TUWOalfLlTi

Masjesu Botnet Targets Routers in Commercial DDoS Attacks

Hackers are abusing the Masjesu botnet to run high-volume DDoS-for-hire attacks against routers, gateways, and other exposed IoT infrastructure, turning everyday network hardware into commercial attack firepower.

Operating quietly since early 2023 and still active in 2026, Masjesu (also known as XorBot) shows how mature, stealth-focused botnets are reshaping the DDoS marketplace.

Masjesu is a commercially run IoT botnet advertised as a DDoS-for-hire service, with operators primarily using Telegram to attract paying customers.

Its operators prioritize long-term survival over explosive growth, deliberately avoiding blocklisted IP ranges such as U.S. Department of Defense networks and other sensitive allocations that could trigger rapid law-enforcement attention.

Trellix ARC recently analyzed the latest samples of this botnet, tailored for multiple architectures, including i386, MIPS, ARM, SPARC, PPC, 68K (Motorola 68000), and AMD64.

Masjesu relies on XOR-based multi-stage encryption to hide configuration data, strings, and payloads, making static detection and signature-based scanning far less effective.

The malware scans random IP addresses and exploits known vulnerabilities in routers and gateways from vendors such as D-Link, GPON, Huawei, Netgear, TP-Link, and others to expand its footprint silently.

The botnet’s operators promote Masjesu on Telegram, where they have repeatedly rebuilt their presence after policy takedowns.

On October 10, 2025, they posted a couple screenshots showing metrics of the ACK flood DDoS attack that they have generated, which is ~290 Gbps (Gigabits per second).

ACK flood DDoS attack (in terms of packets per second) metrics shared on the Telegram channel (Source : Trellix).
ACK flood DDoS attack (in terms of packets per second) metrics shared on the Telegram channel (Source : Trellix).

An earlier channel with more than 2,000 subscribers was removed, and a new bilingual channel “Masjesu Botnet / 僵尸网络” launched in February 2025 now hosts rental details, feature updates, and performance screenshots for prospective buyers.

Recent posts in 2025–2026 show advertised and observed attack capacities close to 290–300 Gbps, placing Masjesu among the more dangerous DDoS platforms available on the underground market.

Shared metrics from the operators highlight traffic originating from a geographically diverse botnet, with compromised devices in countries such as Vietnam, Ukraine, Iran, Brazil, Kenya, and India, and Vietnam alone contributes close to half of the observed traffic.

The spread of source ASNs suggests Masjesu is built from many hijacked networks rather than a small cluster of VPS hosts, improving resilience and complicating takedowns.

Masjesu attack flow diagram (Source : Trellix).
Masjesu attack flow diagram (Source : Trellix).

On infected devices, Masjesu sets up a hardcoded TCP listener (port 55988) for direct operator access and then hardens itself by ignoring termination-related signals.

Sensitive strings such as C2 domains, IPs, and paths are stored in an encrypted lookup table and only decrypted at runtime using a multi-XOR routine, hindering reverse engineering and static IOC extraction.

Masjesu’s main function (Source : Trellix).
Masjesu’s main function (Source : Trellix).

For persistence, Masjesu renames its binary to mimic a legitimate system component (for example “usr/lib/ld-unix.so.2”), creates a cron job to relaunch itself every 15 minutes, daemonizes, and finally spoofs its process name as “/usr/lib/systemd/systemd-journald”.

It also kills competing tooling such as wget, curl, sshd, and binaries named like other botnets, then locks down the /tmp directory to prevent rival malware from gaining a foothold.

C2 infrastructure and DDoS methods

Masjesu’s command-and-control layer has evolved from a single domain-plus-fallback IP to multiple domains with backup addresses, improving resilience if individual domains are disrupted.

get_pid() function responsible for killing wget, curl and sshd processes (Source : Trellix).
get_pid() function responsible for killing wget, curl and sshd processes (Source : Trellix).

The malware cycles through this domain list, then falls back to a hardcoded IP, and finally pulls a “/.shell” script used to orchestrate scanning and exploitation for further spread.

Once connected, the bot uses a MethodInit-style routine to parse encrypted C2 commands and map them to specific DDoS modules.

Supported attacks include TCP floods, Valve Source Engine query floods, GRE and OSPF protocol floods, ICMP and IGMP floods, TCP SYN/ACK/ACKPSH variants, and HTTP floods that attempt to simulate browser-like traffic.

Randomized headers, spoofed IPs, and variable payloads make Masjesu traffic harder to distinguish from legitimate flows and more difficult to filter with static rules.

Organizations using routers, gateways, or DVRs on the public internet should immediately patch and update firmware, paying special attention to models from vendors already linked to Masjesu exploits.

Default passwords must be replaced with strong, unique credentials, and IoT devices should be segmented from critical networks wherever possible.

Monitoring outbound traffic for unusual HTTP connections, Masjesu-specific user agents, and repeated contact with known C2 domains or fallback IPs can help detect infected nodes early.

Security teams should also watch for suspicious cron jobs, binaries masquerading as system components, and unexpected process name changes in system directories, and deploy behavior-based endpoint and network detection tools capable of spotting DDoS malware at runtime rather than relying only on signatures.

IOCs

SHA256 Hash Build architecture
f39b67fff1f106fb1b4fa9beb386427c8e7eb010f306ad0445da70bffc855f2e MIPS
dfd830368724f6abcc542bc8b85e3d5fa2aedf8282d3805d0d6d53f45c7e0937 ARM
de5fb68023465cb5d8ace412e11032d98a41bd6af2a83245c046020530130496 AMD64
d8018e31b77b135ed300a988757f409347d013b76f9c9a4972e48cb715f45967 MIPS
cb4a3665ebd12bdb094b9fc188793c67ec3008363a49b1dde00d488b54df984b 386
b53d4781bbadb17014da280e274e11f2de9063a35f2eabd32d4596707b147306 PowerPC
4190491b9006404cab256d66125bd77b1c3a0e63451fbb3d829617d7e87acc9b PowerPC
85758df12964024af3ae829e3630f9ad5de7c55dae00181198033da8816e3293 M68K
8340ff8920412a70f0c29cdf72f6f218e61142b3f210e70e24811c413971a8ed 386
620f6949b82f9ef987b7511fbbb09c2da57d8be47b019fa6a9686ce08b4c3e70 ARM
87f11a3ee2486bc4845a28465c2e70d2d9f98725edf4a73c3359c23a43ed74b7 ARM
9c683b0be86d4cd274a7a16073bdf092218f259b055a72f848d589574e9b8084 ARM
8ce9145fee0d3d2444554d901b334c36e71bb1346280ada7ff366cf9d25c5938 SPARC

Related Articles

Back to top button