SecurityWeek (archived Apr 08, 2026)
Evasive Masjesu DDoS Botnet Targets IoT Devices
Focused on persistence, the botnet does not engage in widespread infection and avoids blacklisted IPs and critical infrastructure entities.
Trellix has dived into the inner workings of Masjesu, a botnet built for distributed denial-of-service (DDoS) attacks that has infected a variety of IoT devices.
Masjesu has been active since at least 2023, with its operator mainly advertising it on Telegram as capable of launching DDoS attacks of hundreds of gigabytes in magnitude.
The operator’s posts target both Chinese and English-speaking users, “suggesting that their services continue to target both Chinese and US customers,” Trellix says.
Currently, the operator’s Telegram channel has over 400 subscribers, but the botnet’s user base appears larger, as an initial channel promoting the botnet was closed by the platform for policy violations.
Most of the devices ensnared by Masjesu are in Vietnam, an analysis of attack source countries shows. However, the botnet has also infected numerous devices in Brazil, India, Iran, Kenya, and Ukraine.
“The data strongly suggests a distributed attack originating from multiple ASNs. This indicates the involvement of various networks, rather than the botnet being exclusively hosted on a single Virtual Private Server (VPS) provider,” Trellix notes.
Recently analyzed Masjesu samples show it can target multiple architectures, including i386, MIPS, ARM, SPARC, PPC, 68K (Motorola 68000), and AMD64.
The botnet spreads through vulnerabilities in D-Link routers, GPON routers, Huawei home gateways, MVPower DVRs, Netgear routers, UPnP services, and other IoT devices.
On the infected devices, the malware binds a socket with a hardcoded TCP port to provide operators with remote access and hardens itself for persistence.
The malware stores sensitive strings – including command-and-control (C&C) domains, ports, folder names, and process names – encrypted in a lookup table and decrypts them at runtime.
To achieve persistence, Masjesu starts by forking a new process and renaming its original executable path to mimic the path and function of a legitimate Linux dynamic linker.
It then creates a cron job to run the renamed executable every 15 minutes, converts the process into a background daemon, and renames it to appear as a legitimate system component.
The malware also terminates commonly used processes, such as wget and curl, and locks down shared temporary folders, likely to prevent infections from other botnets. To spread, it scans random IP addresses on the internet to find vulnerable devices it can infect.
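The persistence technique described above (a cron job every 15 minutes launching a binary renamed to look like the Linux dynamic linker) is something a defender can hunt for in crontabs. The following is an added example, not code from the article or from Trellix; the loader directory list, the name pattern and the sample crontab are assumptions constructed for illustration.

```python
import re
from pathlib import PurePosixPath

# Directories where a genuine Linux dynamic linker is expected to live.
# Assumption for this example: a loader-named binary anywhere else is suspicious.
LEGIT_LOADER_DIRS = {"/lib", "/lib64", "/usr/lib", "/usr/lib64", "/lib/x86_64-linux-gnu"}
# Matches names such as ld-linux.so.2, ld-linux-x86-64.so.2, ld-musl-armhf.so.1, ld.so
LOADER_NAME_RE = re.compile(r"^ld(-linux|-musl|\.so)[\w.-]*$")

def _every_15_minutes(minute_field: str) -> bool:
    """True if a cron minute field fires every 15 minutes (*/15 or 0,15,30,45)."""
    if minute_field == "*/15":
        return True
    return set(minute_field.split(",")) == {"0", "15", "30", "45"}

def suspicious_loader_cron(line: str) -> bool:
    """Flag a user-crontab line that, every 15 minutes, runs an absolute path whose
    basename imitates the dynamic linker but whose directory is not a loader directory."""
    line = line.strip()
    if not line or line.startswith("#"):
        return False
    fields = line.split()
    if len(fields) < 6:          # 5 schedule fields + at least one command token
        return False
    minute, command = fields[0], fields[5:]
    if not _every_15_minutes(minute):
        return False
    for token in command:
        p = PurePosixPath(token)
        if p.is_absolute() and LOADER_NAME_RE.match(p.name) and str(p.parent) not in LEGIT_LOADER_DIRS:
            return True
    return False

def hunt(crontab_text: str) -> list[str]:
    """Return the crontab lines that match the persistence pattern."""
    return [l for l in crontab_text.splitlines() if suspicious_loader_cron(l)]

# Constructed sample crontab; the paths are illustrative, not indicators from the report.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
*/15 * * * * /tmp/.x/ld-linux.so.2 >/dev/null 2>&1
*/5 * * * * /usr/local/bin/healthcheck
0,15,30,45 * * * * /var/tmp/ld.so
"""

if __name__ == "__main__":
    for hit in hunt(SAMPLE_CRONTAB):
        print("suspicious:", hit)
```

On a real device, feed it the output of `crontab -l` for each user plus the files under /etc/cron.d and /var/spool/cron.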
Masjesu uses multiple C&C domains and fallback IPs, configures a 60-second receive timeout on the socket connection to the C&C, and decrypts received data client-side.
Based on the data received from the server, the botnet can launch various types of DDoS attacks, including UDP, TCP, VSE, GRE, RDP, OSPF, ICMP, IGMP, TCP_SYN, TCP-ACK, TCP-ACKPSH, and HTTP floods.
WRITTEN BY
Ionut Arghire
Ionut Arghire is an international correspondent for SecurityWeek.