{"id":45242,"date":"2026-04-09T05:31:24","date_gmt":"2026-04-08T21:31:24","guid":{"rendered":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/2026\/04\/09\/masjesu-botnet-emerges-as-ddos-for-hire-service-targeting-global-iot-devices\/"},"modified":"2026-04-09T05:31:24","modified_gmt":"2026-04-08T21:31:24","slug":"masjesu-botnet-emerges-as-ddos-for-hire-service-targeting-global-iot-devices","status":"publish","type":"post","link":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/2026\/04\/09\/masjesu-botnet-emerges-as-ddos-for-hire-service-targeting-global-iot-devices\/","title":{"rendered":"Masjesu Botnet Emerges as DDoS-for-Hire Service Targeting Global IoT Devices"},"content":{"rendered":"<div style=\"clear: both;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjVrpJtAgJfASiMYseJhDzJoT1ly7iXa_e_Y_4TBhGIkVGCJ_ZLDM-tGb1Y9NWcOpOcH-xUZUfDiM0fuvUIabEa_5xSbgGjgL8U4FPE99W-V6-oFRAG1ziEZeiJPYrkSZZrwu0jQDjhdUfKsiSxPgZbyZgF1A-cUOqUK3aJpSOQgeSZWogg1X9r77IANDey\/s1600\/ddos-for-hire.jpg\" style=\"clear: left; display: block; float: left; padding: 1em 0px; text-align: center;\"><img decoding=\"async\" border=\"0\" data-original-height=\"470\" data-original-width=\"900\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjVrpJtAgJfASiMYseJhDzJoT1ly7iXa_e_Y_4TBhGIkVGCJ_ZLDM-tGb1Y9NWcOpOcH-xUZUfDiM0fuvUIabEa_5xSbgGjgL8U4FPE99W-V6-oFRAG1ziEZeiJPYrkSZZrwu0jQDjhdUfKsiSxPgZbyZgF1A-cUOqUK3aJpSOQgeSZWogg1X9r77IANDey\/s16000\/ddos-for-hire.jpg\" title=\"Masjesu Botnet\" alt=\"Masjesu Botnet Emerges as DDoS-for-Hire Service Targeting Global IoT Devices\" \/><\/a><\/div>\n<p>Cybersecurity researchers have lifted the curtain on a stealthy botnet that&#8217;s designed for distributed denial-of-service (DDoS)&nbsp;attacks.<\/p>\n<p>Called <strong>Masjesu<\/strong>, the botnet has been advertised via Telegram as a DDoS-for-hire service since it first surfaced in 2023. It&#8217;s capable of targeting a wide range of IoT devices, such as routers and gateways, spanning multiple architectures.<\/p>\n<p>&#8220;Built for persistence and low visibility, Masjesu favors careful, low-key execution over widespread infection, deliberately avoiding blocklisted IP ranges such as those belonging to the Department of Defense (DoD) to ensure long-term survival,&#8221; Trellix security researcher Mohideen Abdul Khader&nbsp;F <a href=\"https:\/\/www.trellix.com\/blogs\/research\/masjesu-rising-stealth-iot-botnet-ddos-evasion\/\">said<\/a> in a Tuesday&nbsp;report.<\/p>\n<p>It&#8217;s worth noting that the commercial offering also goes by the moniker XorBot owing to its use of XOR-based encryption to conceal strings, configurations, and payload data. It&nbsp;was <a href=\"https:\/\/nsfocusglobal.com\/xorbot-a-stealthy-botnet-family-that-defies-detection\/\">first documented<\/a> by Chinese security vendor NSFOCUS in December 2023, linking it to an operator named &#8220;synmaestro.&#8221;<\/p>\n<p> <a name=\"more\"><\/a> <\/p>\n<p>A <a href=\"https:\/\/thehackernews.com\/2024\/11\/matrix-botnet-exploits-iot-devices-in.html\">subsequent&nbsp;iteration<\/a> of the botnet observed a year later was found to have added 12 different command injection and code execution exploits to target routers, cameras, DVRs, and NVRs from D-Link, Eir, GPON, Huawei, Intelbras, MVPower, NETGEAR, TP-Link, and Vacron, and obtain initial access. Also&nbsp;added were new modules to conduct DDoS flood&nbsp;attacks.<\/p>\n<p>&#8220;As an emerging botnet family, XorBot is showing a strong growth momentum, continuously infiltrating and controlling new IoT devices,&#8221; NSFOCUS said in November 2024. &#8220;Notably, these controllers are increasingly inclined to use social media platforms such as Telegram as the main channels for recruitment and promotion, attracting target &#8216;customers&#8217; through initial active promotional activities, laying a solid foundation for the subsequent expansion and development of the&nbsp;botnet.&#8221;<\/p>\n<div style=\"clear: both;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEh9VFi6NM0Zg-maVrfeGqcmUTV1X2VYj4osMgtOf3BjwbhLOqJEPR-Fa94HK8y0aAT-WpvgcQHWMQivbNOak6uzI0CRc4u_rg4sSwtF5CeRz6gs561X3kr7W30PFa6TbB912gkqACDtBqmET3Uvfwj4DIvEl8S724lE0-5EwqXoAozwfspDxodDcnSOEc2l\/s1600\/masjesu-botnet.jpg\" style=\"clear: left; display: block; float: left; padding: 1em 0px; text-align: center;\"><img decoding=\"async\" border=\"0\" data-original-height=\"1024\" data-original-width=\"1024\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEh9VFi6NM0Zg-maVrfeGqcmUTV1X2VYj4osMgtOf3BjwbhLOqJEPR-Fa94HK8y0aAT-WpvgcQHWMQivbNOak6uzI0CRc4u_rg4sSwtF5CeRz6gs561X3kr7W30PFa6TbB912gkqACDtBqmET3Uvfwj4DIvEl8S724lE0-5EwqXoAozwfspDxodDcnSOEc2l\/s1600\/masjesu-botnet.jpg\" alt=\"Masjesu Botnet Emerges as DDoS-for-Hire Service Targeting Global IoT Devices\" \/><\/a><\/div>\n<p>The latest findings from Trellix show that Masjesu has marketed the ability to carry out volumetric DDoS attacks, emphasizing its diverse botnet infrastructure and its suitability for targeting content delivery networks (CDNs), game servers, and enterprises. Attacks mounted by the botnet primarily originate from Vietnam, Ukraine, Iran, Brazil, Kenya, and India, with Vietnam accounting for nearly 50% of the observed&nbsp;traffic.<\/p>\n<p>Once&nbsp;deployed on a compromised device, the&nbsp;malware moves to&nbsp;create&nbsp;and bind a&nbsp;socket with a hard-coded TCP port&nbsp;(55988) to&nbsp;enable the attacker to connect&nbsp;directly. If&nbsp;this operation fails, the attack&nbsp;chain is immediately&nbsp;killed.<\/p>\n<p>Otherwise, the malware proceeds&nbsp;to set&nbsp;up persistence, ignore termination-related signals, stop commonly used processes like wget and curl, possibly to disrupt competing botnets, and then connects to an external server to receive DDoS attack&nbsp;commands for executing&nbsp;them against targets of&nbsp;interest.<\/p>\n<p>Masjesu also boasts of self-propagating capabilities, allowing it to probe random IP addresses for open ports and wrangle successfully compromised devices into its infrastructure. One&nbsp;notable addition to the list of exploitation targets is Realtek routers,&nbsp;which is carried&nbsp;out by scanning for 52869 &#8211; a port associated&nbsp;with <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/19\/c\/upnp-enabled-connected-devices-in-home-unpatched-known-vulnerabilities.html\">Realtek&nbsp;SDK&#8217;s<\/a><a href=\"https:\/\/www.akamai.com\/blog\/security\/universal-plug-and-play-upnp-what-you-need-to-know\">miniigd<\/a>&nbsp;daemon. Multiple DDoS botnets, such&nbsp;as <a href=\"https:\/\/www.radware.com\/security\/ddos-threats-attacks\/threat-advisories-attack-reports\/jenx\/\">JenX<\/a>&nbsp;and <a href=\"https:\/\/ics-cert.kaspersky.com\/publications\/blog\/2017\/12\/14\/satori\/\">Satori<\/a>, have embraced&nbsp;the <a href=\"https:\/\/www.fortinet.com\/blog\/threat-research\/satori-adds-known-exploit-chain-to-slave-wireless-ip-cameras\">same&nbsp;approach<\/a> in the&nbsp;past.<\/p>\n<p>&#8220;The botnet continues to expand by infecting a broad range of IoT devices across multiple architectures and manufacturers,&#8221; Trellix said. &#8220;Notably, Masjesu appears to avoid targeting sensitive critical organizations that could trigger significant legal or law-enforcement attention, a strategy that likely improves its long-term survivability.&#8221;<\/p>\n<div><\/div>\n<div>Found this article interesting?  Follow us on <a href='https:\/\/news.google.com\/publications\/CAAqLQgKIidDQklTRndnTWFoTUtFWFJvWldoaFkydGxjbTVsZDNNdVkyOXRLQUFQAQ' rel='noopener' target='_blank'>Google News<\/a>, <a href='https:\/\/twitter.com\/thehackersnews' rel='noopener' target='_blank'>Twitter<\/a> and <a href='https:\/\/www.linkedin.com\/company\/thehackernews\/' rel='noopener' target='_blank'>LinkedIn<\/a> to read more exclusive content we post.<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Cybersecurity researchers have lifted the curtain on a stealthy botnet that&#8217;s designed for distributed denial-of-service (DDoS)&nbsp;attacks.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[],"class_list":["post-45242","post","type-post","status-publish","format-standard","hentry","category-thehackernews"],"_links":{"self":[{"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/posts\/45242","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/comments?post=45242"}],"version-history":[{"count":0,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/posts\/45242\/revisions"}],"wp:attachment":[{"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/media?parent=45242"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/categories?post=45242"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/tags?post=45242"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}