Malware | Apr 8, 2026

Evasive Masjesu DDoS Botnet Targets IoT Devices

Masjesu DDoS botnet targets IoT devices across Vietnam, Brazil, India, Iran, Kenya, and Ukraine.

Summary

Trellix researchers analyzed Masjesu, a DDoS botnet active since at least 2023 that infects IoT devices including D-Link routers, GPON routers, Huawei gateways, MVPower DVRs, and Netgear routers. The botnet supports multiple architectures (i386, MIPS, ARM, SPARC, PPC, 68K, AMD64) and uses encrypted C&C domains, cron job persistence, and process renaming to evade detection. The operator markets the botnet on Telegram to Chinese and English-speaking customers and can launch various DDoS attack types (UDP, TCP, VSE, GRE, RDP, OSPF, ICMP, IGMP, SYN, ACK, HTTP floods) with hundreds of gigabytes in magnitude.

Full text

Trellix has dived into the inner workings of Masjesu, a botnet built for distributed denial-of-service (DDoS) attacks that has infected a variety of IoT devices. Masjesu has been active since at least 2023, with its operator mainly advertising it on Telegram as capable of launching DDoS attacks of hundreds of gigabytes in magnitude. The operator’s posts target both Chinese and English-speaking users, “suggesting that their services continue to target both Chinese and US customers,” Trellix says. Currently, the operator’s Telegram channel has over 400 subscribers, but the botnet’s userbase appears larger, as an initial channel promoting the botnet was closed by the platform for policy violations.

Most of the devices ensnared by Masjesu are in Vietnam, an analysis of attack source countries shows. However, the botnet has also infected numerous devices in Brazil, India, Iran, Kenya, and Ukraine. “The data strongly suggests a distributed attack originating from multiple ASNs. This indicates the involvement of various networks, rather than the botnet being exclusively hosted on a single Virtual Private Server (VPS) provider,” Trellix notes.

Recently analyzed Masjesu samples show it can target multiple architectures, including i386, MIPS, ARM, SPARC, PPC, 68K (Motorola 68000), and AMD64. The botnet spreads through vulnerabilities in D-Link routers, GPON routers, Huawei home gateways, MVPower DVRs, Netgear routers, UPnP services, and other IoT devices. On the infected devices, the malware binds a socket with a hardcoded TCP port to provide operators with remote access and hardens itself for persistence. The malware stores sensitive strings, including command-and-control (C&C) domains, ports, folder names, and process names, encrypted in a lookup table and decrypts them at runtime.

To achieve persistence, Masjesu starts by forking a new process and renaming its original executable path to mimic the path and function of a legitimate Linux dynamic linker. It then creates a cron job to run the renamed executable every 15 minutes, converts the process into a background daemon, and renames it to appear as a legitimate system component. The malware also terminates commonly used processes, such as wget and curl, and locks down shared temporary folders, likely to prevent infections from other botnets. To spread, it scans random IP addresses on the internet to find vulnerable devices it can infect.

Masjesu uses multiple C&C domains and fallback IPs, configures a 60-second receive timeout on the socket connection to the C&C, and decrypts received data client-side. Based on the data received from the server, the botnet can launch various types of DDoS attacks, including UDP, TCP, VSE, GRE, RDP, OSPF, ICMP, IGMP, TCP-SYN, TCP-ACK, TCP-ACKPSH, and HTTP floods.

Written by Ionut Arghire. Ionut Arghire is an international correspondent for SecurityWeek.
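The persistence pattern described above (a renamed binary posing as the Linux dynamic linker, launched from cron every 15 minutes) leaves a footprint that is easy to hunt for in crontab data. The script below is an added example written for this page, not code from Trellix or SecurityWeek, and it makes no claim about Masjesu's actual file names: the sample crontab is constructed, and the lists of trusted loader directories and world-writable directories are assumptions for a typical glibc/musl Linux layout that you should adjust for your fleet. It flags entries whose program lives in a world-writable directory or whose name looks like the dynamic loader but does not sit in a system library directory, and notes the 15-minute cadence only as a supporting signal.

```python
import os
import re
from dataclasses import dataclass, field

# Constructed sample crontab (not taken from the Trellix report); the two
# entries under /tmp and /dev/shm model the persistence pattern described
# in the article: a renamed binary posing as the Linux dynamic linker,
# run from cron every 15 minutes. The /lib64 entry is a negative case.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/apt-get update
*/15 * * * * /tmp/.x/ld-linux.so >/dev/null 2>&1
*/15 * * * * /dev/shm/ld-linux-x86-64.so.2 >/dev/null 2>&1
30 2 * * * /lib64/ld-linux-x86-64.so.2 --list /bin/true
0 * * * * /usr/local/bin/backup.sh
"""

# Assumption: directories where the real dynamic loader legitimately lives
# on common glibc/musl layouts; extend for your distribution.
TRUSTED_LOADER_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64")
# Assumption: world-writable locations a cron job should rarely execute from.
WRITABLE_DIRS = ("/tmp", "/var/tmp", "/dev/shm")
# Basenames that look like ld.so / ld-linux*.so* / ld-musl*.so* / ld-uClibc*.so*.
LOADER_NAME = re.compile(r"^ld(-linux|-musl|-uClibc)?(-[\w-]+)?\.so(\.\d+)?$")


@dataclass
class Finding:
    line_no: int
    command: str
    reasons: list = field(default_factory=list)


def parse_cron_line(line):
    """Return (minute_field, command) for a crontab entry, or None for
    comments, blank lines and lines with fewer than six fields."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    parts = stripped.split(None, 5)
    if len(parts) < 6:
        return None
    return parts[0], parts[5]


def first_executable(command):
    """Path of the program cron will run: the first token. Redirections and
    arguments are ignored; shell wrappers such as 'sh -c' are not unwrapped."""
    return command.split()[0]


def scan_crontab(text):
    """Return a Finding for every entry that matches a suspicious pattern."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        parsed = parse_cron_line(line)
        if parsed is None:
            continue
        minute, command = parsed
        exe = first_executable(command)
        reasons = []
        if any(exe.startswith(d + "/") for d in WRITABLE_DIRS):
            reasons.append("executable in world-writable directory")
        name = os.path.basename(exe)
        directory = os.path.dirname(exe)
        in_trusted_dir = any(
            directory == d or directory.startswith(d + "/")
            for d in TRUSTED_LOADER_DIRS
        )
        if LOADER_NAME.match(name) and not in_trusted_dir:
            reasons.append("dynamic-loader-like name outside system library directories")
        if reasons and minute == "*/15":
            # Cadence alone is not suspicious; it is a supporting signal only.
            reasons.append("15-minute schedule matches the cadence reported for Masjesu")
        if reasons:
            findings.append(Finding(line_no, command, reasons))
    return findings


if __name__ == "__main__":
    for f in scan_crontab(SAMPLE_CRONTAB):
        print(f"line {f.line_no}: {f.command}")
        for r in f.reasons:
            print(f"    - {r}")
```

On a real host, feed it the output of `crontab -l` for each user plus the contents of `/etc/crontab` and `/etc/cron.d/*`; a hit on an IoT device should be followed by checking whether the flagged file is a renamed copy of something else (compare hashes against the distribution's real loader) rather than removing it blindly.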

Indicators of Compromise

  • malware — Masjesu

Entities

  • Masjesu operator (threat_actor)
  • D-Link routers (product)
  • GPON routers (product)
  • Huawei home gateways (product)
  • Netgear routers (product)
  • Trellix (vendor)