Masjesu Botnet Targets Routers in Commercial DDoS Attacks
Hackers are abusing the Masjesu botnet to run high-volume DDoS-for-hire attacks against routers, gateways, and other exposed IoT infrastructure, turning everyday network hardware into commercial attack firepower.
Operating quietly since early 2023 and still active in 2026, Masjesu (also known as XorBot) shows how mature, stealth-focused botnets are reshaping the DDoS marketplace.
Masjesu is a commercially run IoT botnet advertised as a DDoS-for-hire service, with operators primarily using Telegram to attract paying customers.
Its operators prioritize long-term survival over explosive growth, deliberately avoiding blocklisted IP ranges such as U.S. Department of Defense networks and other sensitive allocations that could trigger rapid law-enforcement attention.
Trellix ARC recently analyzed the latest samples of this botnet, tailored for multiple architectures, including i386, MIPS, ARM, SPARC, PPC, 68K (Motorola 68000), and AMD64.
Masjesu relies on XOR-based multi-stage encryption to hide configuration data, strings, and payloads, making static detection and signature-based scanning far less effective.
The malware scans random IP addresses and exploits known vulnerabilities in routers and gateways from vendors such as D-Link, GPON, Huawei, Netgear, TP-Link, and others to expand its footprint silently.
The botnet’s operators promote Masjesu on Telegram, where they have repeatedly rebuilt their presence after policy takedowns.
On October 10, 2025, they posted a couple screenshots showing metrics of the ACK flood DDoS attack that they have generated, which is ~290 Gbps (Gigabits per second).

An earlier channel with more than 2,000 subscribers was removed, and a new bilingual channel “Masjesu Botnet / 僵尸网络” launched in February 2025 now hosts rental details, feature updates, and performance screenshots for prospective buyers.
Recent posts in 2025–2026 show advertised and observed attack capacities close to 290–300 Gbps, placing Masjesu among the more dangerous DDoS platforms available on the underground market.
Shared metrics from the operators highlight traffic originating from a geographically diverse botnet, with compromised devices in countries such as Vietnam, Ukraine, Iran, Brazil, Kenya, and India, and Vietnam alone contributes close to half of the observed traffic.
The spread of source ASNs suggests Masjesu is built from many hijacked networks rather than a small cluster of VPS hosts, improving resilience and complicating takedowns.

On infected devices, Masjesu sets up a hardcoded TCP listener (port 55988) for direct operator access and then hardens itself by ignoring termination-related signals.
Sensitive strings such as C2 domains, IPs, and paths are stored in an encrypted lookup table and only decrypted at runtime using a multi-XOR routine, hindering reverse engineering and static IOC extraction.

For persistence, Masjesu renames its binary to mimic a legitimate system component (for example “usr/lib/ld-unix.so.2”), creates a cron job to relaunch itself every 15 minutes, daemonizes, and finally spoofs its process name as “/usr/lib/systemd/systemd-journald”.
It also kills competing tooling such as wget, curl, sshd, and binaries named like other botnets, then locks down the /tmp directory to prevent rival malware from gaining a foothold.
C2 infrastructure and DDoS methods
Masjesu’s command-and-control layer has evolved from a single domain-plus-fallback IP to multiple domains with backup addresses, improving resilience if individual domains are disrupted.

The malware cycles through this domain list, then falls back to a hardcoded IP, and finally pulls a “/.shell” script used to orchestrate scanning and exploitation for further spread.
Once connected, the bot uses a MethodInit-style routine to parse encrypted C2 commands and map them to specific DDoS modules.
Supported attacks include TCP floods, Valve Source Engine query floods, GRE and OSPF protocol floods, ICMP and IGMP floods, TCP SYN/ACK/ACKPSH variants, and HTTP floods that attempt to simulate browser-like traffic.
Randomized headers, spoofed IPs, and variable payloads make Masjesu traffic harder to distinguish from legitimate flows and more difficult to filter with static rules.
Organizations using routers, gateways, or DVRs on the public internet should immediately patch and update firmware, paying special attention to models from vendors already linked to Masjesu exploits.
Default passwords must be replaced with strong, unique credentials, and IoT devices should be segmented from critical networks wherever possible.
Monitoring outbound traffic for unusual HTTP connections, Masjesu-specific user agents, and repeated contact with known C2 domains or fallback IPs can help detect infected nodes early.
Security teams should also watch for suspicious cron jobs, binaries masquerading as system components, and unexpected process name changes in system directories, and deploy behavior-based endpoint and network detection tools capable of spotting DDoS malware at runtime rather than relying only on signatures.
IOCs
| SHA256 Hash | Build architecture |
| f39b67fff1f106fb1b4fa9beb386427c8e7eb010f306ad0445da70bffc855f2e | MIPS |
| dfd830368724f6abcc542bc8b85e3d5fa2aedf8282d3805d0d6d53f45c7e0937 | ARM |
| de5fb68023465cb5d8ace412e11032d98a41bd6af2a83245c046020530130496 | AMD64 |
| d8018e31b77b135ed300a988757f409347d013b76f9c9a4972e48cb715f45967 | MIPS |
| cb4a3665ebd12bdb094b9fc188793c67ec3008363a49b1dde00d488b54df984b | 386 |
| b53d4781bbadb17014da280e274e11f2de9063a35f2eabd32d4596707b147306 | PowerPC |
| 4190491b9006404cab256d66125bd77b1c3a0e63451fbb3d829617d7e87acc9b | PowerPC |
| 85758df12964024af3ae829e3630f9ad5de7c55dae00181198033da8816e3293 | M68K |
| 8340ff8920412a70f0c29cdf72f6f218e61142b3f210e70e24811c413971a8ed | 386 |
| 620f6949b82f9ef987b7511fbbb09c2da57d8be47b019fa6a9686ce08b4c3e70 | ARM |
| 87f11a3ee2486bc4845a28465c2e70d2d9f98725edf4a73c3359c23a43ed74b7 | ARM |
| 9c683b0be86d4cd274a7a16073bdf092218f259b055a72f848d589574e9b8084 | ARM |
| 8ce9145fee0d3d2444554d901b334c36e71bb1346280ada7ff366cf9d25c5938 | SPARC |