A stealthy botnet called Masjesu has been marketed as a DDoS-for-hire service since 2023, with Trellix saying in a Tuesday technical analysis that it targets IoT devices such as routers and gateways and is built for low visibility.
KEY FACTS
- Service model: The botnet has been promoted on Telegram as a DDoS-for-hire offering.
- Targets: It focuses on IoT devices across multiple architectures, including routers, cameras, DVRs and NVRs.
- Traffic: Observed attacks came mainly from Vietnam, Ukraine, Iran, Brazil, Kenya and India.
- Behavior: The malware opens a hard-coded TCP port, sets up persistence and connects to an external server for attack commands.
The report says the commercial offering is also known as XorBot, a name tied to its use of XOR-based encryption to hide strings, configurations and payload data. It was first documented in December 2023 by NSFOCUS, which linked it to an operator called synmaestro.
Masjesu is also described as self-propagating. It scans random IP addresses for open ports, tries to fold newly compromised devices into its infrastructure and includes exploitation attempts against Realtek routers using port 52869.
A later iteration noted in the report added 12 command injection and code execution exploits aimed at a range of brands, including D-Link, Eir, GPON, Huawei, Intelbras, MVPower, NETGEAR, TP-Link and Vacron. Trellix said the botnet appears to avoid sensitive critical organizations that could attract law enforcement attention.
Once a device is infected, the malware can stop common tools such as wget and curl, ignore termination signals and wait for instructions from a remote server. If it cannot bind to the hard-coded port, the attack chain ends immediately.
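For defenders, the scanning behavior and the Realtek port 52869 named above can be checked against firewall or flow logs. The following is an added example, not code from Trellix or the report; the log format, the internal address ranges, the fan-out threshold and the sample records are all assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

REALTEK_PORT = 52869   # port named in the report
FANOUT_THRESHOLD = 5   # assumed tuning value, not from the report
# Assumed internal address space; adjust to the network being monitored.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records: "time src dst dst_port proto action"
SAMPLE_FLOWS = "\n".join(
    [f"10:00:0{i} 192.168.1.50 198.51.100.{i} 52869 tcp ALLOW" for i in range(1, 7)]
    + ["10:01:00 192.168.1.20 198.51.100.9 52869 tcp ALLOW",
       "10:02:00 203.0.113.9 192.168.1.1 52869 tcp ALLOW",
       "10:02:05 203.0.113.77 192.168.1.1 52869 tcp DENY",
       "10:03:00 192.168.1.50 198.51.100.40 443 tcp ALLOW",
       "truncated line"])

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def triage(flow_text, threshold=FANOUT_THRESHOLD):
    """Return internal hosts fanning out on 52869 and internal hosts reachable on it."""
    fanout = defaultdict(set)   # internal src -> distinct external dsts
    exposed = set()             # internal dst that accepted an external connection
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue            # skip malformed records
        _, src, dst, port, proto, action = parts
        if proto != "tcp" or port != str(REALTEK_PORT):
            continue
        try:
            src_in, dst_in = is_internal(src), is_internal(dst)
        except ValueError:
            continue            # unparsable address
        if src_in and not dst_in:
            fanout[src].add(dst)
        elif dst_in and not src_in and action == "ALLOW":
            exposed.add(dst)
    scanning = {s: len(d) for s, d in fanout.items() if len(d) >= threshold}
    return {"scanning": scanning, "exposed": sorted(exposed)}

if __name__ == "__main__":
    print(triage(SAMPLE_FLOWS))
```

Hosts listed under `scanning` are candidates for infection review; hosts under `exposed` accept connections from outside on the port and should be firewalled or patched.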
WHY IT MATTERS
The activity shows how DDoS services are being packaged for sale while staying difficult to detect and hard to disrupt. It also highlights continued risk for consumer and small-business IoT devices that remain exposed to scanning and exploitation.

