Masjesu Botnet

Cybersecurity analysts have uncovered a highly covert botnet engineered specifically for distributed denial-of-service attacks. Known as Masjesu, this operation has been circulating since 2023 as a DDoS-for-hire service, primarily promoted through Telegram channels.

Rather than pursuing mass infections, the botnet adopts a restrained and calculated approach. Its design emphasizes persistence and stealth, deliberately avoiding high-profile targets such as networks associated with the Department of Defense. This strategy significantly reduces the likelihood of detection and takedown, allowing the operation to endure over time.

Dual Identity and Encrypted Operations

Masjesu is also referred to as XorBot, a name derived from its use of XOR-based encryption techniques. These methods are applied to obscure strings, configuration data, and payloads, complicating analysis and detection efforts.

The botnet was first documented in December 2023 and linked to an operator known as 'synmaestro.' From its earliest appearance, it demonstrated a clear focus on maintaining low visibility while enabling efficient remote control of compromised systems.

Expanding Arsenal and Exploitation Capabilities

A newer version of the botnet, observed approximately one year later, introduced significant enhancements. It incorporated multiple command injection and remote code execution exploits targeting a wide range of Internet of Things devices, including routers, cameras, DVRs, and NVRs from several major manufacturers.

These updates also included dedicated modules for executing high-volume DDoS flood attacks, reinforcing its role as a commercial attack service.

Key capabilities include:

• Exploitation of vulnerabilities across diverse IoT hardware architectures
• Integration of 12 distinct attack vectors for initial access
• Deployment of specialized modules for volumetric DDoS operations

Infection Workflow and Persistence Mechanisms

Once a device is compromised, the malware initiates a structured execution chain designed to maintain control and prevent interference. It establishes a socket bound to a hard-coded TCP port (55988), allowing direct communication with the attacker. If this step fails, the infection process terminates immediately.

If successful, the malware proceeds with persistence techniques, suppressing termination signals and disabling common utilities such as wget and curl, likely to eliminate competing malware. It then connects to an external command-and-control server to receive instructions and launch attacks against designated targets.

Self-Propagation and Strategic Targeting

Masjesu is equipped with self-propagation functionality, enabling it to scan random IP addresses for vulnerable systems. Once identified, these devices are incorporated into the botnet's infrastructure, expanding its operational capacity.

A notable tactic involves scanning for port 52869, associated with Realtek SDK's miniigd service, a method previously leveraged by other botnets such as JenX and Satori.

Geographic distribution of attack traffic shows concentration in:

• Vietnam (approximately 50% of observed activity)
• Ukraine, Iran, Brazil, Kenya, and India

Despite its aggressive expansion, the botnet avoids targeting critical or sensitive organizations. This deliberate restraint reduces legal exposure and enhances long-term survivability.

Commercialization and Growth Strategy

Masjesu continues to evolve as a structured cybercrime service. Its operators actively promote capabilities via Telegram, positioning it as a scalable solution for targeting content delivery networks, gaming infrastructure, and enterprise systems.

This reliance on social media platforms for recruitment and advertising has proven effective, enabling steady growth and attracting a customer base interested in launching DDoS attacks without technical expertise.

A Growing and Persistent Cyber Threat

As an emerging botnet family, Masjesu demonstrates strong momentum in both technical sophistication and operational expansion. Its combination of stealth, targeted exploitation, and commercial accessibility makes it a notable threat within the modern cybersecurity landscape.

By prioritizing persistence over visibility and leveraging evolving attack techniques, the botnet continues to infiltrate and control IoT environments across the globe while minimizing the risk of disruption.