Masjesu Botnet: A Stealthy DDoS-for-Hire Service Targeting IoT Devices
Researchers have uncovered the **Masjesu** botnet, a DDoS-for-hire service active since 2023. This botnet targets a wide array of IoT devices, employing evasion techniques to ensure long-term operation and avoid detection.
Cybersecurity researchers have exposed a discreet botnet engineered for distributed denial-of-service (DDoS) attacks.
# Masjesu Botnet Emerges as DDoS-for-Hire Service
Dubbed **Masjesu**, this botnet has been advertised as a DDoS-for-hire service on Telegram since its emergence in 2023. It's designed to compromise a diverse range of IoT devices, including routers and gateways, across various architectures.

According to Mohideen Abdul Khader F, a security researcher at **Trellix**, "Built for persistence and low visibility, Masjesu favors careful, low-key execution over widespread infection, deliberately avoiding blocklisted IP ranges such as those belonging to the Department of Defense (**DoD**) to ensure long-term survival."
# XorBot Connection and Evolution
The commercial offering is also known as XorBot due to its use of XOR-based encryption for obfuscating strings, configurations, and payload data. **NSFOCUS** initially documented it in December 2023, attributing it to an operator named "synmaestro."
A later iteration of the botnet added 12 command injection and code execution exploits, targeting routers, cameras, DVRs, and NVRs from vendors like **D-Link**, **Eir**, **GPON**, **Huawei**, **Intelbras**, **MVPower**, **NETGEAR**, **TP-Link**, and **Vacron**. These exploits are used for initial access, alongside new modules for conducting DDoS flood attacks.
**NSFOCUS** noted in November 2024 that "As an emerging botnet family, XorBot is showing a strong growth momentum, continuously infiltrating and controlling new IoT devices… these controllers are increasingly inclined to use social media platforms such as Telegram as the main channels for recruitment and promotion."

# Attack Origins and Malware Behavior
Trellix's research indicates that Masjesu markets its ability to launch volumetric DDoS attacks, emphasizing its diverse botnet infrastructure for targeting content delivery networks (CDNs), game servers, and enterprises. The majority of attacks originate from Vietnam, Ukraine, Iran, Brazil, Kenya, and India, with Vietnam accounting for approximately 50% of the observed traffic.
Once deployed, the malware creates and binds a socket with a hard-coded TCP port (55988) to enable direct attacker connections. Failure of this operation terminates the attack chain.
Successful deployment involves setting up persistence, ignoring termination signals, and stopping processes like `wget` and `curl`, potentially to disrupt competing botnets. The malware then connects to an external server to receive DDoS attack commands.
# Self-Propagation and Realtek Router Exploitation
Masjesu possesses self-propagating capabilities, probing random IP addresses for open ports to expand its infrastructure. A notable target is **Realtek** routers, exploited by scanning for port 52869, associated with Realtek SDK's `miniigd` daemon. Botnets like **JenX** and **Satori** have previously used similar approaches.
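The two network indicators the article names, the hard-coded listener on TCP/55988 and outbound probing of TCP/52869 (the Realtek `miniigd` port), lend themselves to simple host- and flow-level checks. The following is an added example written for this page, not code from Trellix or NSFOCUS; the `ss -tlnp` line layout, the flow-record layout, the five-target scan threshold and all sample data are constructed assumptions.

```python
import re
from collections import defaultdict

MASJESU_LISTEN_PORT = 55988   # hard-coded bind port named in the article
REALTEK_MINIIGD_PORT = 52869  # Realtek SDK miniigd port the botnet scans for
SCAN_THRESHOLD = 5            # distinct targets before we call it a scan (assumed)

# Parses one line of `ss -tlnp` output; the field layout is an assumption.
_LISTEN_RE = re.compile(
    r'LISTEN\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+\s+users:\(\("([^"]+)",pid=(\d+)')

def find_suspicious_listeners(ss_lines):
    """Return (process, pid) pairs bound to the Masjesu control port."""
    hits = []
    for line in ss_lines:
        m = _LISTEN_RE.search(line)
        if m and int(m.group(1)) == MASJESU_LISTEN_PORT:
            hits.append((m.group(2), int(m.group(3))))
    return hits

def find_miniigd_scanners(flow_lines, threshold=SCAN_THRESHOLD):
    """Return {src_ip: distinct_targets} for sources that probed at least
    `threshold` distinct hosts on 52869/tcp. Flow layout (assumed):
    '<epoch> <src_ip> <dst_ip> <dst_port> <proto>'."""
    targets = defaultdict(set)
    for line in flow_lines:
        parts = line.split()
        if len(parts) != 5 or not parts[3].isdigit():
            continue  # skip malformed records instead of raising
        _ts, src, dst, dport, proto = parts
        if proto.lower() == "tcp" and int(dport) == REALTEK_MINIIGD_PORT:
            targets[src].add(dst)
    return {s: len(d) for s, d in targets.items() if len(d) >= threshold}

# Constructed sample data (not captured from a real infection).
SAMPLE_SS = [
    'LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("dropbear",pid=812,fd=3))',
    'LISTEN 0 128 0.0.0.0:55988 0.0.0.0:* users:(("procA",pid=2417,fd=5))',
    'LISTEN 0 5 127.0.0.1:53 0.0.0.0:* users:(("dnsmasq",pid=640,fd=4))',
]
SAMPLE_FLOWS = [f"170000000{i} 10.0.0.7 203.0.113.{10 + i} 52869 tcp" for i in range(5)] + [
    "1700000005 10.0.0.9 203.0.113.10 52869 tcp",  # single probe: below threshold
    "1700000006 10.0.0.7 198.51.100.4 443 tcp",    # unrelated port
    "1700000007 10.0.0.7 198.51.100.5 52869 udp",  # wrong protocol
]

if __name__ == "__main__":
    print("listeners:", find_suspicious_listeners(SAMPLE_SS))
    print("scanners:", find_miniigd_scanners(SAMPLE_FLOWS))
```

On a real host, feed `find_suspicious_listeners` the output of `ss -tlnp` and `find_miniigd_scanners` your flow or firewall export reshaped into the assumed five-field layout; a legitimate service on 55988 would also be flagged, so treat a hit as a lead for process inspection rather than proof of infection.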
Trellix concludes, "The botnet continues to expand by infecting a broad range of IoT devices across multiple architectures and manufacturers… Masjesu appears to avoid targeting sensitive critical organizations that could trigger significant legal or law-enforcement attention, a strategy that likely improves its long-term survivability."