Masjesu IoT Botnet Rises as DDoS-for-Hire Threat to Routers and CDNs
Security teams have uncovered a stealthy new botnet built to launch large distributed denial-of-service attacks. Researchers say it targets Internet of Things devices such as routers, gateways, cameras, DVRs, and NVRs.
What researchers found
Trellix researchers said the botnet is called Masjesu. NSFOCUS first documented the campaign in December 2023 and linked it to an operator going by “synmaestro.” The malware is also marketed as XorBot because it uses XOR-based obfuscation to hide strings, configs, and payloads, NSFOCUS reported.
“Built for persistence and low visibility, Masjesu favors careful, low-key execution over widespread infection, deliberately avoiding blocklisted IP ranges such as those belonging to the Department of Defense to ensure long-term survival,” Trellix researcher Mohideen Abdul Khader F said in a report. The quote highlights the operator’s restraint and long-term focus, Trellix added.
How Masjesu spreads
Trellix said a later iteration of the botnet expanded its toolkit. It added about a dozen command injection and code execution exploits to gain initial access. The targets include devices from D-Link, Eir, GPON, Huawei, Intelbras, MVPower, NETGEAR, TP-Link, and Vacron, Trellix reported.
The malware probes random IP addresses for open ports. It specifically scans for port 52869, which is associated with the Realtek SDK miniigd daemon. Trellix noted that other botnets such as JenX and Satori used the same Realtek scanning method in previous campaigns.
Once a device is compromised, the code binds a socket to TCP port 55988. Trellix said the bind serves as a direct connection channel for the attacker. If the bind fails, the malware aborts the operation. If it succeeds, the bot sets persistence and hardens itself against termination.
What the botnet does on infected devices
Trellix reported the malware ignores termination signals and can stop common command-line tools like wget and curl. Researchers say that behavior likely disrupts competing botnets and prevents easy remediation. The bot then connects to external servers to receive DDoS commands and execute flood attacks.
Masjesu also includes self-propagation routines. It recruits newly compromised devices back into its infrastructure and expands the size of the bot pool. NSFOCUS said the actor advertises the service on Telegram and markets it as a DDoS-for-hire offering. “As an emerging botnet family, XorBot is showing a strong growth momentum,” NSFOCUS said in November 2024.
Targets and traffic patterns
Trellix warned that the botnet is suitable for high-volume attacks against content delivery networks, game servers, and enterprise targets. The company said observed attack traffic originated mainly from Vietnam, Ukraine, Iran, Brazil, Kenya, and India. Nearly half of the observed traffic came from Vietnam, Trellix added.
The operators appear to avoid certain IP ranges and sensitive targets. Trellix said Masjesu deliberately steers clear of blocklisted networks and critical organizations. “Avoiding high-profile targets likely improves its long-term survivability,” Trellix wrote.
What defenders should do
Network defenders should monitor outbound connections on unusual TCP ports, including 55988. Trellix recommended scanning for signs of persistence and unusual process terminations. NSFOCUS urged blocking known indicators and watching social channels like Telegram for recruitment activity.
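The two network-side indicators the reports describe, a socket bound on TCP 55988 and a burst of probes to TCP 52869 (the Realtek SDK miniigd port), can be checked from ordinary socket listings. The script below is an added example, not code from Trellix, NSFOCUS, or the botnet itself: it parses `ss -tan`-style lines (IPv4 only, a simplifying assumption), flags any local bind to or peer connection on 55988, and reports any source that has touched an unusually large number of distinct hosts on 52869. The sweep threshold and the sample records are constructed for illustration.

```python
"""Added detection example for the indicators named in the Masjesu/XorBot reports.
Not Trellix or NSFOCUS tooling; the record format, threshold and sample data are assumptions."""
from collections import defaultdict

SUSPECT_PORT = 55988    # port the bot binds after compromise (from the report)
REALTEK_PORT = 52869    # Realtek SDK miniigd port the bot scans for (from the report)
SWEEP_THRESHOLD = 20    # distinct peers on REALTEK_PORT before we call it a sweep (assumption)


def parse_ss_line(line):
    """Parse one `ss -tan`-style line into (state, local_ip, local_port, peer_ip, peer_port).

    Expected columns: STATE RECV-Q SEND-Q LOCAL:PORT PEER:PORT. A '*' port (LISTEN rows)
    is mapped to 0. Returns None for header or malformed lines."""
    parts = line.split()
    if len(parts) < 5 or ":" not in parts[3] or ":" not in parts[4]:
        return None
    state, local, peer = parts[0], parts[3], parts[4]
    lip, lport = local.rsplit(":", 1)
    pip, pport = peer.rsplit(":", 1)
    try:
        lport_n = 0 if lport == "*" else int(lport)
        pport_n = 0 if pport == "*" else int(pport)
    except ValueError:
        return None
    return (state, lip, lport_n, pip, pport_n)


def parse_ss_output(text):
    """Parse a whole socket listing, skipping the header and unparseable lines."""
    records = []
    for line in text.splitlines():
        rec = parse_ss_line(line)
        if rec is not None:
            records.append(rec)
    return records


def find_suspect_port(records):
    """Records where TCP 55988 is bound locally or contacted on a remote host."""
    return [r for r in records if r[2] == SUSPECT_PORT or r[4] == SUSPECT_PORT]


def find_realtek_sweeps(records, threshold=SWEEP_THRESHOLD):
    """Map source IP -> number of distinct peers probed on 52869, for sources over threshold.
    Many distinct destinations on one port from one host is the scan pattern described."""
    peers = defaultdict(set)
    for _state, lip, _lport, pip, pport in records:
        if pport == REALTEK_PORT:
            peers[lip].add(pip)
    return {src: len(p) for src, p in peers.items() if len(p) >= threshold}


def analyze(text):
    """Run both checks over raw `ss -tan`-style text and return the findings."""
    records = parse_ss_output(text)
    return {
        "suspect_port": find_suspect_port(records),
        "realtek_sweeps": find_realtek_sweeps(records),
    }


# Constructed sample listing (documentation/example addresses, not real infrastructure):
# one benign SSH listener, one HTTPS session, a 55988 listener, a connection to a
# remote 55988, and 25 half-open probes to distinct hosts on 52869.
SAMPLE_SS_OUTPUT = "\n".join(
    [
        "State      Recv-Q Send-Q Local Address:Port Peer Address:Port",
        "LISTEN     0      128    0.0.0.0:22         0.0.0.0:*",
        "ESTAB      0      0      192.168.1.20:44120 203.0.113.7:443",
        "LISTEN     0      1      0.0.0.0:55988      0.0.0.0:*",
        "ESTAB      0      0      192.168.1.20:50211 198.51.100.9:55988",
    ]
    + [f"SYN-SENT   0      1      192.168.1.20:{40000 + i} 203.0.113.{i}:52869" for i in range(1, 26)]
)

if __name__ == "__main__":
    findings = analyze(SAMPLE_SS_OUTPUT)
    for rec in findings["suspect_port"]:
        print("port 55988 activity:", rec)
    for src, n in findings["realtek_sweeps"].items():
        print(f"possible Realtek 52869 sweep from {src}: {n} distinct peers")
```

On a live host the same functions can be fed the output of `ss -tan` (or a netstat equivalent) collected by an agent; the sweep check is more useful at a flow collector or firewall log than on the device itself, since a compromised router may not let you inspect its sockets.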
Security teams should also prioritize patching of routers, gateways, and camera firmware. Trellix stressed that devices running exposed services or old SDKs remain high risk.
Masjesu shows how operators combine targeted exploitation with careful operational tradeoffs. Both Trellix and NSFOCUS say the botnet is growing but also deliberately cautious. That combination makes it harder to detect and more persistent over time.