gbps

Deep-dive: technical breakdown, real-world impact, complete remediation steps, and expert context.
